From 167dc249b0a55fdb973afbd797059a3880bb7aea Mon Sep 17 00:00:00 2001 From: Daniel Golle Date: Mon, 23 Aug 2021 18:34:32 +0100 Subject: [PATCH] jail: protect against strcat buffer overflows Coverity CID: 1490012 Copy into fixed size buffer Signed-off-by: Daniel Golle --- jail/jail.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/jail/jail.c b/jail/jail.c index c02095b..1af0161 100644 --- a/jail/jail.c +++ b/jail/jail.c @@ -2186,21 +2186,24 @@ static int parseOCIlinux(struct blob_attr *msg) if (tb[OCI_LINUX_CGROUPSPATH]) { cgpath = blobmsg_get_string(tb[OCI_LINUX_CGROUPSPATH]); if (cgpath[0] == '/') { - if (strlen(cgpath) >= (sizeof(cgfullpath) - strlen(cgfullpath))) + if (strlen(cgpath) + 1 >= (sizeof(cgfullpath) - strlen(cgfullpath))) return E2BIG; strcat(cgfullpath, cgpath); } else { strcat(cgfullpath, "/containers/"); - strcat(cgfullpath, opts.name); /* should be container name rather than jail name */ - strcat(cgfullpath, "/"); - if (strlen(cgpath) >= (sizeof(cgfullpath) - strlen(cgfullpath))) + if (strlen(opts.name) + strlen(cgpath) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath))) return E2BIG; + strcat(cgfullpath, opts.name); /* should be container name rather than jail name */ + strcat(cgfullpath, "/"); strcat(cgfullpath, cgpath); } } else { strcat(cgfullpath, "/containers/"); + if (2 * strlen(opts.name) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath))) + return E2BIG; + strcat(cgfullpath, opts.name); /* should be container name rather than jail name */ strcat(cgfullpath, "/"); strcat(cgfullpath, opts.name); /* should be container instance name rather than jail name */ -- 2.30.2