The following pull request was submitted through Github.
It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2627
This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.
=== Description (from pull-request) ===
Hello,
realpath() does not use null as second parameter. It can cause buffer overflow.
So, the second parameter is modified to null to prevent buffer overflow.
Thanks.
Signed-off-by: 2xsec <dh48.je...@samsung.com>
From 74e7b6621905110e46a4bbc6b5b898328363fced Mon Sep 17 00:00:00 2001
From: 2xsec <dh48.je...@samsung.com>
Date: Fri, 21 Sep 2018 11:09:54 +0900
Subject: [PATCH] conf: realpath() uses null as second parameter to prevent
buffer overflow
Signed-off-by: 2xsec <dh48.je...@samsung.com>
---
src/lxc/conf.c | 27 ++++++++++++++++++++-------
1 file changed, 20 insertions(+), 7 deletions(-)
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 488f3dd42..371256ef2 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -553,24 +553,31 @@ int run_script(const char *name, const char *section,
const char *script, ...)
int pin_rootfs(const char *rootfs)
{
int fd, ret;
- char absrootfs[MAXPATHLEN], absrootfspin[MAXPATHLEN];
+ char absrootfspin[MAXPATHLEN];
+ char *absrootfs;
struct stat s;
struct statfs sfs;
if (rootfs == NULL || strlen(rootfs) == 0)
return -2;
- if (!realpath(rootfs, absrootfs))
+ absrootfs = realpath(rootfs, NULL);
+ if (!absrootfs)
return -2;
ret = stat(absrootfs, &s);
- if (ret < 0)
+ if (ret < 0) {
+ free(absrootfs);
return -1;
+ }
- if (!S_ISDIR(s.st_mode))
+ if (!S_ISDIR(s.st_mode)) {
+ free(absrootfs);
return -2;
+ }
ret = snprintf(absrootfspin, MAXPATHLEN, "%s/.lxc-keep", absrootfs);
+ free(absrootfs);
if (ret >= MAXPATHLEN)
return -1;
@@ -1368,18 +1375,22 @@ int lxc_chroot(const struct lxc_rootfs *rootfs)
{
int i, ret;
char *p, *p2;
- char buf[LXC_LINELEN], nroot[PATH_MAX];
+ char buf[LXC_LINELEN];
+ char *nroot;
FILE *f;
char *root = rootfs->mount;
- if (!realpath(root, nroot)) {
+ nroot = realpath(root, NULL);
+ if (!nroot) {
SYSERROR("Failed to resolve \"%s\"", root);
return -1;
}
ret = chdir("/");
- if (ret < 0)
+ if (ret < 0) {
+ free(nroot);
return -1;
+ }
/* We could use here MS_MOVE, but in userns this mount is locked and
* can't be moved.
@@ -1387,8 +1398,10 @@ int lxc_chroot(const struct lxc_rootfs *rootfs)
ret = mount(nroot, "/", NULL, MS_REC | MS_BIND, NULL);
if (ret < 0) {
SYSERROR("Failed to mount \"%s\" onto \"/\" as MS_REC |
MS_BIND", nroot);
+ free(nroot);
return -1;
}
+ free(nroot);
ret = mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL);
if (ret < 0) {
_______________________________________________
lxc-devel mailing list
lxc-devel@lists.linuxcontainers.org
http://lists.linuxcontainers.org/listinfo/lxc-devel
