The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/2627
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === Hello, realpath() does not use null as second parameter. It can cause buffer overflow. So, the second parameter is modified to null to prevent buffer overflow. Thanks. Signed-off-by: 2xsec <dh48.je...@samsung.com>
From 74e7b6621905110e46a4bbc6b5b898328363fced Mon Sep 17 00:00:00 2001 From: 2xsec <dh48.je...@samsung.com> Date: Fri, 21 Sep 2018 11:09:54 +0900 Subject: [PATCH] conf: realpath() uses null as second parameter to prevent buffer overflow Signed-off-by: 2xsec <dh48.je...@samsung.com> --- src/lxc/conf.c | 27 ++++++++++++++++++++------- 1 file changed, 20 insertions(+), 7 deletions(-) diff --git a/src/lxc/conf.c b/src/lxc/conf.c index 488f3dd42..371256ef2 100644 --- a/src/lxc/conf.c +++ b/src/lxc/conf.c @@ -553,24 +553,31 @@ int run_script(const char *name, const char *section, const char *script, ...) int pin_rootfs(const char *rootfs) { int fd, ret; - char absrootfs[MAXPATHLEN], absrootfspin[MAXPATHLEN]; + char absrootfspin[MAXPATHLEN]; + char *absrootfs; struct stat s; struct statfs sfs; if (rootfs == NULL || strlen(rootfs) == 0) return -2; - if (!realpath(rootfs, absrootfs)) + absrootfs = realpath(rootfs, NULL); + if (!absrootfs) return -2; ret = stat(absrootfs, &s); - if (ret < 0) + if (ret < 0) { + free(absrootfs); return -1; + } - if (!S_ISDIR(s.st_mode)) + if (!S_ISDIR(s.st_mode)) { + free(absrootfs); return -2; + } ret = snprintf(absrootfspin, MAXPATHLEN, "%s/.lxc-keep", absrootfs); + free(absrootfs); if (ret >= MAXPATHLEN) return -1; @@ -1368,18 +1375,22 @@ int lxc_chroot(const struct lxc_rootfs *rootfs) { int i, ret; char *p, *p2; - char buf[LXC_LINELEN], nroot[PATH_MAX]; + char buf[LXC_LINELEN]; + char *nroot; FILE *f; char *root = rootfs->mount; - if (!realpath(root, nroot)) { + nroot = realpath(root, NULL); + if (!nroot) { SYSERROR("Failed to resolve \"%s\"", root); return -1; } ret = chdir("/"); - if (ret < 0) + if (ret < 0) { + free(nroot); return -1; + } /* We could use here MS_MOVE, but in userns this mount is locked and * can't be moved. @@ -1387,8 +1398,10 @@ int lxc_chroot(const struct lxc_rootfs *rootfs) ret = mount(nroot, "/", NULL, MS_REC | MS_BIND, NULL); if (ret < 0) { SYSERROR("Failed to mount \"%s\" onto \"/\" as MS_REC | MS_BIND", nroot); + free(nroot); return -1; } + free(nroot); ret = mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL); if (ret < 0) {
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel