From a17fa3c081a2a2e2ec692ed8decaf54470d05dce Mon Sep 17 00:00:00 2001
From: Niklas Eiling
Date: Wed, 30 Mar 2016 20:10:21 +0200
Subject: [PATCH] fix possible buffer overflow

strncat only returns its first argument and not the end of the written string. Thus "buf-pos" is always 0 and consquently no range check is performed.

Signed-off-by: Niklas Eiling
---
 src/lxc/criu.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/lxc/criu.c b/src/lxc/criu.c
index 75ae4e2fc..aa874c722 100644
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -126,8 +126,8 @@ static void exec_criu(struct criu_opts *opts)
 	int netnr = 0;
 	struct lxc_list *it;
-	char buf[4096], *pos, tty_info[32];
-
+	char buf[4096], tty_info[32];
+	size_t pos;
 	/* If we are currently in a cgroup /foo/bar, and the container is in a
 	 * cgroup /lxc/foo, lxcfs will give us an ENOENT if some task in the
 	 * container has an open fd that points to one of the cgroup files
@@ -363,10 +363,11 @@ static void exec_criu(struct criu_opts *opts)
 	argv[argc] = NULL;
 	buf[0] = 0;
-	pos = buf;
+	pos = 0;
 	for (i = 0; argv[i]; i++) {
-		pos = strncat(buf, argv[i], buf + sizeof(buf) - pos);
-		pos = strncat(buf, " ", buf + sizeof(buf) - pos);
+		strncat(buf, argv[i], sizeof(buf) - pos - 1);
+		strncat(buf, " ", sizeof(buf) - pos - 1);
+		pos += strlen(argv[i]);
 	}
 	INFO("execing: %s", buf);
-- 
2.47.3
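Review bot: The new bound in the second hunk is still wrong, so the overflow the commit title describes remains reachable: `pos += strlen(argv[i])` omits the `" "` appended each iteration, so after i arguments `sizeof(buf) - pos - 1` overstates the free space by i bytes, and the `strncat(buf, " ", ...)` call reuses a limit that does not account for the bytes the preceding `strncat(buf, argv[i], ...)` just wrote, so an argument that fills the buffer is followed by a space and NUL one past its end. Once any truncation has happened pos can also grow past `sizeof(buf) - 1`, at which point the unsigned subtraction wraps and the limit becomes effectively unbounded. strncat's limit counts bytes to append, not the destination size, so the loop should derive the remaining room from the actual write position each time; an snprintf-based append that stops on truncation does that with one bound per iteration and keeps buf NUL-terminated for the INFO() that follows. exec_criu begins before and ends after this hunk.
```c
	buf[0] = 0;
	pos = 0;
	for (i = 0; argv[i]; i++) {
		int n = snprintf(buf + pos, sizeof(buf) - pos, "%s ", argv[i]);
		if (n < 0 || (size_t)n >= sizeof(buf) - pos) {
			/* truncated: buf is still NUL-terminated, stop appending */
			break;
		}
		pos += (size_t)n;
	}
	/* … unchanged: INFO("execing: %s", buf); … */
```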