fix integer overflow in setproctitle
authorTycho Andersen <tycho.andersen@canonical.com>
Mon, 13 Apr 2015 20:35:03 +0000 (14:35 -0600)
committerStéphane Graber <stgraber@ubuntu.com>
Mon, 13 Apr 2015 21:51:12 +0000 (16:51 -0500)
1. don't cast to long
2. check overflow before addition

v2: just remove the cast, don't change the type of the variables

Reported-by: Coverity
Signed-off-by: Tycho Andersen <tycho.andersen@canonical.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
src/lxc/utils.c

index 1df6e8f57f9e4fbb9e3bfacf3d16586ed3af7f82..084b5563ef2bc2c18f1af615b520dca38d3d40d2 100644 (file)
@@ -1644,15 +1644,21 @@ int setproctitle(char *title)
                if (len >= arg_end - arg_start) {
                        env_start = env_end;
                }
+
+               /* check overflow */
+               if (arg_start + len < 0) {
+                       return -1;
+               }
+
                arg_end = arg_start + len;
        }
 
        strcpy((char*)arg_start, title);
 
-       ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_START,   (long)arg_start, 0, 0);
-       ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_END,     (long)arg_end, 0, 0);
-       ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_START,   (long)env_start, 0, 0);
-       ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_END,     (long)env_end, 0, 0);
+       ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_START,   arg_start, 0, 0);
+       ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_END,     arg_end, 0, 0);
+       ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_START,   env_start, 0, 0);
+       ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_END,     env_end, 0, 0);
 
        return ret;
 }
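Review bot: The new guard `if (arg_start + len < 0)` performs the very addition it is meant to protect, so it cannot reliably catch the wrap. If the operands are signed, the overflow is already undefined behaviour by the time the comparison runs and the compiler may drop the test. If `arg_start` is an unsigned type (its declaration is outside the hunk, so this is inferred), the sum is never negative and the branch is dead code. Testing before adding avoids both cases; assuming `arg_start` is `unsigned long`, that would be `if (len < 0 || (unsigned long)len > ULONG_MAX - arg_start) return -1;`. This matters because the following `strcpy((char*)arg_start, title)` and the `PR_SET_MM_ARG_END` call both rely on `arg_start + len` being a valid address, and the body of `setproctitle` that computes `len` starts above this hunk.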