api.c: check for invalid error code in cgroup_strerror()

Fix array overflow warning, reported by the Coverity tool:

CID 258309 (#1 of 1): Out-of-bounds read (OVERRUN). overrun-local:
Overrunning array cgroup_strerror_codes of 32 8-byte elements at element
index 49999 (byte offset 399999) using index code % ECGROUPNOTCOMPILED
(which evaluates to 49999).

there are chances of users passing error codes, resulting in crossing
the upper bound of the cgroup_strerror_codes[], fix it by introducing
bound checks.

Signed-off-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit 37fab4e36b3785698fcc8af14e624cf1e182c183)

diff --git a/src/api.c b/src/api.c
index 2836e3d16d32f95b8f043c068c061105d1b323e8..4a451b497e2e61c349a9238d46aa62f9f018bb49 100644 (file)
--- a/src/api.c
+++ b/src/api.c
@@ -4491,10 +4491,15 @@ cleanup_path:
 
 const char *cgroup_strerror(int code)
 {
+       int idx = code % ECGROUPNOTCOMPILED;
+
        if (code == ECGOTHER)
                return strerror_r(cgroup_get_last_errno(), errtext, MAXLEN);
 
-       return cgroup_strerror_codes[code % ECGROUPNOTCOMPILED];
+       if (idx >= sizeof(cgroup_strerror_codes)/sizeof(cgroup_strerror_codes[0]))
+               return "Invalid error code";
+
+       return cgroup_strerror_codes[idx];
 }
 
 /**