netns: Fix an off-by-one strcpy() in netns_map_add().

netns_map_add() does a malloc of (sizeof (struct nsid_cache) +
strlen(name)) and then proceed with strcpy() of name into the
zero-length member at the end of the nsid_cache structure.  The
nul-terminator is written outside of the allocated memory and may
overwrite the allocator's internal structure.

This can trigger a segmentation fault on i386 uclibc with names of size 8:
after the corruption occurs, the call to closedir() on netns_map_init()
crashes while freeing the DIR structure.

Here is the relevant valgrind output:

==1251== Memcheck, a memory error detector
==1251== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==1251== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright
info
==1251== Command: ./ip netns
==1251==
==1251== Invalid write of size 1
==1251==    at 0x4011975: strcpy (in
/usr/lib/valgrind/vgpreload_memcheck-x86-linux.so)
==1251==    by 0x8058B00: netns_map_add (ipnetns.c:181)
==1251==    by 0x8058E2A: netns_map_init (ipnetns.c:226)
==1251==    by 0x8058E79: do_netns (ipnetns.c:776)
==1251==    by 0x804D9FF: do_cmd (ip.c:110)
==1251==    by 0x804D814: main (ip.c:300)

diff --git a/ip/ipnetns.c b/ip/ipnetns.c
index 088096f646cb62980adeba1773359db6d73d6689..4ce598998d1bafd7cb15ede2f99011f43f491ccd 100644 (file)
--- a/ip/ipnetns.c
+++ b/ip/ipnetns.c
@@ -172,7 +172,7 @@ static int netns_map_add(int nsid, const char *name)
        if (netns_map_get_by_nsid(nsid) != NULL)
                return -EEXIST;
 
-       c = malloc(sizeof(*c) + strlen(name));
+       c = malloc(sizeof(*c) + strlen(name) + 1);
        if (c == NULL) {
                perror("malloc");
                return -ENOMEM;