Do not use strlen() on non-null terminated buffer

author Christian Brauner <christianvanbrauner@gmail.com>

Mon, 7 Sep 2015 21:41:35 +0000 (23:41 +0200)

committer Serge Hallyn <serge.hallyn@ubuntu.com>

Tue, 8 Sep 2015 13:54:53 +0000 (08:54 -0500)
author Christian Brauner <christianvanbrauner@gmail.com>
Mon, 7 Sep 2015 21:41:35 +0000 (23:41 +0200)
committer Serge Hallyn <serge.hallyn@ubuntu.com>
Tue, 8 Sep 2015 13:54:53 +0000 (08:54 -0500)
diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c

index 932d658ea87911bbf1ca81adcb8c47321e34ec0f..fb99892d2cc6be0f2673be64abd6158518259fa6 100644 (file)
--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1989,7 +1989,7 @@ static bool mod_rdep(struct lxc_container *c0, struct lxc_container *c, bool inc
         char newpath[MAXPATHLEN];
         int fd, ret, n = 0, v = 0;
         bool bret = false;
-       size_t len;
+       size_t len, difflen;
  
         if (container_disk_lock(c0))
                 return false;
@@ -2072,19 +2072,22 @@ static bool mod_rdep(struct lxc_container *c0, struct lxc_container *c, bool inc
  
                         /* mmap()ed memory is only \0-terminated when it is not
                          * a multiple of a pagesize. Hence, we'll use memmem(). */
-                       if ((del = memmem(buf, fbuf.st_size, newpath, len))) {
-                               /* remove container entry */
-                               memmove(del, del + len, strlen(del) - len + 1);
-
-                               munmap(buf, fbuf.st_size);
-
-                               if (ftruncate(fd, fbuf.st_size - len) < 0) {
-                                       SYSERROR("Failed to truncate file %s", path);
-                                       close(fd);
-                                       goto out;
-                               }
-                       } else {
-                               munmap(buf, fbuf.st_size);
+                        if ((del = memmem(buf, fbuf.st_size, newpath, len))) {
+                                /* remove container entry */
+                                if (del != buf + fbuf.st_size - len) {
+                                        difflen = fbuf.st_size - (del-buf);
+                                        memmove(del, del + len, strnlen(del, difflen) - len);
+                                }
+
+                                munmap(buf, fbuf.st_size);
+
+                                if (ftruncate(fd, fbuf.st_size - len) < 0) {
+                                        SYSERROR("Failed to truncate file %s", path);
+                                        close(fd);
+                                        goto out;
+                                }
+                        } else {
+                                munmap(buf, fbuf.st_size);
                         }
  
                         close(fd);
author	Christian Brauner <christianvanbrauner@gmail.com>
	Mon, 7 Sep 2015 21:41:35 +0000 (23:41 +0200)
committer	Serge Hallyn <serge.hallyn@ubuntu.com>
	Tue, 8 Sep 2015 13:54:53 +0000 (08:54 -0500)