utils: fix lxc_mount_proc_if_needed()

- check for buffer overflow
- only call INFO() after we ensured that readlink() was successful
- simplify logic

Reported-by: Benedikt Rosenkranz beluro@web.de
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

diff --git a/src/lxc/utils.c b/src/lxc/utils.c
index 15c9f91b584af135e63f9f65a928c90b68ff8762..2549793860ccaae81405a03cd84e6f0357f76ecf 100644 (file)
--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -1758,9 +1758,8 @@ int safe_mount(const char *src, const char *dest, const char *fstype,
 int lxc_mount_proc_if_needed(const char *rootfs)
 {
        char path[MAXPATHLEN];
-       char link[20];
-       int link_to_pid, linklen, ret;
-       int mypid;
+       int link_to_pid, linklen, mypid, ret;
+       char link[LXC_NUMSTRLEN64] = {0};
 
        ret = snprintf(path, MAXPATHLEN, "%s/proc/self", rootfs);
        if (ret < 0 || ret >= MAXPATHLEN) {
@@ -1768,10 +1767,7 @@ int lxc_mount_proc_if_needed(const char *rootfs)
                return -1;
        }
 
-       memset(link, 0, 20);
-       linklen = readlink(path, link, 20);
-       mypid = (int)getpid();
-       INFO("I am %d, /proc/self points to \"%s\"", mypid, link);
+       linklen = readlink(path, link, LXC_NUMSTRLEN64);
 
        ret = snprintf(path, MAXPATHLEN, "%s/proc", rootfs);
        if (ret < 0 || ret >= MAXPATHLEN) {
@@ -1784,24 +1780,29 @@ int lxc_mount_proc_if_needed(const char *rootfs)
                if (mkdir(path, 0755) && errno != EEXIST)
                        return -1;
                goto domount;
+       } else if (linklen >= LXC_NUMSTRLEN64) {
+               link[linklen - 1] = '\0';
+               ERROR("readlink returned truncated content: \"%s\"", link);
+               return -1;
        }
 
+       mypid = getpid();
+       INFO("I am %d, /proc/self points to \"%s\"", mypid, link);
+
        if (lxc_safe_int(link, &link_to_pid) < 0)
                return -1;
 
-       /* wrong /procs mounted */
-       if (link_to_pid != mypid) {
-               /* ignore failure */
-               umount2(path, MNT_DETACH);
-               goto domount;
-       }
+       /* correct procfs is already mounted */
+       if (link_to_pid == mypid)
+               return 0;
 
-       /* the right proc is already mounted */
-       return 0;
+       ret = umount2(path, MNT_DETACH);
+       if (ret < 0)
+               WARN("failed to umount \"%s\" with MNT_DETACH", path);
 
 domount:
        /* rootfs is NULL */
-       if (!strcmp(rootfs,""))
+       if (!strcmp(rootfs, ""))
                ret = mount("proc", path, "proc", 0, NULL);
        else
                ret = safe_mount("proc", path, "proc", 0, NULL, rootfs);