From: Christian Brauner
Date: Wed, 4 Jul 2018 12:51:48 +0000 (+0200)
Subject: conf: safely retrieve path of slave device
X-Git-Tag: lxc-3.1.0~219^2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=77a3980598a4d6553ffc0ac8b922189c83d03430;p=thirdparty%2Flxc.git
conf: safely retrieve path of slave device
openpty() is a horrible function that uses strcpy() into the char *name argument if name != NULL. We can't rely on the path being sane in all cases so let's split out the name retrieval to ttyname_r().
Signed-off-by: Christian Brauner
---
diff --git a/src/lxc/conf.c b/src/lxc/conf.c
index 8ba5fa833..0f02e400c 100644
--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -971,15 +971,22 @@ int lxc_allocate_ttys(struct lxc_conf *conf)
 tty->master = -EBADF;
 tty->slave = -EBADF;
- ret = openpty(&tty->master, &tty->slave,
- tty->name, NULL, NULL);
- if (ret) {
+ ret = openpty(&tty->master, &tty->slave, NULL, NULL, NULL);
+ if (ret < 0) {
 SYSERROR("Failed to create tty %d", i);
 ttys->max = i;
 lxc_delete_tty(ttys);
 return -ENOTTY;
 }
+ ret = ttyname_r(tty->slave, tty->name, sizeof(tty->name));
+ if (ret < 0) {
+ SYSERROR("Failed to retrieve name of tty %d slave", i);
+ ttys->max = i;
+ lxc_delete_tty(ttys);
+ return -ENOTTY;
+ }
+
 DEBUG("Created tty \"%s\" with master fd %d and slave fd %d", tty->name, tty->master, tty->slave);
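Review bot: The new `if (ret < 0)` check after `ttyname_r()` can never fire, because `ttyname_r()` returns 0 on success and a positive error number on failure (for example ERANGE when `tty->name` is too small), not -1. A failed lookup therefore falls through to the `DEBUG()` call and leaves `tty->name` holding whatever was there before, which is the unsafe-path case this commit sets out to close. The check should be `if (ret) {`, ideally with `errno = ret;` before `SYSERROR()` so the logged error does not depend on the libc also setting errno. Separately, this error path sets `ttys->max = i` after the pair at index i was already opened; if `lxc_delete_tty()` only walks entries below `ttys->max` (its body is outside the hunk, as is the rest of `lxc_allocate_ttys()`), `tty->master` and `tty->slave` would leak here and should be closed before returning.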