From: Adriaan Schmidt <adriaan.schmidt@siemens.com>
Date: Wed, 28 Jun 2023 08:12:15 +0000 (+0200)
Subject: fix: malloc size off-by-one in cgroup_process_v2_mnt
X-Git-Tag: v3.1.0~38
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7b37e0dcb90d7980d9f32397aff21486a2369970;p=thirdparty%2Flibcgroup.git

fix: malloc size off-by-one in cgroup_process_v2_mnt

need to allocate the length of both strings, plus the space added in
the sprintf, plus the terminating null byte.

Signed-off-by: Adriaan Schmidt <adriaan.schmidt@siemens.com>
Reviewed-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
---

diff --git a/src/api.c b/src/api.c
index 5428cc34..e24805cd 100644
--- a/src/api.c
+++ b/src/api.c
@@ -1272,7 +1272,7 @@ STATIC int cgroup_process_v2_mnt(struct mntent *ent, int *mnt_tbl_idx)
 	 * wish to read/modify.  Add it to our cg_mount_table so that it can be manipulated
 	 * like other "normal" controllers
 	 */
-	controllers = malloc(strlen(ret_c) + strlen(CGROUP_FILE_PREFIX) + 1);
+	controllers = malloc(strlen(ret_c) + strlen(CGROUP_FILE_PREFIX) + 2);
 	if (!controllers) {
 		ret = ECGOTHER;
 		goto out;