From: Lans Zhang
Date: Mon, 10 Oct 2016 13:49:55 +0000 (+0800)
Subject: log: sanity check the returned value from snprintf()
X-Git-Tag: lxc-2.1.0~305^2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=refs%2Fpull%2F1225%2Fhead;p=thirdparty%2Flxc.git

log: sanity check the returned value from snprintf()

The returned value from snprintf() should be checked carefully. This bug can be leveraged to execute arbitrary code through carefully constructing the payload, e.g.,

lxc-freeze -n `python -c "print 'AAAAAAAA' + 'B'*959"` -P PADPAD -o /tmp/log

This command running on Ubuntu 14.04 (x86-64) can cause a segment fault.

Signed-off-by: Lans Zhang
---
diff --git a/src/lxc/log.c b/src/lxc/log.c index cab77f24c..6775822b3 100644 --- a/src/lxc/log.c +++ b/src/lxc/log.c @@ -170,10 +170,13 @@ static int log_append_logfile(const struct lxc_log_appender *appender, event->locinfo->file, event->locinfo->func, event->locinfo->line); - n += vsnprintf(buffer + n, sizeof(buffer) - n, event->fmt, - *event->vap); + if (n < 0) + return n; - if (n >= sizeof(buffer) - 1) { + if (n < sizeof(buffer) - 1) + n += vsnprintf(buffer + n, sizeof(buffer) - n, event->fmt, + *event->vap); + else { WARN("truncated next event from %d to %zd bytes", n, sizeof(buffer)); n = sizeof(buffer) - 1;
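Review bot: the truncation clamp has moved in front of the vsnprintf() call, so it now covers only the first snprintf(); the value vsnprintf() adds to n is no longer bounded. vsnprintf() returns the length it would have written, so when the formatted event message does not fit in the remaining sizeof(buffer) - n bytes, n again ends up larger than sizeof(buffer) - 1 after `n += vsnprintf(...)`, which is exactly the case the old `if (n >= sizeof(buffer) - 1)` check after the call used to catch. Suggest keeping a clamp after the vsnprintf() as well, e.g. `if (n >= sizeof(buffer) - 1) n = sizeof(buffer) - 1;`, and rejecting a negative return from it the same way the new `if (n < 0) return n;` does for snprintf(). Minor: `n < sizeof(buffer) - 1` compares the int n against a size_t and is only safe because of that preceding `n < 0` return; a cast or a short comment would make the dependency explicit.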
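As an added illustration, not code from the LXC tree, here is the pattern the fix is reaching for: an append helper that treats the snprintf() family's return value as a would-be length, clamps the running offset on truncation and stops on a negative return, so `buffer + n` and `sizeof(buffer) - n` can never go out of range for the next call. The names append_fmt and format_log_line are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Append formatted text to buf (capacity cap) at offset *off.
 * Returns 0 on success, 1 if the output was truncated, -1 on an
 * encoding error. *off never advances past cap - 1, which is the
 * invariant lost when snprintf()'s would-be length is added to the
 * offset unchecked: the next call then gets a pointer past the end
 * and a size that has wrapped around. */
static int append_fmt(char *buf, size_t cap, size_t *off, const char *fmt, ...)
{
    va_list ap;
    int n;

    if (cap == 0 || *off >= cap - 1)   /* no room left; do not call with size 0 */
        return 1;

    va_start(ap, fmt);
    n = vsnprintf(buf + *off, cap - *off, fmt, ap);
    va_end(ap);

    if (n < 0)                         /* encoding error, contents unspecified */
        return -1;

    if ((size_t)n >= cap - *off) {     /* n is the length it wanted: clamp it */
        *off = cap - 1;
        return 1;
    }
    *off += (size_t)n;
    return 0;
}

/* Build a log line the way log_append_logfile() does: a location prefix
 * followed by the event message. Returns the final length, always < cap,
 * so buf[len] is a valid slot for a trailing newline or NUL. */
static size_t format_log_line(char *buf, size_t cap, const char *file,
                              const char *func, int line, const char *msg)
{
    size_t off = 0;
    append_fmt(buf, cap, &off, "%s:%s:%d - ", file, func, line);
    append_fmt(buf, cap, &off, "%s", msg);
    return off;
}

int main(void)
{
    char buf[64];   /* deliberately small to force the truncation path */
    size_t len = format_log_line(buf, sizeof(buf), "log.c", "fn", 42, "hello");
    printf("%zu bytes: %s\n", len, buf);
    return 0;
}
```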