From 7cfde20f987262acaf5250bfd305691ebe303fd6 Mon Sep 17 00:00:00 2001 From: 2xsec Date: Thu, 18 Oct 2018 15:16:54 +0900 Subject: [PATCH] string_utils: fix global buffer overflow issue Signed-off-by: 2xsec --- src/lxc/string_utils.c | 41 +++++++++++++++++++++++++++++------------ 1 file changed, 29 insertions(+), 12 deletions(-) diff --git a/src/lxc/string_utils.c b/src/lxc/string_utils.c index fb46109b9..7bc99c428 100644 --- a/src/lxc/string_utils.c +++ b/src/lxc/string_utils.c @@ -784,24 +784,32 @@ char *must_make_path(const char *first, ...) char *cur, *dest; size_t full_len = strlen(first); size_t buf_len; + size_t cur_len; dest = must_copy_string(first); + cur_len = full_len; va_start(args, first); while ((cur = va_arg(args, char *)) != NULL) { - full_len += strlen(cur); + buf_len = strlen(cur); + + full_len += buf_len; if (cur[0] != '/') full_len++; - buf_len = full_len + 1; - dest = must_realloc(dest, buf_len); + dest = must_realloc(dest, full_len + 1); - if (cur[0] != '/') - (void)strlcat(dest, "/", buf_len); - (void)strlcat(dest, cur, buf_len); + if (cur[0] != '/') { + memcpy(dest + cur_len, "/", 1); + cur_len++; + } + + memcpy(dest + cur_len, cur, buf_len); + cur_len += buf_len; } va_end(args); + dest[cur_len] = '\0'; return dest; } @@ -812,23 +820,32 @@ char *must_append_path(char *first, ...) va_list args; char *dest = first; size_t buf_len; + size_t cur_len; full_len = strlen(first); + cur_len = full_len; + va_start(args, first); while ((cur = va_arg(args, char *)) != NULL) { - full_len += strlen(cur); + buf_len = strlen(cur); + + full_len += buf_len; if (cur[0] != '/') full_len++; - buf_len = full_len + 1; - dest = must_realloc(dest, buf_len); + dest = must_realloc(dest, full_len + 1); - if (cur[0] != '/') - (void)strlcat(dest, "/", buf_len); - (void)strlcat(dest, cur, buf_len); + if (cur[0] != '/') { + memcpy(dest + cur_len, "/", 1); + cur_len++; + } + + memcpy(dest + cur_len, cur, buf_len); + cur_len += buf_len; } va_end(args); + dest[cur_len] = '\0'; return dest; } -- 2.47.2