api: leave room for NUL in cgroup_get_procs()

Commit 4a851a569689 ("api: Fix unsafe call to strncat in
cgroup_get_procs() and cgroup_get_threads()") tightened several
strncat() callers, but the code building the procs/threads paths
still used the raw remaining buffer size. When the buffer is
already full, strncat() would copy path_sz bytes and overwrite
the terminator. Subtract one from the remaining length before
appending "tasks" or the controller-specific filename so there
is always space for the trailing NUL.

Signed-off-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>

diff --git a/src/api.c b/src/api.c
index 47f553545e983afe009b5060fb357a993fc5ea86..8ada97cb892cce36f8978f39d68ad553a610b6c6 100644 (file)
--- a/src/api.c
+++ b/src/api.c
@@ -1990,7 +1990,7 @@ int cgroup_build_tasks_procs_path(char * const path, size_t path_sz, const char
 
        switch (version) {
        case CGROUP_V1:
-               strncat(path, "tasks", path_sz - strlen(path));
+               strncat(path, "tasks", path_sz - strlen(path) - 1);
                err = 0;
                break;
        case CGROUP_V2:
@@ -1998,7 +1998,7 @@ int cgroup_build_tasks_procs_path(char * const path, size_t path_sz, const char
                if (err)
                        goto error;
 
-               strncat(path, cg_type, path_sz - strlen(path));
+               strncat(path, cg_type, path_sz - strlen(path) - 1);
                break;
        default:
                err = ECGOTHER;