src/api: terminate controller copies in cgroup_copy_controller_values()

cgroup_copy_controller_values() populates the destination controller
structs with strncpy(), but never forces a trailing '\0'. Today the
destinations are zeroed via calloc(), but reusing an existing struct or
copying a token that fills the buffer would leave dst->name and each
control_value dst_val.{name,value} unterminated.

Guard against that by explicitly writing '\0' to the last byte of each
destination buffer after the copy.

Signed-off-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>

diff --git a/src/api.c b/src/api.c
index 4b5afeeb8389e043a743de5703d3dcc6afbc304c..47f553545e983afe009b5060fb357a993fc5ea86 100644 (file)
--- a/src/api.c
+++ b/src/api.c
@@ -2860,6 +2860,8 @@ int cgroup_copy_controller_values(struct cgroup_controller * const dst,
                return ECGFAIL;
 
        strncpy(dst->name, src->name, CONTROL_NAMELEN_MAX);
+       dst->name[CONTROL_NAMELEN_MAX - 1] = '\0';
+
        for (i = 0; i < src->index; i++, dst->index++) {
                struct control_value *src_val = src->values[i];
                struct control_value *dst_val;
@@ -2873,7 +2875,10 @@ int cgroup_copy_controller_values(struct cgroup_controller * const dst,
 
                dst_val = dst->values[i];
                strncpy(dst_val->value, src_val->value, CG_CONTROL_VALUE_MAX);
+               dst_val->value[CG_CONTROL_VALUE_MAX - 1] = '\0';
+
                strncpy(dst_val->name, src_val->name, FILENAME_MAX);
+               dst_val->name[FILENAME_MAX - 1] = '\0';
 
                if (src_val->multiline_value) {
                        dst_val->multiline_value = strdup(src_val->multiline_value);