Merge pull request #2419 from 2xsec/bugfix

secure coding: strcat => strncat

Merge pull request #2419 from 2xsec/bugfix
3cc0d428 · Christian Brauner · GitHub · 13413325 · 25aced9f · 3cc0d428
Unverified Commit 3cc0d428 authored Jun 22, 2018 by Christian Brauner Committed by GitHub Jun 22, 2018
8 changed files
--- a/src/lxc/cgroups/cgfsng.c
+++ b/src/lxc/cgroups/cgfsng.c
@@ -58,6 +58,14 @@
 #include "storage/storage.h"
 #include "utils.h"
+#ifndef HAVE_STRLCPY
+#include "include/strlcpy.h"
+#endif
+#ifndef HAVE_STRLCAT
+#include "include/strlcat.h"
+#endif
 lxc_log_define(lxc_cgfsng, lxc);
 static void free_string_list(char **clist)
@@ -1195,19 +1203,23 @@ static bool cg_unified_create_cgroup(struct hierarchy *h, char *cgname)
 	 * some thinking.
 	 */
 	for (it = h->controllers; it && *it; it++) {
-                full_len += strlen(*it) + 2;
+		full_len += strlen(*it) + 2;
-                add_controllers = must_realloc(add_controllers, full_len + 1);
+		add_controllers = must_realloc(add_controllers, full_len + 1);
-                if (h->controllers[0] == *it)
-                        add_controllers[0] = '\0';
+		if (h->controllers[0] == *it)
-                strcat(add_controllers, "+");
+			add_controllers[0] = '\0';
-                strcat(add_controllers, *it);
-                if ((it + 1) && *(it + 1))
+		(void)strlcat(add_controllers, "+", full_len + 1);
-                        strcat(add_controllers, " ");
+		(void)strlcat(add_controllers, *it, full_len + 1);
+		if ((it + 1) && *(it + 1))
+			(void)strlcat(add_controllers, " ", full_len + 1);
 	}
 	parts = lxc_string_split(cgname, '/');
 	if (!parts)
 		goto on_error;
 	parts_len = lxc_array_len((void **)parts);
 	if (parts_len > 0)
 		parts_len--;
@@ -1301,9 +1313,10 @@ static inline bool cgfsng_create(struct cgroup_ops *ops,
 		ERROR("Failed expanding cgroup name pattern");
 		return false;
 	}
 	len = strlen(tmp) + 5; /* leave room for -NNN\0 */
 	container_cgroup = must_alloc(len);
-	strcpy(container_cgroup, tmp);
+	(void)strlcpy(container_cgroup, tmp, len);
 	free(tmp);
 	offset = container_cgroup + len - 5;
@@ -1942,7 +1955,7 @@ static int __cg_unified_attach(const struct hierarchy *h, const char *name,
 		if (ret < 0 && errno != EEXIST)
 			goto on_error;
-		strcat(full_path, "/cgroup.procs");
+		(void)strlcat(full_path, "/cgroup.procs", len + 1);
 		ret = lxc_write_to_file(full_path, pidstr, len, false, 0666);
 		if (ret == 0)
 			goto on_success;
@@ -2022,7 +2035,8 @@ static int cgfsng_get(struct cgroup_ops *ops, const char *filename, char *value,
 	controller_len = strlen(filename);
 	controller = alloca(controller_len + 1);
-	strcpy(controller, filename);
+	(void)strlcpy(controller, filename, controller_len + 1);
 	p = strchr(controller, '.');
 	if (p)
 		*p = '\0';
@@ -2059,7 +2073,8 @@ static int cgfsng_set(struct cgroup_ops *ops, const char *filename,
 	controller_len = strlen(filename);
 	controller = alloca(controller_len + 1);
-	strcpy(controller, filename);
+	(void)strlcpy(controller, filename, controller_len + 1);
 	p = strchr(controller, '.');
 	if (p)
 		*p = '\0';
@@ -2176,7 +2191,8 @@ static int cg_legacy_set_data(struct cgroup_ops *ops, const char *filename,
 	len = strlen(filename);
 	controller = alloca(len + 1);
-	strcpy(controller, filename);
+	(void)strlcpy(controller, filename, len + 1);
 	p = strchr(controller, '.');
 	if (p)
 		*p = '\0';

--- a/src/lxc/conf.c
+++ b/src/lxc/conf.c
@@ -76,6 +76,10 @@
 #include <sys/personality.h>
 #endif
+#ifndef HAVE_STRLCAT
+#include "include/strlcat.h"
+#endif
 #if IS_BIONIC
 #include <../include/lxcmntent.h>
 #else
@@ -841,6 +845,7 @@ static int lxc_setup_dev_symlinks(const struct lxc_rootfs *rootfs)
 static bool append_ttyname(char **pp, char *name)
 {
 	char *p;
+	size_t size;
 	if (!*pp) {
 		*pp = malloc(strlen(name) + strlen("container_ttys=") + 1);
@@ -851,13 +856,14 @@ static bool append_ttyname(char **pp, char *name)
 		return true;
 	}
-	p = realloc(*pp, strlen(*pp) + strlen(name) + 2);
+	size = strlen(*pp) + strlen(name) + 2;
+	p = realloc(*pp, size);
 	if (!p)
 		return false;
 	*pp = p;
-	strcat(p, " ");
+	(void)strlcat(p, " ", size);
-	strcat(p, name);
+	(void)strlcat(p, name, size);
 	return true;
 }
@@ -1788,7 +1794,7 @@ static int lxc_setup_console(const struct lxc_rootfs *rootfs,
 	return lxc_setup_ttydir_console(rootfs, console, ttydir);
 }
-static void parse_mntopt(char *opt, unsigned long *flags, char **data)
+static void parse_mntopt(char *opt, unsigned long *flags, char **data, size_t size)
 {
 	struct mount_opt *mo;
@@ -1806,14 +1812,16 @@ static void parse_mntopt(char *opt, unsigned long *flags, char **data)
 	}
 	if (strlen(*data))
-		strcat(*data, ",");
+		(void)strlcat(*data, ",", size);
-	strcat(*data, opt);
+	(void)strlcat(*data, opt, size);
 }
 int parse_mntopts(const char *mntopts, unsigned long *mntflags, char **mntdata)
 {
 	char *data, *p, *s;
 	char *saveptr = NULL;
+	size_t size;
 	*mntdata = NULL;
 	*mntflags = 0L;
@@ -1825,7 +1833,8 @@ int parse_mntopts(const char *mntopts, unsigned long *mntflags, char **mntdata)
 	if (!s)
 		return -1;
-	data = malloc(strlen(s) + 1);
+	size = strlen(s) + 1;
+	data = malloc(size);
 	if (!data) {
 		free(s);
 		return -1;
@@ -1833,7 +1842,7 @@ int parse_mntopts(const char *mntopts, unsigned long *mntflags, char **mntdata)
 	*data = 0;
 	for (; (p = strtok_r(s, ",", &saveptr)); s = NULL)
-		parse_mntopt(p, mntflags, &data);
+		parse_mntopt(p, mntflags, &data, size);
 	if (*data)
 		*mntdata = data;

--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -69,6 +69,10 @@
 #include "include/strlcpy.h"
 #endif
+#ifndef HAVE_STRLCAT
+#include "include/strlcat.h"
+#endif
 lxc_log_define(lxc_confile, lxc);
 #define lxc_config_define(name)                                                \
@@ -2060,10 +2064,11 @@ int append_unexp_config_line(const char *line, struct lxc_conf *conf)
 		conf->unexpanded_config = tmp;
 		conf->unexpanded_alloced += 1024;
 	}
-	strcat(conf->unexpanded_config, line);
+	(void)strlcat(conf->unexpanded_config, line, conf->unexpanded_alloced);
 	conf->unexpanded_len += linelen;
 	if (line[linelen - 1] != '\n') {
-		strcat(conf->unexpanded_config, "\n");
+		(void)strlcat(conf->unexpanded_config, "\n", conf->unexpanded_alloced);
 		conf->unexpanded_len++;
 	}

--- a/src/lxc/pam/pam_cgfs.c
+++ b/src/lxc/pam/pam_cgfs.c
@@ -63,6 +63,10 @@
 #include "include/strlcpy.h"
 #endif
+#ifndef HAVE_STRLCAT
+#include "include/strlcat.h"
+#endif
 #define pam_cgfs_debug_stream(stream, format, ...)                                \
 	do {                                                                   \
 		fprintf(stream, "%s: %d: %s: " format, __FILE__, __LINE__,     \
@@ -1617,6 +1621,7 @@ static char *string_join(const char *sep, const char **parts, bool use_as_prefix
 	char **p;
 	size_t sep_len = strlen(sep);
 	size_t result_len = use_as_prefix * sep_len;
+	size_t buf_len;
 	if (!parts)
 		return NULL;
@@ -1625,17 +1630,18 @@ static char *string_join(const char *sep, const char **parts, bool use_as_prefix
 	for (p = (char **)parts; *p; p++)
 		result_len += (p > (char **)parts) * sep_len + strlen(*p);
-	result = calloc(result_len + 1, sizeof(char));
+	buf_len = result_len + 1;
+	result = calloc(buf_len, sizeof(char));
 	if (!result)
 		return NULL;
 	if (use_as_prefix)
-		(void)strlcpy(result, sep, (result_len + 1) * sizeof(char));
+		(void)strlcpy(result, sep, buf_len * sizeof(char));
 	for (p = (char **)parts; *p; p++) {
 		if (p > (char **)parts)
-			strcat(result, sep);
+			(void)strlcat(result, sep, buf_len * sizeof(char));
-		strcat(result, *p);
+		(void)strlcat(result, *p, buf_len * sizeof(char));
 	}
 	return result;

--- a/src/lxc/pam/utils.c
+++ b/src/lxc/pam/utils.c
@@ -33,6 +33,10 @@
 #include "utils.h"
+#ifndef HAVE_STRLCAT
+#include "include/strlcat.h"
+#endif
 bool file_exists(const char *f)
 {
 	struct stat statbuf;
@@ -69,6 +73,7 @@ char *must_make_path(const char *first, ...)
 	va_list args;
 	char *cur, *dest;
 	size_t full_len = strlen(first);
+	size_t buf_len;
 	dest = must_copy_string(first);
@@ -77,10 +82,13 @@ char *must_make_path(const char *first, ...)
 		full_len += strlen(cur);
 		if (cur[0] != '/')
 			full_len++;
-		dest = must_realloc(dest, full_len + 1);
+		buf_len = full_len + 1;
+		dest = must_realloc(dest, buf_len);
 		if (cur[0] != '/')
-			strcat(dest, "/");
+			(void)strlcat(dest, "/", buf_len);
-		strcat(dest, cur);
+		(void)strlcat(dest, cur, buf_len);
 	}
 	va_end(args);

--- a/src/lxc/storage/btrfs.c
+++ b/src/lxc/storage/btrfs.c
@@ -63,7 +63,7 @@ char *get_btrfs_subvol_path(int fd, u64 dir_id, u64 objid, char *name,
 {
 	struct btrfs_ioctl_ino_lookup_args args;
 	int ret, e;
-	size_t len;
+	size_t len, retlen;
 	char *retpath;
 	memset(&args, 0, sizeof(args));
@@ -92,18 +92,33 @@ char *get_btrfs_subvol_path(int fd, u64 dir_id, u64 objid, char *name,
 		retpath = malloc(len);
 		if (!retpath)
 			return NULL;
 		(void)strlcpy(retpath, args.name, len);
-		(void)strlcat(retpath, "/", 1);
+		(void)strlcat(retpath, "/", len);
-		(void)strlcat(retpath, name, name_len);
+		retlen = strlcat(retpath, name, len);
+		if (retlen >= len) {
+			ERROR("Failed to append name - %s\n", name);
+			free(retpath);
+			return NULL;
+		}
 	} else {
 		/* we're at the root of ref_tree */
 		len = name_len + 1;
 		retpath = malloc(len);
 		if (!retpath)
 			return NULL;
 		*retpath = '\0';
-		(void)strlcat(retpath, name, name_len);
+		retlen = strlcat(retpath, name, len);
+		if (retlen >= len) {
+			ERROR("Failed to append name - %s\n", name);
+			free(retpath);
+			return NULL;
+		}
 	}
 	return retpath;
 }

--- a/src/lxc/tools/tool_utils.c
+++ b/src/lxc/tools/tool_utils.c
@@ -52,6 +52,10 @@
 #include "include/strlcpy.h"
 #endif
+#ifndef HAVE_STRLCAT
+#include "include/strlcat.h"
+#endif
 int lxc_fill_elevated_privileges(char *flaglist, int *flags)
 {
 	char *token, *saveptr = NULL;
@@ -503,22 +507,24 @@ char *lxc_string_join(const char *sep, const char **parts, bool use_as_prefix)
 	char **p;
 	size_t sep_len = strlen(sep);
 	size_t result_len = use_as_prefix * sep_len;
+	size_t buf_len;
 	/* calculate new string length */
 	for (p = (char **)parts; *p; p++)
 		result_len += (p > (char **)parts) * sep_len + strlen(*p);
-	result = calloc(result_len + 1, 1);
+	buf_len = result_len + 1;
+	result = calloc(buf_len, 1);
 	if (!result)
 		return NULL;
 	if (use_as_prefix)
-		(void)strlcpy(result, sep, result_len + 1);
+		(void)strlcpy(result, sep, buf_len);
 	for (p = (char **)parts; *p; p++) {
 		if (p > (char **)parts)
-			strcat(result, sep);
+			(void)strlcat(result, sep, buf_len);
-		strcat(result, *p);
+		(void)strlcat(result, *p, buf_len);
 	}
 	return result;
@@ -1071,6 +1077,7 @@ char *must_make_path(const char *first, ...)
 	va_list args;
 	char *cur, *dest;
 	size_t full_len = strlen(first);
+	size_t buf_len;
 	dest = must_copy_string(first);
@@ -1079,10 +1086,13 @@ char *must_make_path(const char *first, ...)
 		full_len += strlen(cur);
 		if (cur[0] != '/')
 			full_len++;
-		dest = must_realloc(dest, full_len + 1);
+		buf_len = full_len + 1;
+		dest = must_realloc(dest, buf_len);
 		if (cur[0] != '/')
-			strcat(dest, "/");
+			(void)strlcat(dest, "/", buf_len);
-		strcat(dest, cur);
+		(void)strlcat(dest, cur, buf_len);
 	}
 	va_end(args);

--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -55,6 +55,10 @@
 #include "include/strlcpy.h"
 #endif
+#ifndef HAVE_STRLCAT
+#include "include/strlcat.h"
+#endif
 #ifndef O_PATH
 #define O_PATH      010000000
 #endif
@@ -635,22 +639,24 @@ char *lxc_string_join(const char *sep, const char **parts, bool use_as_prefix)
 	char **p;
 	size_t sep_len = strlen(sep);
 	size_t result_len = use_as_prefix * sep_len;
+	size_t buf_len;
 	/* calculate new string length */
 	for (p = (char **)parts; *p; p++)
 		result_len += (p > (char **)parts) * sep_len + strlen(*p);
-	result = calloc(result_len + 1, 1);
+	buf_len = result_len + 1;
+	result = calloc(buf_len, 1);
 	if (!result)
 		return NULL;
 	if (use_as_prefix)
-		(void)strlcpy(result, sep, result_len + 1);
+		(void)strlcpy(result, sep, buf_len);
 	for (p = (char **)parts; *p; p++) {
 		if (p > (char **)parts)
-			strcat(result, sep);
+			(void)strlcat(result, sep, buf_len);
-		strcat(result, *p);
+		(void)strlcat(result, *p, buf_len);
 	}
 	return result;
@@ -2310,6 +2316,7 @@ char *must_make_path(const char *first, ...)
 	va_list args;
 	char *cur, *dest;
 	size_t full_len = strlen(first);
+	size_t buf_len;
 	dest = must_copy_string(first);
@@ -2318,10 +2325,13 @@ char *must_make_path(const char *first, ...)
 		full_len += strlen(cur);
 		if (cur[0] != '/')
 			full_len++;
-		dest = must_realloc(dest, full_len + 1);
+		buf_len = full_len + 1;
+		dest = must_realloc(dest, buf_len);
 		if (cur[0] != '/')
-			strcat(dest, "/");
+			(void)strlcat(dest, "/", buf_len);
-		strcat(dest, cur);
+		(void)strlcat(dest, cur, buf_len);
 	}
 	va_end(args);
@@ -2334,21 +2344,21 @@ char *must_append_path(char *first, ...)
 	size_t full_len;
 	va_list args;
 	char *dest = first;
+	size_t buf_len;
 	full_len = strlen(first);
 	va_start(args, first);
 	while ((cur = va_arg(args, char *)) != NULL) {
 		full_len += strlen(cur);
 		if (cur[0] != '/')
 			full_len++;
-		dest = must_realloc(dest, full_len + 1);
+		buf_len = full_len + 1;
+		dest = must_realloc(dest, buf_len);
 		if (cur[0] != '/')
-			strcat(dest, "/");
+			(void)strlcat(dest, "/", buf_len);
+		(void)strlcat(dest, cur, buf_len);
-		strcat(dest, cur);
 	}
 	va_end(args);