Merge pull request #2585 from 2xsec/bugfix

caps: fix illegal access to array bound

Merge pull request #2585 from 2xsec/bugfix
59301023 · Christian Brauner · GitHub · d3aba1db · b8bcbe9b · 59301023
Unverified Commit 59301023 authored Sep 04, 2018 by Christian Brauner Committed by GitHub Sep 04, 2018
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 10 deletions

caps.c src/lxc/caps.c +2 -4

nl.c src/lxc/nl.c +0 -3

seccomp.c src/lxc/seccomp.c +2 -1

utils.c src/lxc/utils.c +2 -2

No files found.
--- a/src/lxc/caps.c
+++ b/src/lxc/caps.c
@@ -296,15 +296,13 @@ static long int _real_caps_last_cap(void)
 	if (fd >= 0) {
 		ssize_t n;
 		char *ptr;
-		char buf[INTTYPE_TO_STRLEN(int)];
+		char buf[INTTYPE_TO_STRLEN(int)] = {0};
 	again:
-		n = read(fd, buf, sizeof(buf));
+		n = read(fd, buf, sizeof(buf) - 1);
 		if (n < 0 && errno == EINTR) {
 			goto again;
 		} else if (n >= 0) {
-			buf[n] = '\0';
 			errno = 0;
 			result = strtol(buf, &ptr, 10);
 			if (!ptr || (*ptr != '\0' && *ptr != '\n') || errno != 0)

--- a/src/lxc/nl.c
+++ b/src/lxc/nl.c
@@ -32,9 +32,6 @@
 #include "nl.h"
-#define NLMSG_TAIL(nmsg) \
-        ((struct rtattr *) (((void *) (nmsg)) + NLMSG_ALIGN((nmsg)->nlmsg_len)))
 extern size_t nlmsg_len(const struct nlmsg *nlmsg)
 {
 	return nlmsg->nlmsghdr->nlmsg_len - NLMSG_HDRLEN;

--- a/src/lxc/seccomp.c
+++ b/src/lxc/seccomp.c
@@ -905,8 +905,9 @@ static int parse_config_v2(FILE *f, char *line, size_t *line_bufsz, struct lxc_c
 				}
 				cur_rule_arch = lxc_seccomp_arch_s390x;
+			}
 #endif
-			} else {
+			else {
 				goto bad_arch;
 			}

--- a/src/lxc/utils.c
+++ b/src/lxc/utils.c
@@ -898,10 +898,10 @@ static char *get_nextpath(char *path, int *offsetp, int fulllen)
 	if (offset >= fulllen)
 		return NULL;
-	while (path[offset] != '\0' && offset < fulllen)
+	while (offset < fulllen && path[offset] != '\0')
 		offset++;
-	while (path[offset] == '\0' && offset < fulllen)
+	while (offset < fulllen && path[offset] == '\0')
 		offset++;
 	*offsetp = offset;