Skip to content

L
lxc
Unverified Commit 84f69331 by 2xsec Committed by Christian Brauner
Options

string_utils: fix global buffer overflow issue

Signed-off-by: 's avatar2xsec <dh48.jeong@samsung.com>
parent 6ca9fedb
Showing with 29 additions and 12 deletions
src/lxc/string_utils.c
......@@ -784,24 +784,32 @@ char *must_make_path(const char *first, ...)
char *cur, *dest;
size_t full_len = strlen(first);
size_t buf_len;
size_t cur_len;
dest = must_copy_string(first);
cur_len = full_len;
va_start(args, first);
while ((cur = va_arg(args, char *)) != NULL) {
full_len += strlen(cur);
buf_len = strlen(cur);
full_len += buf_len;
if (cur[0] != '/')
full_len++;
buf_len = full_len + 1;
dest = must_realloc(dest, buf_len);
dest = must_realloc(dest, full_len + 1);
if (cur[0] != '/')
(void)strlcat(dest, "/", buf_len);
(void)strlcat(dest, cur, buf_len);
if (cur[0] != '/') {
memcpy(dest + cur_len, "/", 1);
cur_len++;
}
memcpy(dest + cur_len, cur, buf_len);
cur_len += buf_len;
}
va_end(args);
dest[cur_len] = '\0';
return dest;
}
......@@ -812,23 +820,32 @@ char *must_append_path(char *first, ...)
va_list args;
char *dest = first;
size_t buf_len;
size_t cur_len;
full_len = strlen(first);
cur_len = full_len;
va_start(args, first);
while ((cur = va_arg(args, char *)) != NULL) {
full_len += strlen(cur);
buf_len = strlen(cur);
full_len += buf_len;
if (cur[0] != '/')
full_len++;
buf_len = full_len + 1;
dest = must_realloc(dest, buf_len);
dest = must_realloc(dest, full_len + 1);
if (cur[0] != '/')
(void)strlcat(dest, "/", buf_len);
(void)strlcat(dest, cur, buf_len);
if (cur[0] != '/') {
memcpy(dest + cur_len, "/", 1);
cur_len++;
}
memcpy(dest + cur_len, cur, buf_len);
cur_len += buf_len;
}
va_end(args);
dest[cur_len] = '\0';
return dest;
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment