fix possible buffer overflow

strncat only returns its first argument and not the end of the written string. Thus "buf-pos" is always 0 and consquently no range check is performed. Signed-off-by: Niklas Eiling <niklas.eiling@rwth-aachen.de>

fix possible buffer overflow
a17fa3c0 · Niklas Eiling · cb82ed39 · a17fa3c0
Commit a17fa3c0 authored Mar 30, 2016 by Niklas Eiling
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 5 deletions

criu.c src/lxc/criu.c +6 -5

No files found.
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -126,8 +126,8 @@ static void exec_criu(struct criu_opts *opts)
 	int netnr = 0;
 	struct lxc_list *it;

-	char buf[4096], *pos, tty_info[32];
-
+	char buf[4096], tty_info[32];
+	size_t pos;
 	/* If we are currently in a cgroup /foo/bar, and the container is in a
 	 * cgroup /lxc/foo, lxcfs will give us an ENOENT if some task in the
 	 * container has an open fd that points to one of the cgroup files
@@ -363,10 +363,11 @@ static void exec_criu(struct criu_opts *opts)
 	argv[argc] = NULL;

 	buf[0] = 0;
-	pos = buf;
+	pos = 0;
 	for (i = 0; argv[i]; i++) {
-		pos = strncat(buf, argv[i], buf + sizeof(buf) - pos);
-		pos = strncat(buf, " ", buf + sizeof(buf) - pos);
+		strncat(buf, argv[i], sizeof(buf) - pos - 1);
+		strncat(buf, " ", sizeof(buf) - pos - 1);
+		pos += strlen(argv[i]);
 	}

 	INFO("execing: %s", buf);