confile: enforce maximum subkey length

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

confile: enforce maximum subkey length
ae393e13 · Christian Brauner · c3cef319 · ae393e13
Unverified Commit ae393e13 authored Apr 06, 2021 by Christian Brauner
Show whitespace changes
Inline Side-by-side

Showing with 18 additions and 4 deletions

confile.c src/lxc/confile.c +18 -4

No files found.
--- a/src/lxc/confile.c
+++ b/src/lxc/confile.c
@@ -300,12 +300,22 @@ struct lxc_config_t *lxc_get_config_exact(const char *key)
 	return NULL;
 }
-static inline bool match_config_item(const struct lxc_config_t *entry,
+/* Assume a reasonable subkey size limit. */
-				     const char *key)
+#define LXC_SUBKEY_LEN_MAX 256
+static inline int match_config_item(const struct lxc_config_t *entry, const char *key)
 {
+	size_t len;
 	if (entry->strict)
 		return strequal(entry->name, key);
-	return strnequal(entry->name, key, strlen(entry->name));
+	/* There should be no subkey longer than this. */
+	len = strnlen(entry->name, LXC_SUBKEY_LEN_MAX);
+	if (len == LXC_SUBKEY_LEN_MAX)
+		return error_ret(-E2BIG, "Excessive subkey length");
+	return strnequal(entry->name, key, len);
 }
 struct lxc_config_t *lxc_get_config(const char *key)
@@ -313,8 +323,12 @@ struct lxc_config_t *lxc_get_config(const char *key)
 	for (size_t i = 0; i < ARRAY_SIZE(config_jump_table); i++) {
 		struct lxc_config_t *cur = &config_jump_table[i];
-		if (!match_config_item(cur, key))
+		switch (match_config_item(cur, key)) {
+		case 0:
 			continue;
+		case -E2BIG:
+			return NULL;
+		}
 		return cur;
 	}