log: sanity check the returned value from snprintf()

The returned value from snprintf() should be checked carefully. This bug can be leveraged to execute arbitrary code through carefully constructing the payload, e.g, lxc-freeze -n `python -c "print 'AAAAAAAA' + 'B'*959"` -P PADPAD -o /tmp/log This command running on Ubuntu 14.04 (x86-64) can cause a segment fault. Signed-off-by: Lans Zhang <jia.zhang@windriver.com>

log: sanity check the returned value from snprintf()
dff34a76 · Lans Zhang · Stéphane Graber · 957edbf8 · dff34a76
Commit dff34a76 authored Oct 10, 2016 by Lans Zhang Committed by Stéphane Graber Nov 17, 2016
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 3 deletions

log.c src/lxc/log.c +6 -3

No files found.
--- a/src/lxc/log.c
+++ b/src/lxc/log.c
@@ -101,10 +101,13 @@ static int log_append_logfile(const struct lxc_log_appender *appender,
 		     event->locinfo->file, event->locinfo->func,
 		     event->locinfo->line);
-	n += vsnprintf(buffer + n, sizeof(buffer) - n, event->fmt,
+	if (n < 0)
-		       *event->vap);
+		return n;
-	if (n >= sizeof(buffer) - 1) {
+	if (n < sizeof(buffer) - 1)
+		n += vsnprintf(buffer + n, sizeof(buffer) - n, event->fmt,
+			       *event->vap);
+	else {
 		WARN("truncated next event from %d to %zd bytes", n,
 		     sizeof(buffer));
 		n = sizeof(buffer) - 1;