Merge pull request #2414 from 2xsec/bugfix

secure coding: strcpy => strlcpy

Merge pull request #2414 from 2xsec/bugfix
eaebae7d · Christian Brauner · GitHub · bbb97736 · 94b1cade · eaebae7d
Unverified Commit eaebae7d authored Jun 18, 2018 by Christian Brauner Committed by GitHub Jun 18, 2018
Showing with 29 additions and 17 deletions

criu.c src/lxc/criu.c +1 -1

lxccontainer.c src/lxc/lxccontainer.c +7 -3

network.c src/lxc/network.c +10 -7

start.c src/lxc/start.c +3 -1

btrfs.c src/lxc/storage/btrfs.c +8 -5

No files found.
--- a/src/lxc/criu.c
+++ b/src/lxc/criu.c
@@ -923,7 +923,7 @@ static bool restore_net_info(struct lxc_container *c)
 			if (!lxc_mkifname(template))
 				goto out_unlock;

-			strcpy(netdev->priv.veth_attr.veth1, template);
+			(void)strlcpy(netdev->priv.veth_attr.veth1, template, IFNAMSIZ);
 		}
 	}


--- a/src/lxc/lxccontainer.c
+++ b/src/lxc/lxccontainer.c
@@ -1192,7 +1192,8 @@ static int do_create_container_dir(const char *path, struct lxc_conf *conf)

 	len = strlen(path);
 	p = alloca(len + 1);
-	strcpy(p, path);
+	(void)strlcpy(p, path, len + 1);
+
 	if (!lxc_list_empty(&conf->id_map)) {
 		ret = chown_mapped_root(p, conf);
 		if (ret < 0)
@@ -4777,6 +4778,7 @@ out:
 struct lxc_container *lxc_container_new(const char *name, const char *configpath)
 {
 	struct lxc_container *c;
+	size_t len;

 	if (!name)
 		return NULL;
@@ -4799,12 +4801,14 @@ struct lxc_container *lxc_container_new(const char *name, const char *configpath
 	}

 	remove_trailing_slashes(c->config_path);
-	c->name = malloc(strlen(name)+1);
+
+	len = strlen(name);
+	c->name = malloc(len + 1);
 	if (!c->name) {
 		fprintf(stderr, "Failed to allocate memory for %s\n", name);
 		goto err;
 	}
-	strcpy(c->name, name);
+	(void)strlcpy(c->name, name, len + 1);

 	c->numthreads = 1;
 	c->slock = lxc_newlock(c->config_path, name);

--- a/src/lxc/network.c
+++ b/src/lxc/network.c
@@ -1992,7 +1992,7 @@ char *lxc_mkifname(char *template)
 	/* Generate random names until we find one that doesn't exist. */
 	while (true) {
 		name[0] = '\0';
-		strcpy(name, template);
+		(void)strlcpy(name, template, IFNAMSIZ);

 		exists = false;
 		for (i = 0; i < strlen(name); i++) {
@@ -2017,7 +2017,9 @@ char *lxc_mkifname(char *template)
 	}

 	freeifaddrs(ifaddr);
-	return strcpy(template, name);
+	(void)strlcpy(template, name, strlen(template) + 1);
+
+	return template;
 }

 int setup_private_host_hw_addr(char *veth1)
@@ -2108,6 +2110,7 @@ static int lxc_create_network_unpriv_exec(const char *lxcpath, const char *lxcna
 	char *token, *saveptr = NULL;
 	char netdev_link[IFNAMSIZ];
 	char buffer[MAXPATHLEN] = {0};
+	size_t retlen;

 	if (netdev->type != LXC_NET_VETH) {
 		ERROR("Network type %d not support for unprivileged use", netdev->type);
@@ -2224,12 +2227,12 @@ static int lxc_create_network_unpriv_exec(const char *lxcpath, const char *lxcna
 		return -1;
 	}

-	if (strlen(token) >= IFNAMSIZ) {
+	retlen = strlcpy(netdev->priv.veth_attr.veth1, token, IFNAMSIZ);
+	if (retlen >= IFNAMSIZ) {
 		ERROR("Host side veth device name returned by lxc-user-nic is "
 		      "too long");
 		return -E2BIG;
 	}
-	strcpy(netdev->priv.veth_attr.veth1, token);

 	/* netdev->priv.veth_attr.ifindex */
 	token = strtok_r(NULL, ":", &saveptr);
@@ -2880,9 +2883,9 @@ static int lxc_setup_netdev_in_child_namespaces(struct lxc_netdev *netdev)
 	 */
 	if (netdev->name[0] == '\0') {
 		if (netdev->type == LXC_NET_PHYS)
-			strcpy(netdev->name, netdev->link);
+			(void)strlcpy(netdev->name, netdev->link, IFNAMSIZ);
 		else
-			strcpy(netdev->name, "eth%d");
+			(void)strlcpy(netdev->name, "eth%d", IFNAMSIZ);
 	}

 	/* rename the interface name */
@@ -2908,7 +2911,7 @@ static int lxc_setup_netdev_in_child_namespaces(struct lxc_netdev *netdev)
 	 * name of the network device in the child's network namespace. We will
 	 * later on send this information back to the parent.
 	 */
-	strcpy(netdev->name, current_ifname);
+	(void)strlcpy(netdev->name, current_ifname, IFNAMSIZ);

 	/* set a mac address */
 	if (netdev->hwaddr) {

--- a/src/lxc/start.c
+++ b/src/lxc/start.c
@@ -110,9 +110,11 @@ static void print_top_failing_dir(const char *path)

 	len = strlen(path);
 	copy = alloca(len + 1);
-	strcpy(copy, path);
+	(void)strlcpy(copy, path, len + 1);
+
 	p = copy;
 	e = copy + len;
+
 	while (p < e) {
 		while (p < e && *p == '/')
 			p++;

--- a/src/lxc/storage/btrfs.c
+++ b/src/lxc/storage/btrfs.c
@@ -88,8 +88,8 @@ char *get_btrfs_subvol_path(int fd, u64 dir_id, u64 objid, char *name,
 		retpath = malloc(len);
 		if (!retpath)
 			return NULL;
-		strcpy(retpath, args.name);
-		strcat(retpath, "/");
+		(void)strlcpy(retpath, args.name, len);
+		strncat(retpath, "/", 1);
 		strncat(retpath, name, name_len);
 	} else {
 		/* we're at the root of ref_tree */
@@ -602,17 +602,20 @@ static bool update_tree_node(struct mytree_node *n, u64 id, u64 parent,
 		if (!n->name)
 			return false;

-		strcpy(n->name, name);
+		(void)strlcpy(n->name, name, name_len + 1);
 	}

 	if (dirname) {
-		n->dirname = malloc(strlen(dirname) + 1);
+		size_t len;
+
+		len = strlen(dirname);
+		n->dirname = malloc(len + 1);
 		if (!n->dirname) {
 			free(n->name);
 			return false;
 		}

-		strcpy(n->dirname, dirname);
+		(void)strlcpy(n->dirname, dirname, len + 1);
 	}
 	return true;
 }