1. prctl() only accepts longs, so we can just scan the stat file as longs. 2. check overflow before addition
Signed-off-by: Tycho Andersen <tycho.ander...@canonical.com> --- src/lxc/utils.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/src/lxc/utils.c b/src/lxc/utils.c index 1df6e8f..cc12ecd 100644 --- a/src/lxc/utils.c +++ b/src/lxc/utils.c @@ -1599,7 +1599,7 @@ int setproctitle(char *title) char buf[2048], *tmp; FILE *f; int i, len, ret = 0; - unsigned long arg_start, arg_end, env_start, env_end; + long arg_start, arg_end, env_start, env_end; f = fopen_cloexec("/proc/self/stat", "r"); if (!f) { @@ -1624,7 +1624,7 @@ int setproctitle(char *title) if (!tmp) return -1; - i = sscanf(tmp, "%lu %lu %lu %lu", &arg_start, &arg_end, &env_start, &env_end); + i = sscanf(tmp, "%ld %ld %ld %ld", &arg_start, &arg_end, &env_start, &env_end); if (i != 4) { return -1; } @@ -1644,15 +1644,21 @@ int setproctitle(char *title) if (len >= arg_end - arg_start) { env_start = env_end; } + + /* check overflow */ + if (arg_start + len < 0) { + return -1; + } + arg_end = arg_start + len; } strcpy((char*)arg_start, title); - ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_START, (long)arg_start, 0, 0); - ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_END, (long)arg_end, 0, 0); - ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_START, (long)env_start, 0, 0); - ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_END, (long)env_end, 0, 0); + ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_START, arg_start, 0, 0); + ret |= prctl(PR_SET_MM, PR_SET_MM_ARG_END, arg_end, 0, 0); + ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_START, env_start, 0, 0); + ret |= prctl(PR_SET_MM, PR_SET_MM_ENV_END, env_end, 0, 0); return ret; } -- 2.1.4 _______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel
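Review bot: In the second hunk (`@@ -1624,7 +1624,7 @@`), `sscanf(tmp, "%ld %ld %ld %ld", ...)` cannot represent an address above `LONG_MAX`, and the C standard leaves the result of an unrepresentable scanf conversion undefined. On 32-bit builds the argument and environment area can lie in the upper half of the address space, so the parsed value may already be wrong when it reaches `strcpy((char*)arg_start, title)` in the third hunk. I would keep the four fields `unsigned long`, parse them with `%lu`, and convert only at the `prctl()` calls. A sanity check after the `i != 4` test, such as `if (arg_end < arg_start || env_end < env_start) return -1;`, would also reject a malformed line before the values are used as pointers. setproctitle() starts and ends outside this hunk.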
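Review bot: The added guard `if (arg_start + len < 0)` in the third hunk (`@@ -1644,15 +1644,21 @@`) tests for overflow only after performing the signed addition, which is undefined behaviour in C, so an optimising compiler is entitled to remove the check. Compare against the limit before adding instead: `if (len < 0 || arg_start > LONG_MAX - len) return -1;` (this needs `<limits.h>`). How `len` is computed is outside the hunk, so the `len < 0` half is a precaution rather than a known case. The function begins before this hunk.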