The following pull request was submitted through Github. It can be accessed and reviewed at: https://github.com/lxc/lxc/pull/3339
This e-mail was sent by the LXC bot, direct replies will not reach the author unless they happen to be subscribed to this list. === Description (from pull-request) === validate that a cgroup controller name is a valid zero-terminated string before passing it to `cgroup_ops->get_cgroup()`. Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com>
From e6bc68d691796adb535b56d93d27bf2f85b4bcd3 Mon Sep 17 00:00:00 2001 From: Wolfgang Bumiller <w.bumil...@proxmox.com> Date: Mon, 30 Mar 2020 16:01:07 +0200 Subject: [PATCH] verify cgroup controller name validate that a cgroup controller name is a valid zero-terminated string before passing it to `cgroup_ops->get_cgroup()`. Signed-off-by: Wolfgang Bumiller <w.bumil...@proxmox.com> --- src/lxc/commands.c | 37 +++++++++++++++++++++++++++++++++++-- 1 file changed, 35 insertions(+), 2 deletions(-) diff --git a/src/lxc/commands.c b/src/lxc/commands.c index 8b2d0e0b7a..991bca290e 100644 --- a/src/lxc/commands.c +++ b/src/lxc/commands.c @@ -325,6 +325,34 @@ int lxc_try_cmd(const char *name, const char *lxcpath) return 0; } +/* + * Validate that the input is a proper string parameter. If not, + * send an EINVAL response and return -1. + * + * Precondition: there is non-zero-length data available. + */ +static int validate_string_request(int fd, const struct lxc_cmd_req *req) +{ + int ret; + size_t maxlen = req->datalen - 1; + const char *data = req->data; + + if (data[maxlen] == 0 && strnlen(data, maxlen) == maxlen) + return 0; + + struct lxc_cmd_rsp rsp = { + .ret = -EINVAL, + .datalen = 0, + .data = NULL, + }; + + ret = lxc_cmd_rsp_send(fd, &rsp); + if (ret < 0) + return LXC_CMD_REAP_CLIENT_FD; + + return -1; +} + /* Implementations of the commands and their callbacks */ /* @@ -506,10 +534,15 @@ static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req, struct lxc_cmd_rsp rsp; struct cgroup_ops *cgroup_ops = handler->cgroup_ops; - if (req->datalen > 0) + if (req->datalen > 0) { + ret = validate_string_request(fd, req); + if (ret != 0) + return ret; + path = cgroup_ops->get_cgroup(cgroup_ops, req->data); - else + } else { path = cgroup_ops->get_cgroup(cgroup_ops, NULL); + } if (!path) return -1;
_______________________________________________ lxc-devel mailing list lxc-devel@lists.linuxcontainers.org http://lists.linuxcontainers.org/listinfo/lxc-devel