When the no_new_privs parameter is given, the size of the array which
contains the argv pointers is not increased in instance_jail_parse()
which causes a buffer overflow. Fix this by requesting one more entry in
instance_jail_parse() for the allocation.

Fixes: dfd5816bcbef ("instance, ujail: wire no_new_privs (-c) option")
Cc: Etienne CHAMPETIER <champetier.etie...@gmail.com>
Signed-off-by: Hauke Mehrtens <ha...@hauke-m.de>
---
 service/instance.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/service/instance.c b/service/instance.c
index b4284e7..4bb2207 100644
--- a/service/instance.c
+++ b/service/instance.c
@@ -829,6 +829,9 @@ instance_jail_parse(struct service_instance *in, struct 
blob_attr *attr)
        if (in->seccomp)
                jail->argc += 2;
 
+       if (in->no_new_privs)
+               jail->argc++;
+
        return 1;
 }
 
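Review bot: the new `jail->argc++` under `in->no_new_privs` carries no comment saying which argv entry it reserves, and this hand-maintained count is what went out of sync when the option was wired in (per the Fixes tag). Consider a short comment naming the `-c` flag next to the increment, matching whatever the `in->seccomp` branch's `+= 2` stands for, and an assertion in the code that fills the argv array that the number of entries written never exceeds `jail->argc`, so that a future option added without touching instance_jail_parse() fails visibly instead of writing past the allocation.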
-- 
2.20.1

