jail: protect against strcat buffer overflows

Coverity CID: 1490012 Copy into fixed size buffer

Signed-off-by: Daniel Golle <daniel@makrotopia.org>

diff --git a/jail/jail.c b/jail/jail.c
index c02095b4a00ae0b0b3ff976f271266b981cb6d50..1af01618d66aa0c163c109edf510f6330082159c 100644 (file)
--- a/jail/jail.c
+++ b/jail/jail.c
@@ -2186,21 +2186,24 @@ static int parseOCIlinux(struct blob_attr *msg)
        if (tb[OCI_LINUX_CGROUPSPATH]) {
                cgpath = blobmsg_get_string(tb[OCI_LINUX_CGROUPSPATH]);
                if (cgpath[0] == '/') {
-                       if (strlen(cgpath) >= (sizeof(cgfullpath) - strlen(cgfullpath)))
+                       if (strlen(cgpath) + 1 >= (sizeof(cgfullpath) - strlen(cgfullpath)))
                                return E2BIG;
 
                        strcat(cgfullpath, cgpath);
                } else {
                        strcat(cgfullpath, "/containers/");
-                       strcat(cgfullpath, opts.name); /* should be container name rather than jail name */
-                       strcat(cgfullpath, "/");
-                       if (strlen(cgpath) >= (sizeof(cgfullpath) - strlen(cgfullpath)))
+                       if (strlen(opts.name) + strlen(cgpath) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath)))
                                return E2BIG;
 
+                       strcat(cgfullpath, opts.name); /* should be container name rather than jail name */
+                       strcat(cgfullpath, "/");
                        strcat(cgfullpath, cgpath);
                }
        } else {
                strcat(cgfullpath, "/containers/");
+               if (2 * strlen(opts.name) + 2 >= (sizeof(cgfullpath) - strlen(cgfullpath)))
+                       return E2BIG;
+
                strcat(cgfullpath, opts.name); /* should be container name rather than jail name */
                strcat(cgfullpath, "/");
                strcat(cgfullpath, opts.name); /* should be container instance name rather than jail name */