utils: fix lxc_mount_proc_if_needed()

- check for buffer overflow - only call INFO() after we ensured that readlink() was successful - simplify logic Reported-by: Benedikt Rosenkranz beluro@web.de Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
lxc · May 29, 2017 · 3dc958d · 3dc958d
1 parent fc2ae78
commit 3dc958d
Showing 1 changed file with 17 additions and 16 deletions.
diff --git a/src/lxc/utils.c b/src/lxc/utils.c
@@ -1758,20 +1758,16 @@ int safe_mount(const char *src, const char *dest, const char *fstype,
 int lxc_mount_proc_if_needed(const char *rootfs)
 {
 	char path[MAXPATHLEN];
-	char link[20];
-	int link_to_pid, linklen, ret;
-	int mypid;
+	int link_to_pid, linklen, mypid, ret;
+	char link[LXC_NUMSTRLEN64] = {0};
 
 	ret = snprintf(path, MAXPATHLEN, "%s/proc/self", rootfs);
 	if (ret < 0 || ret >= MAXPATHLEN) {
 		SYSERROR("proc path name too long");
 		return -1;
 	}
 
-	memset(link, 0, 20);
-	linklen = readlink(path, link, 20);
-	mypid = (int)getpid();
-	INFO("I am %d, /proc/self points to \"%s\"", mypid, link);
+	linklen = readlink(path, link, LXC_NUMSTRLEN64);
 
 	ret = snprintf(path, MAXPATHLEN, "%s/proc", rootfs);
 	if (ret < 0 || ret >= MAXPATHLEN) {
@@ -1784,24 +1780,29 @@ int lxc_mount_proc_if_needed(const char *rootfs)
 		if (mkdir(path, 0755) && errno != EEXIST)
 			return -1;
 		goto domount;
+	} else if (linklen >= LXC_NUMSTRLEN64) {
+		link[linklen - 1] = '\0';
+		ERROR("readlink returned truncated content: \"%s\"", link);
+		return -1;
 	}
 
+	mypid = getpid();
+	INFO("I am %d, /proc/self points to \"%s\"", mypid, link);
+
 	if (lxc_safe_int(link, &link_to_pid) < 0)
 		return -1;
 
-	/* wrong /procs mounted */
-	if (link_to_pid != mypid) {
-		/* ignore failure */
-		umount2(path, MNT_DETACH);
-		goto domount;
-	}
+	/* correct procfs is already mounted */
+	if (link_to_pid == mypid)
+		return 0;
 
-	/* the right proc is already mounted */
-	return 0;
+	ret = umount2(path, MNT_DETACH);
+	if (ret < 0)
+		WARN("failed to umount \"%s\" with MNT_DETACH", path);
 
 domount:
 	/* rootfs is NULL */
-	if (!strcmp(rootfs,""))
+	if (!strcmp(rootfs, ""))
 		ret = mount("proc", path, "proc", 0, NULL);
 	else
 		ret = safe_mount("proc", path, "proc", 0, NULL, rootfs);