string_utils: fix global buffer overflow issue

author 2xsec <dh48.jeong@samsung.com>

Thu, 18 Oct 2018 06:16:54 +0000 (15:16 +0900)

committer 2xsec <dh48.jeong@samsung.com>

Thu, 18 Oct 2018 06:16:54 +0000 (15:16 +0900)
author 2xsec <dh48.jeong@samsung.com>
Thu, 18 Oct 2018 06:16:54 +0000 (15:16 +0900)
committer 2xsec <dh48.jeong@samsung.com>
Thu, 18 Oct 2018 06:16:54 +0000 (15:16 +0900)
diff --git a/src/lxc/string_utils.c b/src/lxc/string_utils.c

index fb46109b923be944bd4cdd12439ce9809ccae5d8..7bc99c4282978077b02086469545215868a57b6b 100644 (file)
--- a/src/lxc/string_utils.c
+++ b/src/lxc/string_utils.c
@@ -784,24 +784,32 @@ char *must_make_path(const char *first, ...)
         char *cur, *dest;
         size_t full_len = strlen(first);
         size_t buf_len;
+       size_t cur_len;
  
         dest = must_copy_string(first);
+       cur_len = full_len;
  
         va_start(args, first);
         while ((cur = va_arg(args, char *)) != NULL) {
-               full_len += strlen(cur);
+               buf_len = strlen(cur);
+
+               full_len += buf_len;
                 if (cur[0] != '/')
                         full_len++;
  
-               buf_len = full_len + 1;
-               dest = must_realloc(dest, buf_len);
+               dest = must_realloc(dest, full_len + 1);
  
-               if (cur[0] != '/')
-                       (void)strlcat(dest, "/", buf_len);
-               (void)strlcat(dest, cur, buf_len);
+               if (cur[0] != '/') {
+                       memcpy(dest + cur_len, "/", 1);
+                       cur_len++;
+               }
+
+               memcpy(dest + cur_len, cur, buf_len);
+               cur_len += buf_len;
         }
         va_end(args);
  
+       dest[cur_len] = '\0';
         return dest;
  }
  
@@ -812,23 +820,32 @@ char *must_append_path(char *first, ...)
         va_list args;
         char *dest = first;
         size_t buf_len;
+       size_t cur_len;
  
         full_len = strlen(first);
+       cur_len = full_len;
+
         va_start(args, first);
         while ((cur = va_arg(args, char *)) != NULL) {
-               full_len += strlen(cur);
+               buf_len = strlen(cur);
+
+               full_len += buf_len;
                 if (cur[0] != '/')
                         full_len++;
  
-               buf_len = full_len + 1;
-               dest = must_realloc(dest, buf_len);
+               dest = must_realloc(dest, full_len + 1);
  
-               if (cur[0] != '/')
-                       (void)strlcat(dest, "/", buf_len);
-               (void)strlcat(dest, cur, buf_len);
+               if (cur[0] != '/') {
+                       memcpy(dest + cur_len, "/", 1);
+                       cur_len++;
+               }
+
+               memcpy(dest + cur_len, cur, buf_len);
+               cur_len += buf_len;
         }
         va_end(args);
  
+       dest[cur_len] = '\0';
         return dest;
  }
author	2xsec <dh48.jeong@samsung.com>
	Thu, 18 Oct 2018 06:16:54 +0000 (15:16 +0900)
committer	2xsec <dh48.jeong@samsung.com>
	Thu, 18 Oct 2018 06:16:54 +0000 (15:16 +0900)