From c0adec85a133a7ad1ef6c6d3966415f89bd06846 Mon Sep 17 00:00:00 2001
From: Serge Hallyn
Date: Mon, 20 Apr 2015 08:40:39 -0500
Subject: [PATCH] Add some more sanity checks
Limit string size in sscanf, convert some sprintfs to snprintfs (to make them future-proof), and free d in case of error.
Signed-off-by: Serge Hallyn
---
 lxcfs.c | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/lxcfs.c b/lxcfs.c
index 1312383..e99c588 100644
--- a/lxcfs.c
+++ b/lxcfs.c
@@ -888,7 +888,9 @@ static void pid_to_ns_wrapper(int sock, pid_t tpid)
 fd_set s;
 char v;
- sprintf(fnam, "/proc/%d/ns/pid", tpid);
+ ret = snprintf(fnam, sizeof(fnam), "/proc/%d/ns/pid", tpid);
+ if (ret < 0 || ret >= sizeof(fnam))
+ exit(1);
 newnsfd = open(fnam, O_RDONLY);
 if (newnsfd < 0)
 exit(1);
@@ -1140,7 +1142,9 @@ static void pid_from_ns_wrapper(int sock, pid_t tpid)
 struct timeval tv;
 char v;
- sprintf(fnam, "/proc/%d/ns/pid", tpid);
+ ret = snprintf(fnam, sizeof(fnam), "/proc/%d/ns/pid", tpid);
+ if (ret < 0 || ret >= sizeof(fnam))
+ exit(1);
 newnsfd = open(fnam, O_RDONLY);
 if (newnsfd < 0)
 exit(1);
@@ -1982,7 +1986,10 @@ static long int get_pid1_time(pid_t pid)
 return 0;
 }
- sprintf(fnam, "/proc/%d/ns/pid", pid);
+ ret = snprintf(fnam, sizeof(fnam), "/proc/%d/ns/pid", pid);
+ if (ret < 0 || ret >= sizeof(fnam))
+ return 0;
+
 fd = open(fnam, O_RDONLY);
 if (fd < 0) {
 perror("get_pid1_time open of ns/pid");
@@ -2182,7 +2189,7 @@ static int proc_diskstats_read(char *buf, size_t size, off_t offset,
 size_t l;
 char *printme, lbuf[256];
- i = sscanf(line, "%u %u %s", &major, &minor, dev_name);
+ i = sscanf(line, "%u %u %71s", &major, &minor, dev_name);
 if(i == 3){
 get_blkio_io_value(io_serviced_str, major, minor, "Read", &read);
 get_blkio_io_value(io_serviced_str, major, minor, "Write", &write);
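Review bot: In pid_to_ns_wrapper the new check `ret >= sizeof(fnam)` compares an int with a size_t; it is correct only because `ret < 0` is tested first, and it will trip -Wsign-compare. Writing it as `if (ret < 0 || (size_t)ret >= sizeof(fnam))` makes the intent explicit, and the same line appears in the pid_from_ns_wrapper and get_pid1_time hunks. The declarations of `ret` and `fnam` lie outside all three hunks, so confirm that `fnam` is a true array in each function; `sizeof(fnam)` would silently become the pointer size if it were ever turned into a heap buffer.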
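Review bot: The truncation branch added to get_pid1_time returns 0 with no message, while the open() failure just below it reports through perror(). Bracing the branch and adding `fprintf(stderr, "get_pid1_time: ns/pid path truncated\n");` before `return 0;` would keep the two failure paths distinguishable in logs. The function starts and ends outside the hunk, so how callers interpret a 0 return cannot be judged from here.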
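Review bot: The `%71s` width in proc_diskstats_read is a bare number that has to equal `sizeof(dev_name) - 1`, and the declaration of `dev_name` is outside the hunk, so the bound cannot be verified from these lines. A comment beside the call, such as `/* 71 == sizeof(dev_name) - 1; keep in sync with the declaration */`, would tie the two together. If `dev_name` is a local array and the build allows C11, `_Static_assert(sizeof(dev_name) == 72, "sscanf width");` would enforce it. Without one of these, a later resize of the buffer could quietly reintroduce the overflow this change closes.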
@@ -2607,7 +2614,7 @@ void swallow_option(int *argcp, char *argv[], char *opt, char *v)
 int main(int argc, char *argv[])
 {
- int ret;
+ int ret = -1;
 struct lxcfs_state *d = NULL;
 /*
 * what we pass to fuse_main is:
@@ -2638,10 +2645,11 @@ int main(int argc, char *argv[])
 fprintf(stderr, "WARNING: failed to escape to root cgroup\n");
 if (!cgm_get_controllers(&d->subsystems))
- return -1;
+ goto out;
 ret = fuse_main(NARGS - 1, newargv, &lxcfs_ops, d);
+out:
 free(d);
 return ret;
 }
--
2.39.5
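Review bot: The `goto out` in main covers only the cgm_get_controllers failure. Any earlier `return` between the allocation of `d` and this point lies outside the two hunks and would still skip `free(d)`, so those paths should be checked and routed to `out` as well. The label also releases only `d` itself; if cgm_get_controllers can leave a partly filled `d->subsystems` on failure (not visible here), that memory stays allocated. A short comment at the label, e.g. `/* single exit: ret stays -1 unless fuse_main ran */`, would document why `ret` is now initialised.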