verify cgroup controller name

validate that a cgroup controller name is a valid
zero-terminated string before passing it to
`cgroup_ops->get_cgroup()`.

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>

diff --git a/src/lxc/commands.c b/src/lxc/commands.c
index 8b2d0e0b7ab1fc020379bd377546b4af72fb30c7..991bca290e21c0a6e99d12b0643f1c44296d7ce0 100644 (file)
--- a/src/lxc/commands.c
+++ b/src/lxc/commands.c
@@ -325,6 +325,34 @@ int lxc_try_cmd(const char *name, const char *lxcpath)
        return 0;
 }
 
+/*
+ * Validate that the input is a proper string parameter. If not,
+ * send an EINVAL response and return -1.
+ *
+ * Precondition: there is non-zero-length data available.
+ */
+static int validate_string_request(int fd, const struct lxc_cmd_req *req)
+{
+       int ret;
+       size_t maxlen = req->datalen - 1;
+       const char *data = req->data;
+
+       if (data[maxlen] == 0 && strnlen(data, maxlen) == maxlen)
+               return 0;
+
+       struct lxc_cmd_rsp rsp = {
+               .ret = -EINVAL,
+               .datalen = 0,
+               .data = NULL,
+       };
+
+       ret = lxc_cmd_rsp_send(fd, &rsp);
+       if (ret < 0)
+               return LXC_CMD_REAP_CLIENT_FD;
+
+       return -1;
+}
+
 /* Implementations of the commands and their callbacks */
 
 /*
@@ -506,10 +534,15 @@ static int lxc_cmd_get_cgroup_callback(int fd, struct lxc_cmd_req *req,
        struct lxc_cmd_rsp rsp;
        struct cgroup_ops *cgroup_ops = handler->cgroup_ops;
 
-       if (req->datalen > 0)
+       if (req->datalen > 0) {
+               ret = validate_string_request(fd, req);
+               if (ret != 0)
+                       return ret;
+
                path = cgroup_ops->get_cgroup(cgroup_ops, req->data);
-       else
+       } else {
                path = cgroup_ops->get_cgroup(cgroup_ops, NULL);
+       }
        if (!path)
                return -1;