From 1b4b4b7f8d4443c3e630838c9b33c9a69fdb6193 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Nikola=20Forr=C3=B3?= <nforro@redhat.com>

Date: Sun, 19 Jun 2016 17:12:01 +0200

Subject: [PATCH] api.c: fix potential buffer overflow

MIME-Version: 1.0

Content-Type: text/plain; charset=UTF-8

Content-Transfer-Encoding: 8bit

It is assumed that arguments read from /proc/<pid>/cmdline don't exceed

buf_pname buffer size, which is FILENAME_MAX - 1 characters, but that's

not always the case.

Add check to prevent buffer overflow and discard the excessive part of

an argument.

Signed-off-by: Nikola Forró <nforro@redhat.com>

---

 src/api.c | 6 +++++-

 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/api.c b/src/api.c

index b40364c..18ce21f 100644

--- a/src/api.c

+++ b/src/api.c

@@ -4055,13 +4055,17 @@ static int cg_get_procname_from_proc_cmdline(pid_t pid,

 	while (c != EOF) {

 		c = fgetc(f);

-		if ((c != EOF) && (c != '\0')) {

+		if ((c != EOF) && (c != '\0') && (len < FILENAME_MAX - 1)) {

 			buf_pname[len] = c;

 			len++;

 			continue;

 		}

 		buf_pname[len] = '\0';

+		if (len == FILENAME_MAX - 1)

+			while ((c != EOF) && (c != '\0'))

+				c = fgetc(f);

+

 		/*

 		 * The taken process name from /proc/<pid>/status is

 		 * shortened to 15 characters if it is over. So the

-- 

2.7.4