diff options
author | Dhaval Giani <dhaval@linux.vnet.ibm.com> | 2009-02-21 07:28:19 +0000 |
---|---|---|
committer | Dhaval Giani <dhaval@linux.vnet.ibm.com> | 2009-02-21 07:28:19 +0000 |
commit | 5ef29f580daf9c8d5e6a8af096fb30b1cf9a3aa5 (patch) | |
tree | 037438e2fbaa1b940d6a9331fcaf4ff636948e8e | |
parent | e23bc23a1dbda8717d3c0bb86c45a3fffa4fd3a0 (diff) | |
download | libcg-5ef29f580daf9c8d5e6a8af096fb30b1cf9a3aa5.tar.gz libcg-5ef29f580daf9c8d5e6a8af096fb30b1cf9a3aa5.tar.xz libcg-5ef29f580daf9c8d5e6a8af096fb30b1cf9a3aa5.zip |
libcgorup: Fix a chown security issue
From: Balbir Singh <balbir@linux.vnet.ibm.com>
Impact: Bug fix causes incorrect chown
This patch fixes a potential security issue, we free path and add
reallocate it using asprintf, but that breaks chown, since that relies on
fts_path[0] and path to point to the same address location.
Please review, comment.
[dhaval@linux.vnet.ibm.com: Fixed the return checks]
Signed-off-by: Balbir Singh <balbir@linux.vnet.ibm.com>
Signed-off-by: Dhaval Giani <dhaval@linux.vnet.ibm.com>
git-svn-id: https://libcg.svn.sourceforge.net/svnroot/libcg/trunk@335 4f4bb910-9a46-0410-90c8-c897d4f1cd53
-rw-r--r-- | api.c | 16 |
1 files changed, 9 insertions, 7 deletions
@@ -1211,18 +1211,21 @@ int cgroup_create_cgroup(struct cgroup *cgroup, int ignore_ownership) goto err; } - if (!ignore_ownership) + if (!ignore_ownership) { + dbg("Changing ownership of %s\n", fts_path[0]); error = cg_chown_recursive(fts_path, cgroup->control_uid, cgroup->control_gid); + } if (error) goto err; for (j = 0; j < cgroup->controller[k]->index; j++) { - free(path); - ret = asprintf(&path, "%s%s", base, + ret = snprintf(path, FILENAME_MAX, "%s%s", base, cgroup->controller[k]->values[j]->name); - if (ret < 0) { + dbg("setting %s to %s, error %d\n", path, + cgroup->controller[k]->values[j]->name, ret); + if (ret < 0 || ret >= FILENAME_MAX) { last_errno = errno; error = ECGOTHER; goto err; @@ -1245,9 +1248,8 @@ int cgroup_create_cgroup(struct cgroup *cgroup, int ignore_ownership) } if (!ignore_ownership) { - free(path); - ret = asprintf(&path, "%s/tasks", base); - if (ret < 0) { + ret = snprintf(path, FILENAME_MAX, "%s/tasks", base); + if (ret < 0 || ret >= FILENAME_MAX) { last_errno = errno; error = ECGOTHER; goto err; |