procd: jail/cgroups: fix OOB write in cgroups_apply()

Check if any cgroups have been selected and string subtree_control has a
length greater than 0 before reducing its length by 1, preventing to
write outside of the bounds of the array in case no cgroups are
selected.

Fixes: ID: TOB-OWRT-6
Fixes: 16159bb ("jail: parse OCI cgroups resources")
Reported-by: Trail of Bits
Signed-off-by: Daniel Golle <daniel@makrotopia.org>

diff --git a/jail/cgroups.c b/jail/cgroups.c
index 2d3dce4d31acc25b0c4c38643e55928f7743847f..1eb229b5757987bca229c2601930b88e5a85cb32 100644 (file)
--- a/jail/cgroups.c
+++ b/jail/cgroups.c
@@ -164,9 +164,12 @@ void cgroups_apply(pid_t pid)
        if (rdma)
                strcat(subtree_control, "+rdma ");
 
-       /* remove trailing space */
-       ent = strchr(subtree_control, '\0') - 1;
-       *ent = '\0';
+       /* remove trailing space (length is > 0) */
+       ent = strchr(subtree_control, '\0');
+       if (ent > subtree_control) {
+               ent -= 1;
+               *ent = '\0';
+       }
 
        ent = malloc(maxlen);
        if (!ent)