From ec9ac7df45acdde1eaaec75b2e85c6ad22f6c1a6 Mon Sep 17 00:00:00 2001 From: netblue30 Date: Wed, 29 Aug 2018 07:35:28 -0400 Subject: cleanup --- src/firecfg/main.c | 5 +++-- src/firejail/arp.c | 4 ++-- src/firejail/fs_whitelist.c | 8 ++++++-- src/firejail/network.c | 6 +++--- src/firejail/preproc.c | 2 ++ src/firemon/interface.c | 2 +- src/fldd/main.c | 2 +- src/fnet/arp.c | 2 +- src/fnet/interface.c | 16 ++++++++-------- 9 files changed, 27 insertions(+), 20 deletions(-) (limited to 'src') diff --git a/src/firecfg/main.c b/src/firecfg/main.c index 298314d4f..810af6ff2 100644 --- a/src/firecfg/main.c +++ b/src/firecfg/main.c @@ -318,13 +318,14 @@ int main(int argc, char **argv) { // user setup char *user = get_user(); + assert(user); uid_t uid; gid_t gid; char *home = get_homedir(user, &uid, &gid); // check for --bindir - for (i = i; i < argc; i++) { + for (i = 1; i < argc; i++) { if (strncmp(argv[i], "--bindir=", 9) == 0) { if (strncmp(argv[i] + 9, "~/", 2) == 0) { if (asprintf(&arg_bindir, "%s/%s", home, argv[i] + 11) == -1) @@ -430,7 +431,7 @@ int main(int argc, char **argv) { set_links_firecfg(); // add user to firejail access database - only for root - if (user && getuid() == 0) { + if (getuid() == 0) { printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR); firejail_user_add(user); } diff --git a/src/firejail/arp.c b/src/firejail/arp.c index c19cb0a47..288e5ded3 100644 --- a/src/firejail/arp.c +++ b/src/firejail/arp.c @@ -66,7 +66,7 @@ void arp_announce(const char *dev, Bridge *br) { // Find interface MAC address struct ifreq ifr; memset(&ifr, 0, sizeof (ifr)); - strncpy(ifr.ifr_name, dev, IFNAMSIZ); + strncpy(ifr.ifr_name, dev, IFNAMSIZ - 1); if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) errExit("ioctl"); close(sock); @@ -138,7 +138,7 @@ int arp_check(const char *dev, uint32_t destaddr) { // Find interface MAC address struct ifreq ifr; memset(&ifr, 0, sizeof (ifr)); - strncpy(ifr.ifr_name, dev, IFNAMSIZ); + strncpy(ifr.ifr_name, dev, IFNAMSIZ - 1); if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) errExit("ioctl"); close(sock); diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c index e983a071d..8a402f692 100644 --- a/src/firejail/fs_whitelist.c +++ b/src/firejail/fs_whitelist.c @@ -506,14 +506,18 @@ void fs_whitelist(void) { // both path and absolute path are under /home if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) == 0) { // entire home directory is not allowed - if (*(fname + strlen(cfg.homedir)) != '/') + if (*(fname + strlen(cfg.homedir)) != '/') { + free(fname); goto errexit; + } } else { if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) { // check if the file is owned by the user - if (stat(fname, &s) == 0 && s.st_uid != getuid()) + if (stat(fname, &s) == 0 && s.st_uid != getuid()) { + free(fname); goto errexit; + } } } } diff --git a/src/firejail/network.c b/src/firejail/network.c index 7b84854d3..fed7539ca 100644 --- a/src/firejail/network.c +++ b/src/firejail/network.c @@ -78,7 +78,7 @@ int net_get_mtu(const char *ifname) { memset(&ifr, 0, sizeof(ifr)); ifr.ifr_addr.sa_family = AF_INET; - strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0) mtu = ifr.ifr_mtu; if (arg_debug) @@ -106,7 +106,7 @@ void net_set_mtu(const char *ifname, int mtu) { memset(&ifr, 0, sizeof(ifr)); ifr.ifr_addr.sa_family = AF_INET; - strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); ifr.ifr_mtu = mtu; if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) fwarning("cannot set mtu for interface %s\n", ifname); @@ -269,7 +269,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { errExit("socket"); memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c index 9fb4840c6..f519ed85f 100644 --- a/src/firejail/preproc.c +++ b/src/firejail/preproc.c @@ -140,6 +140,8 @@ void preproc_clean_run(void) { if (fp) { int val; if (fscanf(fp, "%d", &val) == 1) { + if (val > 4194304) // this is the max value supported on 64 bit Linux kernels + val = 4194304; if (val >= max_pids) max_pids = val + 1; } diff --git a/src/firemon/interface.c b/src/firemon/interface.c index 71026c7b7..3e0f10d0b 100644 --- a/src/firemon/interface.c +++ b/src/firemon/interface.c @@ -62,7 +62,7 @@ static void net_ifprint(void) { // extract mac address struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, ifa->ifa_name, IFNAMSIZ); + strncpy(ifr.ifr_name, ifa->ifa_name, IFNAMSIZ - 1); int rv = ioctl (fd, SIOCGIFHWADDR, &ifr); if (rv == 0) diff --git a/src/fldd/main.c b/src/fldd/main.c index 4658e82fb..d9adcdcf6 100644 --- a/src/fldd/main.c +++ b/src/fldd/main.c @@ -321,7 +321,7 @@ printf("\n"); // attempt to open the file if (argc == 3) { fd = open(argv[2], O_CREAT | O_TRUNC | O_WRONLY, 0644); - if (!fd) { + if (fd == -1) { fprintf(stderr, "Error fldd: invalid arguments\n"); usage(); exit(1); diff --git a/src/fnet/arp.c b/src/fnet/arp.c index 2b6df6945..794f6c8c8 100644 --- a/src/fnet/arp.c +++ b/src/fnet/arp.c @@ -60,7 +60,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) { errExit("socket"); struct ifreq ifr; memset(&ifr, 0, sizeof (ifr)); - strncpy(ifr.ifr_name, dev, IFNAMSIZ); + strncpy(ifr.ifr_name, dev, IFNAMSIZ - 1); if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0) errExit("ioctl"); close(sock); diff --git a/src/fnet/interface.c b/src/fnet/interface.c index f3e9a8993..283c6d312 100644 --- a/src/fnet/interface.c +++ b/src/fnet/interface.c @@ -58,7 +58,7 @@ void net_bridge_add_interface(const char *bridge, const char *dev) { errExit("socket"); memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, bridge, IFNAMSIZ); + strncpy(ifr.ifr_name, bridge, IFNAMSIZ - 1); #ifdef SIOCBRADDIF ifr.ifr_ifindex = ifindex; err = ioctl(sock, SIOCBRADDIF, &ifr); @@ -90,7 +90,7 @@ void net_if_up(const char *ifname) { // get the existing interface flags struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); ifr.ifr_addr.sa_family = AF_INET; // read the existing flags @@ -135,7 +135,7 @@ int net_get_mtu(const char *ifname) { memset(&ifr, 0, sizeof(ifr)); ifr.ifr_addr.sa_family = AF_INET; - strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0) mtu = ifr.ifr_mtu; close(s); @@ -154,7 +154,7 @@ void net_set_mtu(const char *ifname, int mtu) { memset(&ifr, 0, sizeof(ifr)); ifr.ifr_addr.sa_family = AF_INET; - strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); ifr.ifr_mtu = mtu; if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) { if (!arg_quiet) @@ -238,7 +238,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) { errExit("socket"); memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1) @@ -258,7 +258,7 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) { struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); ifr.ifr_addr.sa_family = AF_INET; ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip); @@ -292,7 +292,7 @@ int net_if_mac(const char *ifname, const unsigned char mac[6]) { errExit("socket"); memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER; memcpy(ifr.ifr_hwaddr.sa_data, mac, 6); @@ -350,7 +350,7 @@ void net_if_ip6(const char *ifname, const char *addr6) { // find interface index struct ifreq ifr; memset(&ifr, 0, sizeof(ifr)); - strncpy(ifr.ifr_name, ifname, IFNAMSIZ); + strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1); ifr.ifr_addr.sa_family = AF_INET; if (ioctl(sock, SIOGIFINDEX, &ifr) < 0) { perror("ioctl SIOGIFINDEX"); -- cgit v1.2.3-54-g00ecf