cleanup

netblue30 · Aug 29, 2018 · ec9ac7d · ec9ac7d
1 parent 88c4986
commit ec9ac7d
Show file tree

Hide file tree

Showing 9 changed files with 27 additions and 20 deletions.
diff --git a/src/firecfg/main.c b/src/firecfg/main.c
@@ -318,13 +318,14 @@ int main(int argc, char **argv) {
 
  // user setup
  char *user = get_user();
+ assert(user);
  uid_t uid;
  gid_t gid;
  char *home = get_homedir(user, &uid, &gid);
 
 
  // check for --bindir
- for (i = i; i < argc; i++) {
+ for (i = 1; i < argc; i++) {
  if (strncmp(argv[i], "--bindir=", 9) == 0) {
  if (strncmp(argv[i] + 9, "~/", 2) == 0) {
  if (asprintf(&arg_bindir, "%s/%s", home, argv[i] + 11) == -1)
@@ -430,7 +431,7 @@ int main(int argc, char **argv) {
  set_links_firecfg();
 
  // add user to firejail access database - only for root
- if (user && getuid() == 0) {
+ if (getuid() == 0) {
  printf("\nAdding user %s to Firejail access database in %s/firejail.users\n", user, SYSCONFDIR);
  firejail_user_add(user);
  }

diff --git a/src/firejail/arp.c b/src/firejail/arp.c
@@ -66,7 +66,7 @@ void arp_announce(const char *dev, Bridge *br) {
  // Find interface MAC address
  struct ifreq ifr;
  memset(&ifr, 0, sizeof (ifr));
- strncpy(ifr.ifr_name, dev, IFNAMSIZ);
+ strncpy(ifr.ifr_name, dev, IFNAMSIZ - 1);
  if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0)
  errExit("ioctl");
  close(sock);
@@ -138,7 +138,7 @@ int arp_check(const char *dev, uint32_t destaddr) {
  // Find interface MAC address
  struct ifreq ifr;
  memset(&ifr, 0, sizeof (ifr));
- strncpy(ifr.ifr_name, dev, IFNAMSIZ);
+ strncpy(ifr.ifr_name, dev, IFNAMSIZ - 1);
  if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0)
  errExit("ioctl");
  close(sock);

diff --git a/src/firejail/fs_whitelist.c b/src/firejail/fs_whitelist.c
@@ -506,14 +506,18 @@ void fs_whitelist(void) {
  // both path and absolute path are under /home
  if (strncmp(fname, cfg.homedir, strlen(cfg.homedir)) == 0) {
  // entire home directory is not allowed
- if (*(fname + strlen(cfg.homedir)) != '/')
+ if (*(fname + strlen(cfg.homedir)) != '/') {
+ free(fname);
  goto errexit;
+ }
  }
  else {
  if (checkcfg(CFG_FOLLOW_SYMLINK_AS_USER)) {
  // check if the file is owned by the user
- if (stat(fname, &s) == 0 && s.st_uid != getuid())
+ if (stat(fname, &s) == 0 && s.st_uid != getuid()) {
+ free(fname);
  goto errexit;
+ }
  }
  }
  }

diff --git a/src/firejail/network.c b/src/firejail/network.c
@@ -78,7 +78,7 @@ int net_get_mtu(const char *ifname) {
 
  memset(&ifr, 0, sizeof(ifr));
  ifr.ifr_addr.sa_family = AF_INET;
- strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
  if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0)
  mtu = ifr.ifr_mtu;
  if (arg_debug)
@@ -106,7 +106,7 @@ void net_set_mtu(const char *ifname, int mtu) {
 
  memset(&ifr, 0, sizeof(ifr));
  ifr.ifr_addr.sa_family = AF_INET;
- strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
  ifr.ifr_mtu = mtu;
  if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0)
  fwarning("cannot set mtu for interface %s\n", ifname);
@@ -269,7 +269,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) {
  errExit("socket");
 
  memset(&ifr, 0, sizeof(ifr));
- strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
  ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER;
 
  if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1)

diff --git a/src/firejail/preproc.c b/src/firejail/preproc.c
@@ -140,6 +140,8 @@ void preproc_clean_run(void) {
  if (fp) {
  int val;
  if (fscanf(fp, "%d", &val) == 1) {
+ if (val > 4194304) // this is the max value supported on 64 bit Linux kernels
+ val = 4194304;
  if (val >= max_pids)
  max_pids = val + 1;
  }

diff --git a/src/firemon/interface.c b/src/firemon/interface.c
@@ -62,7 +62,7 @@ static void net_ifprint(void) {
  // extract mac address
  struct ifreq ifr;
  memset(&ifr, 0, sizeof(ifr));
- strncpy(ifr.ifr_name, ifa->ifa_name, IFNAMSIZ);
+ strncpy(ifr.ifr_name, ifa->ifa_name, IFNAMSIZ - 1);
  int rv = ioctl (fd, SIOCGIFHWADDR, &ifr);
 
  if (rv == 0)

diff --git a/src/fldd/main.c b/src/fldd/main.c
@@ -321,7 +321,7 @@ printf("\n");
  // attempt to open the file
  if (argc == 3) {
  fd = open(argv[2], O_CREAT | O_TRUNC | O_WRONLY, 0644);
- if (!fd) {
+ if (fd == -1) {
  fprintf(stderr, "Error fldd: invalid arguments\n");
  usage();
  exit(1);

diff --git a/src/fnet/arp.c b/src/fnet/arp.c
@@ -60,7 +60,7 @@ void arp_scan(const char *dev, uint32_t ifip, uint32_t ifmask) {
  errExit("socket");
  struct ifreq ifr;
  memset(&ifr, 0, sizeof (ifr));
- strncpy(ifr.ifr_name, dev, IFNAMSIZ);
+ strncpy(ifr.ifr_name, dev, IFNAMSIZ - 1);
  if (ioctl(sock, SIOCGIFHWADDR, &ifr) < 0)
  errExit("ioctl");
  close(sock);

diff --git a/src/fnet/interface.c b/src/fnet/interface.c
@@ -58,7 +58,7 @@ void net_bridge_add_interface(const char *bridge, const char *dev) {
  errExit("socket");
 
  memset(&ifr, 0, sizeof(ifr));
- strncpy(ifr.ifr_name, bridge, IFNAMSIZ);
+ strncpy(ifr.ifr_name, bridge, IFNAMSIZ - 1);
 #ifdef SIOCBRADDIF
  ifr.ifr_ifindex = ifindex;
  err = ioctl(sock, SIOCBRADDIF, &ifr);
@@ -90,7 +90,7 @@ void net_if_up(const char *ifname) {
  // get the existing interface flags
  struct ifreq ifr;
  memset(&ifr, 0, sizeof(ifr));
- strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
  ifr.ifr_addr.sa_family = AF_INET;
 
  // read the existing flags
@@ -135,7 +135,7 @@ int net_get_mtu(const char *ifname) {
 
  memset(&ifr, 0, sizeof(ifr));
  ifr.ifr_addr.sa_family = AF_INET;
- strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
  if (ioctl(s, SIOCGIFMTU, (caddr_t)&ifr) == 0)
  mtu = ifr.ifr_mtu;
  close(s);
@@ -154,7 +154,7 @@ void net_set_mtu(const char *ifname, int mtu) {
 
  memset(&ifr, 0, sizeof(ifr));
  ifr.ifr_addr.sa_family = AF_INET;
- strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
  ifr.ifr_mtu = mtu;
  if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0) {
  if (!arg_quiet)
@@ -238,7 +238,7 @@ int net_get_mac(const char *ifname, unsigned char mac[6]) {
  errExit("socket");
 
  memset(&ifr, 0, sizeof(ifr));
- strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
  ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER;
 
  if (ioctl(sock, SIOCGIFHWADDR, &ifr) == -1)
@@ -258,7 +258,7 @@ void net_if_ip(const char *ifname, uint32_t ip, uint32_t mask, int mtu) {
 
  struct ifreq ifr;
  memset(&ifr, 0, sizeof(ifr));
- strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
  ifr.ifr_addr.sa_family = AF_INET;
 
  ((struct sockaddr_in *)&ifr.ifr_addr)->sin_addr.s_addr = htonl(ip);
@@ -292,7 +292,7 @@ int net_if_mac(const char *ifname, const unsigned char mac[6]) {
  errExit("socket");
 
  memset(&ifr, 0, sizeof(ifr));
- strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
  ifr.ifr_hwaddr.sa_family = ARPHRD_ETHER;
  memcpy(ifr.ifr_hwaddr.sa_data, mac, 6);
 
@@ -350,7 +350,7 @@ void net_if_ip6(const char *ifname, const char *addr6) {
  // find interface index
  struct ifreq ifr;
  memset(&ifr, 0, sizeof(ifr));
- strncpy(ifr.ifr_name, ifname, IFNAMSIZ);
+ strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
  ifr.ifr_addr.sa_family = AF_INET;
  if (ioctl(sock, SIOGIFINDEX, &ifr) < 0) {
  perror("ioctl SIOGIFINDEX");