chroot_realpath and tests: Replace sprintf with snprintf for security #1885
+11
−7
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Reviewer's guide (collapsed on small PRs)Reviewer's GuideReplace all unsafe sprintf calls with snprintf using fixed buffer limits (sizeof buffers or PATH_MAX) across test initialization, fuzzer ID generation, and core chroot_realpath logic to mitigate potential buffer overflow vulnerabilities. File-Level Changes
Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
There was a problem hiding this comment.
Hey there - I've reviewed your changes - here's some feedback:
- In chroot_realpath.c, consider replacing the hard-coded PATH_MAX with sizeof(resolved_path) or an explicit bufsize parameter to ensure snprintf’s size matches the actual buffer length.
- The change to the HF_ITER extern declaration in tests_libcrun_fuzzer.c looks like an unrelated formatting tweak—please revert or separate it into its own PR to keep the snprintf changes focused.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In chroot_realpath.c, consider replacing the hard-coded PATH_MAX with sizeof(resolved_path) or an explicit bufsize parameter to ensure snprintf’s size matches the actual buffer length.
- The change to the HF_ITER extern declaration in tests_libcrun_fuzzer.c looks like an unrelated formatting tweak—please revert or separate it into its own PR to keep the snprintf changes focused.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
|
Ephemeral COPR build failed. @containers/packit-build please check. |
kolyshkin
reviewed
Sep 27, 2025
kolyshkin
reviewed
Sep 27, 2025
tests/tests_libcrun_fuzzer.c
Outdated
| } | ||
| #ifdef FUZZER | ||
| extern void HF_ITER (uint8_t **buf, size_t *len); | ||
| extern void HF_ITER (uint8_t * *buf, size_t * len); |
kolyshkin
reviewed
Sep 27, 2025
tests/init.c
Outdated
| { | ||
| /* change one page each 0.1 seconds */ | ||
| nanosleep ((const struct timespec[]) { { 0, 100000000L } }, NULL); | ||
| nanosleep ((const struct timespec[]){ { 0, 100000000L } }, NULL); |
kolyshkin
reviewed
Sep 27, 2025
osamakader
force-pushed
the
sprintf-to-snprintf
branch
2 times, most recently
from
b302be8 to
11a40b1
Compare
There was a problem hiding this comment.
Hey there - I've reviewed your changes - here's some feedback:
- In chroot_realpath, verify snprintf’s return value to detect and handle any potential buffer truncation instead of assuming full writes.
- Prefer using sizeof(resolved_path) (the actual buffer length) instead of hardcoded PATH_MAX to keep snprintf size in sync with the buffer.
Prompt for AI Agents
Please address the comments from this code review:
## Overall Comments
- In chroot_realpath, verify snprintf’s return value to detect and handle any potential buffer truncation instead of assuming full writes.
- Prefer using sizeof(resolved_path) (the actual buffer length) instead of hardcoded PATH_MAX to keep snprintf size in sync with the buffer.Help me be more useful! Please click 👍 or 👎 on each comment and I'll use the feedback to improve your reviews.
|
@kolyshkin I forgot to rebase the commits, now should be ok. Please re-review. |
osamakader
changed the title
Replace sprintf with snprintf to prevent buffer overflows in chroot_realpath.c. This follows the security hardening mentioned in NEWS.md where sprintf was replaced with safer alternatives. The function uses PATH_MAX as the buffer size since sizeof on array function parameters returns the pointer size, not the actual buffer size. Signed-off-by: Osama Abdelkader <[email protected]>
Replace sprintf with snprintf in test files to prevent buffer overflows. This follows the security hardening mentioned in NEWS.md where sprintf was replaced with safer alternatives. Changes made: - tests/init.c: Replace sprintf with snprintf for proc paths - tests/tests_libcrun_fuzzer.c: Replace sprintf with snprintf for ID generation Signed-off-by: Osama Abdelkader <[email protected]>
osamakader
force-pushed
the
sprintf-to-snprintf
branch
from
11a40b1 to
ccbf0d9
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Replace all instances of sprintf with snprintf to prevent buffer overflows. This follows the security hardening mentioned in NEWS.md where sprintf was replaced with safer alternatives.
Changes made:
All changes use appropriate buffer size limits to prevent overflow.
Summary by Sourcery
Harden string formatting across the project by replacing unsafe sprintf calls with bounded snprintf usages and explicit buffer size limits to prevent buffer overflows in both test code and core functionality.
Enhancements: