api: Fix unsafe call to strncat in cgroup_get_procs() and cgroup_get_threads()

drakenclimber · github-advanced-security[bot] · kamalesh-babulal · commit b62ec89e9ca3 · 2026-01-28T15:20:20.000+05:30
TJH - the text below was autogenerated by Copilot.

In general, when using strncat, the third argument must reflect the
remaining space in the destination buffer minus one byte to keep room
for the terminating NUL. The correct upper bound is therefore
sizeof(dest) - strlen(dest) - 1. This ensures strncat cannot write past
the end of the buffer, even including the terminator it always appends.

For this code, the minimal, behavior-preserving fix is to adjust the
strncat calls that append constant suffixes to cgroup_path.
Specifically:

In cgroup_get_procs, change FILENAME_MAX - strlen(cgroup_path) to
FILENAME_MAX - strlen(cgroup_path) - 1.
In cgroup_get_threads, make the same adjustment.
No other logic needs to change; the functions will still append the same
suffixes, but the maximum number of characters strncat is allowed to
copy will correctly reserve one byte for the NUL terminator. If
cg_build_path already fills nearly the entire buffer, the new limit
prevents overflow and may result in a truncated path; if such truncation
should be handled explicitly, additional error checks on
strlen(cgroup_path) relative to FILENAME_MAX could be added, but that
would go beyond the minimal fix requested.

These changes are all within src/api.c, in the region containing
cgroup_get_procs and cgroup_get_threads, and do not require any new
includes or helper functions.

Co-authored-by: Copilot Autofix powered by AI &lt;62310815+github-advanced-security[bot]@users.noreply.github.com&gt;
Signed-off-by: Tom Hromatka &lt;tom.hromatka@oracle.com&gt;
Signed-off-by: Kamalesh Babulal &lt;kamalesh.babulal@oracle.com&gt;
diff --git a/src/api.c b/src/api.c
@@ -6391,7 +6391,7 @@ int cgroup_get_procs(const char *name, const char *controller, pid_t **pids, int
 	char cgroup_path[FILENAME_MAX];
 
 	cg_build_path(name, cgroup_path, controller);
-	strncat(cgroup_path, "/cgroup.procs", FILENAME_MAX-strlen(cgroup_path));
+	strncat(cgroup_path, "/cgroup.procs", FILENAME_MAX - strlen(cgroup_path) - 1);
 
 	return read_pids(cgroup_path, pids, size);
 }
@@ -6401,7 +6401,7 @@ int cgroup_get_threads(const char *name, const char *controller, pid_t **pids, i
 	char cgroup_path[FILENAME_MAX];
 
 	cg_build_path(name, cgroup_path, controller);
-	strncat(cgroup_path, "/cgroup.threads", FILENAME_MAX-strlen(cgroup_path));
+	strncat(cgroup_path, "/cgroup.threads", FILENAME_MAX - strlen(cgroup_path) - 1);
 
 	return read_pids(cgroup_path, pids, size);
 }

Original file line number	Diff line number	Diff line change
`@@ -6391,7 +6391,7 @@ int cgroup_get_procs(const char name, const char controller, pid_t **pids, int`
`6391`	`6391`	`char cgroup_path[FILENAME_MAX];`
`6392`	`6392`
`6393`	`6393`	`cg_build_path(name, cgroup_path, controller);`
`6394`		`- strncat(cgroup_path, "/cgroup.procs", FILENAME_MAX-strlen(cgroup_path));`
	`6394`	`+ strncat(cgroup_path, "/cgroup.procs", FILENAME_MAX - strlen(cgroup_path) - 1);`
`6395`	`6395`
`6396`	`6396`	`return read_pids(cgroup_path, pids, size);`
`6397`	`6397`	`}`
`@@ -6401,7 +6401,7 @@ int cgroup_get_threads(const char name, const char controller, pid_t **pids, i`
`6401`	`6401`	`char cgroup_path[FILENAME_MAX];`
`6402`	`6402`
`6403`	`6403`	`cg_build_path(name, cgroup_path, controller);`
`6404`		`- strncat(cgroup_path, "/cgroup.threads", FILENAME_MAX-strlen(cgroup_path));`
	`6404`	`+ strncat(cgroup_path, "/cgroup.threads", FILENAME_MAX - strlen(cgroup_path) - 1);`
`6405`	`6405`
`6406`	`6406`	`return read_pids(cgroup_path, pids, size);`
`6407`	`6407`	`}`