diff --git a/src/basic/namespace-util.c b/src/basic/namespace-util.c index 74c3ca0421..a55b76df97 100644 --- a/src/basic/namespace-util.c +++ b/src/basic/namespace-util.c @@ -10,6 +10,7 @@ #include "namespace-util.h" #include "process-util.h" #include "stat-util.h" +#include "stdio-util.h" #include "user-util.h" int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *netns_fd, int *userns_fd, int *root_fd) { @@ -82,15 +83,14 @@ int namespace_open(pid_t pid, int *pidns_fd, int *mntns_fd, int *netns_fd, int * } int namespace_enter(int pidns_fd, int mntns_fd, int netns_fd, int userns_fd, int root_fd) { - if (userns_fd >= 0) { - /* Can't setns to your own userns, since then you could - * escalate from non-root to root in your own namespace, so - * check if namespaces equal before attempting to enter. */ - _cleanup_free_ char *userns_fd_path = NULL; - int r; - if (asprintf(&userns_fd_path, "/proc/self/fd/%d", userns_fd) < 0) - return -ENOMEM; + int r; + if (userns_fd >= 0) { + /* Can't setns to your own userns, since then you could escalate from non-root to root in + * your own namespace, so check if namespaces are equal before attempting to enter. */ + + char userns_fd_path[STRLEN("/proc/self/fd/") + DECIMAL_STR_MAX(int)]; + xsprintf(userns_fd_path, "/proc/self/fd/%d", userns_fd); r = files_same(userns_fd_path, "/proc/self/ns/user", 0); if (r < 0) return r; diff --git a/src/basic/os-util.c b/src/basic/os-util.c index 3d199f028d..51c685bc6a 100644 --- a/src/basic/os-util.c +++ b/src/basic/os-util.c @@ -65,15 +65,15 @@ int open_extension_release(const char *root, const char *extension, char **ret_p extension_full_path = strjoina("/usr/lib/extension-release.d/extension-release.", extension); r = chase_symlinks(extension_full_path, root, CHASE_PREFIX_ROOT, - ret_path ? &q : NULL, - ret_fd ? &fd : NULL); + ret_path ? &q : NULL, + ret_fd ? &fd : NULL); } else { const char *p; FOREACH_STRING(p, "/etc/os-release", "/usr/lib/os-release") { r = chase_symlinks(p, root, CHASE_PREFIX_ROOT, - ret_path ? &q : NULL, - ret_fd ? &fd : NULL); + ret_path ? &q : NULL, + ret_fd ? &fd : NULL); if (r != -ENOENT) break; } @@ -116,10 +116,9 @@ int fopen_extension_release(const char *root, const char *extension, char **ret_ if (!f) return -errno; - *ret_file = f; - if (ret_path) *ret_path = TAKE_PTR(p); + *ret_file = f; return 0; } diff --git a/src/core/socket.c b/src/core/socket.c index 2aba8bff1c..016986401b 100644 --- a/src/core/socket.c +++ b/src/core/socket.c @@ -1555,7 +1555,7 @@ static int socket_address_listen_in_cgroup( if (s->exec_context.ipc_namespace_path && s->exec_runtime && s->exec_runtime->ipcns_storage_socket[0] >= 0) { - r = open_shareable_ns_path(s->exec_runtime->netns_storage_socket, s->exec_context.network_namespace_path, CLONE_NEWIPC); + r = open_shareable_ns_path(s->exec_runtime->ipcns_storage_socket, s->exec_context.ipc_namespace_path, CLONE_NEWIPC); if (r < 0) return log_unit_error_errno(UNIT(s), r, "Failed to open IPC namespace path %s: %m", s->exec_context.ipc_namespace_path); } diff --git a/src/journal-remote/journal-gatewayd.c b/src/journal-remote/journal-gatewayd.c index bd1edb1797..86df022b64 100644 --- a/src/journal-remote/journal-gatewayd.c +++ b/src/journal-remote/journal-gatewayd.c @@ -501,7 +501,9 @@ static int request_handler_entries( if (!response) return respond_oom(connection); - MHD_add_response_header(response, "Content-Type", mime_types[m->mode]); + if (MHD_add_response_header(response, "Content-Type", mime_types[m->mode]) == MHD_NO) + return respond_oom(connection); + return MHD_queue_response(connection, MHD_HTTP_OK, response); } @@ -629,7 +631,9 @@ static int request_handler_fields( if (!response) return respond_oom(connection); - MHD_add_response_header(response, "Content-Type", mime_types[m->mode == OUTPUT_JSON ? OUTPUT_JSON : OUTPUT_SHORT]); + if (MHD_add_response_header(response, "Content-Type", mime_types[m->mode == OUTPUT_JSON ? OUTPUT_JSON : OUTPUT_SHORT]) == MHD_NO) + return respond_oom(connection); + return MHD_queue_response(connection, MHD_HTTP_OK, response); } @@ -652,8 +656,10 @@ static int request_handler_redirect( return respond_oom(connection); } - MHD_add_response_header(response, "Content-Type", "text/html"); - MHD_add_response_header(response, "Location", target); + if (MHD_add_response_header(response, "Content-Type", "text/html") == MHD_NO || + MHD_add_response_header(response, "Location", target) == MHD_NO) + return respond_oom(connection); + return MHD_queue_response(connection, MHD_HTTP_MOVED_PERMANENTLY, response); } @@ -682,7 +688,9 @@ static int request_handler_file( return respond_oom(connection); TAKE_FD(fd); - MHD_add_response_header(response, "Content-Type", mime_type); + if (MHD_add_response_header(response, "Content-Type", mime_type) == MHD_NO) + return respond_oom(connection); + return MHD_queue_response(connection, MHD_HTTP_OK, response); } @@ -783,7 +791,9 @@ static int request_handler_machine( return respond_oom(connection); TAKE_PTR(json); - MHD_add_response_header(response, "Content-Type", "application/json"); + if (MHD_add_response_header(response, "Content-Type", "application/json") == MHD_NO) + return respond_oom(connection); + return MHD_queue_response(connection, MHD_HTTP_OK, response); } diff --git a/src/journal-remote/microhttpd-util.c b/src/journal-remote/microhttpd-util.c index d3fb0b8b19..e6a8254491 100644 --- a/src/journal-remote/microhttpd-util.c +++ b/src/journal-remote/microhttpd-util.c @@ -39,7 +39,8 @@ static int mhd_respond_internal(struct MHD_Connection *connection, return MHD_NO; log_debug("Queueing response %u: %s", code, buffer); - MHD_add_response_header(response, "Content-Type", "text/plain"); + if (MHD_add_response_header(response, "Content-Type", "text/plain") == MHD_NO) + return MHD_NO; return MHD_queue_response(connection, code, response); } diff --git a/test/units/testsuite-15.sh b/test/units/testsuite-15.sh index bf6a5c7a87..23a39bf090 100755 --- a/test/units/testsuite-15.sh +++ b/test/units/testsuite-15.sh @@ -144,7 +144,8 @@ test_linked_units () { check_ok test15-a Names test15-a.service check_ok test15-a Names test15-b.service - check_ko test15-a Names test15-b@ + check_ko test15-a Names test15-a@ # test15-a@.scope is the symlink target. + # Make sure it is completely ignored. rm /test15-a@.scope clear_services test15-a test15-b