genfs_read: fix use heap-use-after-free

The newc variable is calloc'd and assigned to a new
owner during a loop. After the first assignment of newc
to newgenfs->head, the subsequent iteration could fail
before the newc is reseated with a new heap allocation
pointer. When the subsequent iteration fails, the
newc variable is freed. Later, an attempt is made to
free the same pointer assigned to newgenfs->head.

To correct this, clear newc after every loop iteration.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
William Roberts 2016-08-16 10:28:34 -07:00 committed by James Carter
parent 33de30a284
commit 305986f58c
1 changed files with 2 additions and 0 deletions

@ -2812,6 +2812,8 @@ static int genfs_read(policydb_t * p, struct policy_file *fp)
l->next = newc;
else
newgenfs->head = newc;
/* clear newc after a new owner has the pointer */
newc = NULL;
}
}
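
Review bot: the `newc = NULL;` reset after the `if`/`else` only makes the failure path safe if that path tolerates a NULL `newc`. The cleanup code is outside this hunk, so please confirm it checks `newc` before touching any of its members rather than only handing it to `free()`. The placement after the `if`/`else` is right, since it covers both the `l->next = newc` and the `newgenfs->head = newc` transfers with one statement. If `newgenfs` is handed over to a list owner in the same way elsewhere in `genfs_read`, it deserves the same clear-after-transfer treatment so the two pointers follow one ownership rule.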