From 340da085a51612ba6c08d1334f8fc88d07441235 Mon Sep 17 00:00:00 2001 From: Nicolas Iooss Date: Fri, 20 Sep 2019 07:59:54 +0200 Subject: [PATCH] libselinux: ensure strlen() is not called on NULL When compile_regex() calls regex_prepare_data() and this function fails in the following condition: *regex = regex_data_create(); if (!(*regex)) return -1; ... error_data has been zero-ed and compile_regex() calls: regex_format_error(&error_data, regex_error_format_buffer, sizeof(regex_error_format_buffer)); This leads to a call to strlen(error_data->error_buffer), where error_data->error_buffer is NULL. Avoid this by checking that error_data->error_buffer is not NULL before trying to format it. This issue has been found using clang's static analyzer: https://337-118970575-gh.circle-artifacts.com/0/output-scan-build/2019-09-01-181851-6152-1/report-0b122b.html#EndPath Signed-off-by: Nicolas Iooss --- libselinux/src/regex.c | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/libselinux/src/regex.c b/libselinux/src/regex.c index a6fcbbfe..c835dd1b 100644 --- a/libselinux/src/regex.c +++ b/libselinux/src/regex.c @@ -519,6 +519,29 @@ void regex_format_error(struct regex_error_data const *error_data, char *buffer, if (pos >= buf_size) goto truncated; + /* Return early if there is no error to format */ +#ifdef USE_PCRE2 + if (!error_data->error_code) { + rc = snprintf(buffer + pos, buf_size - pos, "no error code"); + if (rc < 0) + abort(); + pos += rc; + if (pos >= buf_size) + goto truncated; + return; + } +#else + if (!error_data->error_buffer) { + rc = snprintf(buffer + pos, buf_size - pos, "empty error"); + if (rc < 0) + abort(); + pos += rc; + if (pos >= buf_size) + goto truncated; + return; + } +#endif + if (error_data->error_offset > 0) { #ifdef USE_PCRE2 rc = snprintf(buffer + pos, buf_size - pos, "At offset %zu: ",