libsepol/cil: do not leak left-hand side of an invalid constraint

__cil_fill_constraint_expr() does not destroy the list associated with
the first operand of a two-operand operation when the second operand is
invalid.

This memory leak can be reproduced with the following policy:

    (constrain (files (read))
        (not (or (and (eq t1 exec_t) (%q t2 bin_t)) (eq r1 r2))))

This memory leak has been found by running clang's Address Sanitizer on
a set of policies generated from secilc/test/policy.cil by American
Fuzzy Lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
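The ownership rule the fix restores (when a two-operand node fails to build its right operand, the caller must free the already-built left operand) can be shown with a small constructed model of the same recursive builder. This is an added illustration, not libsepol code: `struct tnode`, `struct expr`, `fill_expr()` and the `live_allocs` counter are all assumptions of this example, and the `fixed` flag only exists to compare the leaking and the corrected error path side by side.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model of a parsed CIL constraint tree (not libsepol's). */
struct tnode {
    const char *op;             /* "and", "or", "not", "eq", "neq", or an invalid token */
    const struct tnode *l;
    const struct tnode *r;
};

/* Result node; each one is a heap allocation that must be freed. */
struct expr {
    const char *op;
    struct expr *l, *r;
};

static int live_allocs;  /* number of expr nodes currently allocated */

static void expr_destroy(struct expr *e) {
    if (!e) return;
    expr_destroy(e->l);
    expr_destroy(e->r);
    free(e);
    live_allocs--;
}

static struct expr *expr_new(const char *op) {
    struct expr *e = calloc(1, sizeof *e);
    if (e) { e->op = op; live_allocs++; }
    return e;
}

/* Returns 0 and stores the built expression in *out, or -1 with *out == NULL.
 * A callee that fails never leaves anything allocated; the caller is
 * responsible for sibling operands it has already built. With fixed == 0
 * the two-operand case skips that cleanup, reproducing the original leak. */
static int fill_expr(const struct tnode *n, struct expr **out, int fixed) {
    struct expr *lexpr = NULL, *rexpr = NULL;
    *out = NULL;
    if (!strcmp(n->op, "eq") || !strcmp(n->op, "neq")) {
        *out = expr_new(n->op);
        return *out ? 0 : -1;
    }
    if (!strcmp(n->op, "not")) {
        if (fill_expr(n->l, &lexpr, fixed) != 0) return -1;
        *out = expr_new(n->op);
        if (!*out) { expr_destroy(lexpr); return -1; }
        (*out)->l = lexpr;
        return 0;
    }
    if (!strcmp(n->op, "and") || !strcmp(n->op, "or")) {
        if (fill_expr(n->l, &lexpr, fixed) != 0) return -1;
        if (fill_expr(n->r, &rexpr, fixed) != 0) {
            if (fixed) expr_destroy(lexpr);  /* the cleanup the commit adds */
            return -1;                       /* without it, lexpr leaks */
        }
        *out = expr_new(n->op);
        if (!*out) { expr_destroy(lexpr); expr_destroy(rexpr); return -1; }
        (*out)->l = lexpr;
        (*out)->r = rexpr;
        return 0;
    }
    return -1;  /* unknown operator, e.g. "%q" from the reproducer */
}

/* Builds the reproducer tree from the commit message and returns how many
 * expr nodes are still allocated after the (expected) failure. */
int leaked_after_failure(int fixed) {
    static const struct tnode eq1  = { "eq",  NULL,  NULL };  /* (eq t1 exec_t) */
    static const struct tnode bad  = { "%q",  NULL,  NULL };  /* (%q t2 bin_t): invalid */
    static const struct tnode eq2  = { "eq",  NULL,  NULL };  /* (eq r1 r2) */
    static const struct tnode and_ = { "and", &eq1,  &bad };
    static const struct tnode or_  = { "or",  &and_, &eq2 };
    static const struct tnode not_ = { "not", &or_,  NULL };
    struct expr *e = NULL;
    live_allocs = 0;
    if (fill_expr(&not_, &e, fixed) == 0) {
        expr_destroy(e);   /* should not happen: the policy is invalid */
        return -1;
    }
    return live_allocs;
}

int main(void) {
    printf("nodes leaked without the fix: %d\n", leaked_after_failure(0));
    printf("nodes leaked with the fix:    %d\n", leaked_after_failure(1));
    return 0;
}
```

With the flag cleared the left `(eq t1 exec_t)` node survives the failure of `(%q t2 bin_t)`, which is exactly the allocation the sanitizer reported; with the flag set the count returns to zero.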
Nicolas Iooss 2017-02-19 11:30:57 +01:00 committed by James Carter
parent 602385d70c
commit 9feaf0380d


@ -2753,6 +2753,7 @@ static int __cil_fill_constraint_expr(struct cil_tree_node *current, enum cil_fl
}
rc = __cil_fill_constraint_expr(current->next->next->cl_head, flavor, &rexpr, depth);
if (rc != SEPOL_OK) {
cil_list_destroy(&lexpr, CIL_TRUE);
goto exit;
}
cil_list_init(expr, flavor);
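Review bot: the added `cil_list_destroy(&lexpr, CIL_TRUE);` in the error path of the second recursive call is correct, but it relies on an ownership convention the surrounding code does not spell out: the failing callee leaves nothing in `rexpr`, while the caller is responsible for the sibling operand it already built. A one-line comment above the `if (rc != SEPOL_OK)` would make that explicit for the next reader, e.g. `/* the failed call cleaned up rexpr; free our own left operand */`. If any other `goto exit` sits between the first recursive call and this one, it needs the same `cil_list_destroy(&lexpr, CIL_TRUE)`, otherwise the leak this commit fixes remains on that path.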