RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-02-03 03:12:17 +00:00
Code Issues Packages Projects Releases Wiki Activity

checkpolicy: fix double free on name-based type transitions

Browse Source 
checkpolicy was directly assigning type sets rather than using
type_set_cpy() and therefore creating pointer aliases to the
same type set from multiple filename-based type transition rules
if they specified multiple classes.  This would then yield a double
free when destroying the rules afterward and a segmentation fault.
Fix it to use type_set_cpy().

Reported-by: William C Roberts <william.c.roberts@intel.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley 2015-07-31 08:57:32 -04:00
parent 38feeaddf7
commit a3691b87be
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
checkpolicy/policy_define.c
View File

@ -3315,8 +3315,14 @@ int define_filename_trans(void)
append_filename_trans(ftr);
ftr->name = strdup(name);
ftr->stypes = stypes;
ftr->ttypes = ttypes;
if (type_set_cpy(&ftr->stypes, &stypes)) {
yyerror("out of memory");
goto bad;
}
if (type_set_cpy(&ftr->ttypes, &ttypes)) {
yyerror("out of memory");
goto bad;
}
ftr->tclass = c + 1;
ftr->otype = otype;
}