From a3691b87be42006bb8211082762cddc10c94e05e Mon Sep 17 00:00:00 2001
From: Stephen Smalley
Date: Fri, 31 Jul 2015 08:57:32 -0400
Subject: [PATCH] checkpolicy: fix double free on name-based type transitions

checkpolicy was directly assigning type sets rather than using type_set_cpy() and therefore creating pointer aliases to the same type set from multiple filename-based type transition rules if they specified multiple classes. This would then yield a double free when destroying the rules afterward and a segmentation fault. Fix it to use type_set_cpy().

Reported-by: William C Roberts
Signed-off-by: Stephen Smalley
---
 checkpolicy/policy_define.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index da475661..7f32029d 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -3315,8 +3315,14 @@ int define_filename_trans(void)
 append_filename_trans(ftr);
 ftr->name = strdup(name);
- ftr->stypes = stypes;
- ftr->ttypes = ttypes;
+ if (type_set_cpy(&ftr->stypes, &stypes)) {
+ yyerror("out of memory");
+ goto bad;
+ }
+ if (type_set_cpy(&ftr->ttypes, &ttypes)) {
+ yyerror("out of memory");
+ goto bad;
+ }
 ftr->tclass = c + 1;
 ftr->otype = otype;
 }
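Review bot: The `ftr->name = strdup(name);` context line just above the new checks still ignores allocation failure, so a rule with a NULL name can be left on the list while the two `type_set_cpy()` calls beside it are now checked. It should get the same treatment: `if (!ftr->name) { yyerror("out of memory"); goto bad; }`. Separately, because each rule now owns its own copies, the local `stypes` and `ttypes` presumably need a `type_set_destroy()` on both the success path and the `bad` path, otherwise the double free is traded for a leak. The function's cleanup code lies outside this hunk, so that part needs confirming against the full body of `define_filename_trans()`.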