libsepol/cil: fix memory leak in __cil_fill_expr()

__cil_fill_expr() initializes 'cil_list *sub_expr' but does not destroy it when __cil_fill_expr_helper() fails. This list is therefore leaked when __cil_fill_expr() returns. This occurs when secilc compiles the following policy: (class CLASS (PERM)) (classorder (CLASS)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) (categoryset cats (not (range unknown))) This bug has been found using gcc address sanitizer. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2025-04-25 04:08:02 +00:00 · 2016-10-03 22:46:57 +02:00 · 2016-10-03 22:46:57 +02:00 · ac12826c11
commit ac12826c11
parent 81c9ca5f96
1 changed files with 1 additions and 0 deletions
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@ -2562,6 +2562,7 @@ static int __cil_fill_expr(struct cil_tree_node *current, enum cil_flavor flavor
 		cil_list_init(&sub_expr, flavor);
 		rc = __cil_fill_expr_helper(current->cl_head, flavor, sub_expr, depth);
 		if (rc != SEPOL_OK) {
+			cil_list_destroy(&sub_expr, CIL_TRUE);
 			goto exit;
 		}
 		cil_list_append(expr, CIL_LIST, sub_expr);