libsepol: fix use-after-free in sepol_user_clone()
When sepol_user_add_role() fails to allocate memory for role_cp but succeeds in reallocating user->roles memory, it frees this reallocated memory, thus leaving user->roles referencing a freed memory block. When sepol_user_clone() then calls sepol_user_free(new_user) because the allocation failure made sepol_user_add_role() fail, the following code is executed: for (i = 0; i < user->num_roles; i++) free(user->roles[i]); free(user->roles); As user->roles has already been freed, this code frees pointers which may be invalid and then frees user->roles a second time. Fix this flaw by returning right after strdup() fails in sepol_user_add_role(), before user->roles is touched. This issue has been found using clang's static analyzer. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This commit is contained in:
parent
b6579d262e
commit
b251dbba98
@ -178,16 +178,18 @@ int sepol_user_add_role(sepol_handle_t * handle,
|
||||
{
|
||||
|
||||
char *role_cp;
|
||||
char **roles_realloc;
|
||||
char **roles_realloc = NULL;
|
||||
|
||||
if (sepol_user_has_role(user, role))
|
||||
return STATUS_SUCCESS;
|
||||
|
||||
role_cp = strdup(role);
|
||||
if (!role_cp)
|
||||
goto omem;
|
||||
|
||||
roles_realloc = realloc(user->roles,
|
||||
sizeof(char *) * (user->num_roles + 1));
|
||||
|
||||
if (!role_cp || !roles_realloc)
|
||||
if (!roles_realloc)
|
||||
goto omem;
|
||||
|
||||
user->num_roles++;
|
||||
|
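Review bot: The new `char **roles_realloc = NULL;` initializer is load-bearing and deserves a comment, because the added `if (!role_cp) goto omem;` now jumps to the cleanup label before realloc() has assigned `roles_realloc`, and the `omem` path (outside this hunk) presumably calls free() on it; without the NULL an uninitialized pointer would be freed. I would annotate the declaration with `/* NULL so the omem cleanup can free() it after an early strdup() failure */`. The reordering is otherwise sound: a failed strdup() returns before `user->roles` is passed to realloc(), and a failed realloc() leaves the original `user->roles` block and `num_roles` untouched, which is what sepol_user_free() needs when the caller tears the record down. The enclosing sepol_user_add_role() body, including the `omem` label, continues past the end of the hunk, so the free() calls there should be checked against this reading.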