RepoMirrors
/
selinux
mirror of https://github.com/SELinuxProject/selinux
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

libselinux: label_file: fix memory management in store_stem() 

If store_stem() fails to expand the memory allocated on data->stem_arr,
some things go wrong:
* the memory referenced by "buf" is leaked,
* data->alloc_stems has been increased without data->stem_arr having
  been expanded. So the next time store_stem() is called, the function
  will behave as if the buffer holds enough space, and will write data
  after the end of data->stem_arr.

The first issue is being spotted by clang's static analyzer, which warns
about leaking variable "stem" in find_stem_from_spec() (this function
calls store_stem()).

This both issues by freeing buf when realloc(data->stem_arr) fails, and
by not increasing data->alloc_stems when this happens.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
This commit is contained in:
Nicolas Iooss 2018-04-13 22:34:22 +02:00 committed by William Roberts
parent 3dd5dd8a07
commit c56bb631c4
1 changed files with 6 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libselinux/src/label_file.h
View File

@ -278,12 +278,14 @@ static inline int store_stem(struct saved_data *data, char *buf, int stem_len)
if (data->alloc_stems == num) {
struct stem *tmp_arr;
data->alloc_stems = data->alloc_stems * 2 + 16;
int alloc_stems = data->alloc_stems * 2 + 16;
tmp_arr = realloc(data->stem_arr,
sizeof(*tmp_arr) * data->alloc_stems);
if (!tmp_arr)
sizeof(*tmp_arr) * alloc_stems);
if (!tmp_arr) {
free(buf);
return -1;
}
data->alloc_stems = alloc_stems;
data->stem_arr = tmp_arr;
}
data->stem_arr[num].len = stem_len;