RepoMirrors/selinux
1
0
Fork 0
mirror of https://github.com/SELinuxProject/selinux synced 2025-04-04 23:49:19 +00:00
Code Issues Packages Projects Releases Wiki Activity

libsepol: sepol_{bool|iface|user}_key_create: copy name

Browse Source 
The sepol_{bool|iface|user}_key_create() functions were not
copying the name.  This produces a use-after-free in the
swig-generated code for python3 bindings.  Copy the name
in these functions, and free it upon sepol_{bool|iface|user}_key_free().

Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
This commit is contained in:
Stephen Smalley 2016-11-08 10:46:14 -05:00
parent 5e911ee825
commit eac6f1f1b5
3 changed files with 24 additions and 6 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
libsepol/src/boolean_record.c
View File

@ -15,7 +15,7 @@ struct sepol_bool {
struct sepol_bool_key { struct sepol_bool_key {
/* This boolean's name */ /* This boolean's name */
const char *name; char *name;
}; };
int sepol_bool_key_create(sepol_handle_t * handle, int sepol_bool_key_create(sepol_handle_t * handle,
@ -30,7 +30,12 @@ int sepol_bool_key_create(sepol_handle_t * handle,
return STATUS_ERR; return STATUS_ERR;
} }
tmp_key->name = name; tmp_key->name = strdup(name);
if (!tmp_key->name) {
ERR(handle, "out of memory, " "could not create boolean key");
free(tmp_key);
return STATUS_ERR;
}
*key_ptr = tmp_key; *key_ptr = tmp_key;
return STATUS_SUCCESS; return STATUS_SUCCESS;
@ -62,6 +67,7 @@ int sepol_bool_key_extract(sepol_handle_t * handle,
void sepol_bool_key_free(sepol_bool_key_t * key) void sepol_bool_key_free(sepol_bool_key_t * key)
{ {
free(key->name);
free(key); free(key);
} }

10
libsepol/src/iface_record.c
View File

@ -20,7 +20,7 @@ struct sepol_iface {
struct sepol_iface_key { struct sepol_iface_key {
/* Interface name */ /* Interface name */
const char *name; char *name;
}; };
/* Key */ /* Key */
@ -36,7 +36,12 @@ int sepol_iface_key_create(sepol_handle_t * handle,
return STATUS_ERR; return STATUS_ERR;
} }
tmp_key->name = name; tmp_key->name = strdup(name);
if (!tmp_key->name) {
ERR(handle, "out of memory, could not create interface key");
free(tmp_key);
return STATUS_ERR;
}
*key_ptr = tmp_key; *key_ptr = tmp_key;
return STATUS_SUCCESS; return STATUS_SUCCESS;
@ -68,6 +73,7 @@ int sepol_iface_key_extract(sepol_handle_t * handle,
void sepol_iface_key_free(sepol_iface_key_t * key) void sepol_iface_key_free(sepol_iface_key_t * key)
{ {
free(key->name);
free(key); free(key);
} }

10
libsepol/src/user_record.c
View File

@ -24,7 +24,7 @@ struct sepol_user {
struct sepol_user_key { struct sepol_user_key {
/* This user's name */ /* This user's name */
const char *name; char *name;
}; };
int sepol_user_key_create(sepol_handle_t * handle, int sepol_user_key_create(sepol_handle_t * handle,
@ -40,7 +40,12 @@ int sepol_user_key_create(sepol_handle_t * handle,
return STATUS_ERR; return STATUS_ERR;
} }
tmp_key->name = name; tmp_key->name = strdup(name);
if (!tmp_key->name) {
ERR(handle, "out of memory, could not create selinux user key");
free(tmp_key);
return STATUS_ERR;
}
*key_ptr = tmp_key; *key_ptr = tmp_key;
return STATUS_SUCCESS; return STATUS_SUCCESS;
@ -71,6 +76,7 @@ int sepol_user_key_extract(sepol_handle_t * handle,
void sepol_user_key_free(sepol_user_key_t * key) void sepol_user_key_free(sepol_user_key_t * key)
{ {
free(key->name);
free(key); free(key);
} }