diff options
| author | Nicolas Iooss <nicolas.iooss@m4x.org> | 2017-05-17 22:51:45 +0200 |
|---|---|---|
| committer | Stephen Smalley <sds@tycho.nsa.gov> | 2017-05-18 08:42:26 -0400 |
| commit | 55fe40ac77b2a419cd9ade9de07e06d31ca18c5c (patch) | |
| tree | 4b85fbb0f277ee180a2fe3ab254a03d54b7c0ce2 /libselinux/src/label_file.c | |
| parent | 58962eb3d847bd4bfd37c6790d13f361bbe543f9 (diff) | |
| download | android_external_selinux-55fe40ac77b2a419cd9ade9de07e06d31ca18c5c.tar.gz android_external_selinux-55fe40ac77b2a419cd9ade9de07e06d31ca18c5c.tar.bz2 android_external_selinux-55fe40ac77b2a419cd9ade9de07e06d31ca18c5c.zip | |
libselinux: rework selabel_subs_init() to avoid use-after-free
In selabel_subs_init(), when digest_add_specfile() fails, the returned
value is a pointer to data which has been freed (because label "err"
frees variable "sub" which is equals to the returned variable, "list").
Moreover since since commit fd56c5230cea ("Separate out the calling of
local subs and dist subs in selabel_sub"), argument "list" of
selabel_subs_init() has always been NULL (rec->subs and rec->dist_subs
are both initialized to NULL in selabel_open() before
selabel_file_init() is called).
Drop selabel_file_init()'s "list" argument and free all the list items
which have been allocated in this function, when the code encounters an
error.
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Diffstat (limited to 'libselinux/src/label_file.c')
| -rw-r--r-- | libselinux/src/label_file.c | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c index 0d4029bb..3ff75903 100644 --- a/libselinux/src/label_file.c +++ b/libselinux/src/label_file.c @@ -589,17 +589,15 @@ static int init(struct selabel_handle *rec, const struct selinux_opt *opts, if (!path) { rec->dist_subs = selabel_subs_init(selinux_file_context_subs_dist_path(), - rec->dist_subs, rec->digest); + rec->digest); rec->subs = selabel_subs_init(selinux_file_context_subs_path(), - rec->subs, rec->digest); + rec->digest); path = selinux_file_context_path(); } else { snprintf(subs_file, sizeof(subs_file), "%s.subs_dist", path); - rec->dist_subs = selabel_subs_init(subs_file, rec->dist_subs, - rec->digest); + rec->dist_subs = selabel_subs_init(subs_file, rec->digest); snprintf(subs_file, sizeof(subs_file), "%s.subs", path); - rec->subs = selabel_subs_init(subs_file, rec->subs, - rec->digest); + rec->subs = selabel_subs_init(subs_file, rec->digest); } #endif |