When fuzzing hll/pp inputs, a policy module where the value of
scope->decl_ids_len has been modified to zero makes the program abort
(when it has been compiled without -DNDEBUG).
Change the behavior to report an error message instead. This eases
fuzzing functions like policydb_read().
Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
---
libsepol/src/policydb.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index cdb3cde6b5e2..e36d82f0a1e8 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -3635,7 +3635,10 @@ static int scope_read(policydb_t * p, int symnum, struct policy_file *fp)
goto cleanup;
scope->scope = le32_to_cpu(buf[0]);
scope->decl_ids_len = le32_to_cpu(buf[1]);
- assert(scope->decl_ids_len > 0);
+ if (scope->decl_ids_len == 0) {
+ ERR(fp->handle, "invalid scope with no declaration");
+ goto cleanup;
+ }
if ((scope->decl_ids =
malloc(scope->decl_ids_len * sizeof(uint32_t))) == NULL) {
goto cleanup;
--
2.10.2
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
