[PATCH 3/5] libsepol: do not crash when block->branch_list is NULL

When fuzzing hll/pp, the fuzzer created a policy module with a block
which has no declaration. With block->branch_list = NULL,
typealias_list_create() triggered a NULL pointer dereference when
computing max_decl_id.

Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
---
 libsepol/src/module_to_cil.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 1c2c51c614ab..51a478434805 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -374,7 +374,7 @@ static int typealias_list_create(struct policydb *pdb)
 
 	for (block = pdb->global; block != NULL; block = block->next) {
 		decl = block->branch_list;
-		if (decl->decl_id > max_decl_id) {
+		if (decl != NULL && decl->decl_id > max_decl_id) {
 			max_decl_id = decl->decl_id;
 		}
 	}
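
Review bot: The new `decl != NULL` test in the `for` loop of typealias_list_create() makes a block with no declaration get silently skipped when computing max_decl_id, and the commit message does not say whether such a block is a valid module or malformed input. If it is malformed, returning an error here (or rejecting the module where it is read) would be safer than continuing the conversion, because any later code that reads block->branch_list for the same block would need its own NULL check. If it is valid, a short comment above the test stating that a block may have an empty branch_list would help the next reader.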
-- 
2.10.2
