In cond_expr_to_cil() when stack_init(&stack) fails, stack is set to
NULL and the execution flow jumps to label "exit". This triggers a call
to stack_pop(stack) which dereferences a NULL pointer in "if (stack->pos
== -1)".
This issue has been found using clang's static analyzer.
Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
---
libsepol/src/module_to_cil.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 308ada4f1381..5c98c29bcf13 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -1363,11 +1363,12 @@ exit:
free(new_val);
free(val1);
free(val2);
- while ((val1 = stack_pop(stack)) != NULL) {
- free(val1);
+ if (stack != NULL) {
+ while ((val1 = stack_pop(stack)) != NULL) {
+ free(val1);
+ }
+ stack_destroy(&stack);
}
- stack_destroy(&stack);
-
return rc;
}
--
2.12.0
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
