On 03/28/2017 05:41 PM, Nicolas Iooss wrote:
In cond_expr_to_cil() when stack_init(&stack) fails, stack is set to NULL and the execution flow jumps to label "exit". This triggers a call to stack_pop(stack) which dereferences a NULL pointer in "if (stack->pos == -1)". This issue has been found using clang's static analyzer. Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
I applied these seven patches. Thanks, Jim
--- libsepol/src/module_to_cil.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c index 308ada4f1381..5c98c29bcf13 100644 --- a/libsepol/src/module_to_cil.c +++ b/libsepol/src/module_to_cil.c @@ -1363,11 +1363,12 @@ exit: free(new_val); free(val1); free(val2); - while ((val1 = stack_pop(stack)) != NULL) { - free(val1); + if (stack != NULL) { + while ((val1 = stack_pop(stack)) != NULL) { + free(val1); + } + stack_destroy(&stack); } - stack_destroy(&stack); - return rc; }
-- James Carter <jwcart2@xxxxxxxxxxxxx> National Security Agency _______________________________________________ Selinux mailing list Selinux@xxxxxxxxxxxxx To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx. To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.