selabel_is_digest_set() contains the following code: digest = calloc(1, sizeof(*digest)); if (!digest) goto err; /* ... */ err: free(digest->digest); If calloc() failed, digest is NULL but is dereferenced when the execution jumps to label err. Check that digest is not NULL before freeing its fields. This issue has been found using clang's static analyzer. Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx> --- libselinux/src/label.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/libselinux/src/label.c b/libselinux/src/label.c index 60639cfcfb74..3300ddc0ab31 100644 --- a/libselinux/src/label.c +++ b/libselinux/src/label.c @@ -191,9 +191,11 @@ static inline struct selabel_digest *selabel_is_digest_set return NULL; err: - free(digest->digest); - free(digest->specfile_list); - free(digest); + if (digest) { + free(digest->digest); + free(digest->specfile_list); + free(digest); + } return NULL; } -- 2.12.0
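
Review bot: At the `err:` label, the `if (digest)` wrapper could be avoided if the failed `calloc()` is the only path that reaches `err:` with `digest` still NULL: have that check do `return NULL;` directly instead of `goto err`, and keep the three `free()` calls unconditional. The guard as written is correct, since only the two dereferences (`digest->digest`, `digest->specfile_list`) need protecting and `free(digest)` on NULL is a no-op. Because the structure comes from `calloc()`, freeing fields that were never assigned is also safe on the later error paths. If the guard stays, a short comment noting that `digest` may be NULL here when the allocation failed would help the next reader, and it would be worth checking whether other `goto err` cleanup blocks in `label.c` follow the same pattern.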