In main(), if "extract_pw_data(&pw)" returns a failed value, it has already freed pw.pw_name, pw.pw_dir and pw.pw_shell. These fields are freed a second time in main's err_free label, which is incorrect. Work around this by setting them to NULL after they are freed.

This issue has been found using clang's static analyzer.

While at it, make extract_pw_data() static.

Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>

--- policycoreutils/newrole/newrole.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/policycoreutils/newrole/newrole.c b/policycoreutils/newrole/newrole.c index faf937b94f6d..bed92e4e7494 100644 --- a/policycoreutils/newrole/newrole.c +++ b/policycoreutils/newrole/newrole.c @@ -412,7 +412,7 @@ static int verify_shell(const char *shell_name) * This function assigns malloc'd memory into the pw_copy struct. * Returns zero on success, non-zero otherwise */ -int extract_pw_data(struct passwd *pw_copy) +static int extract_pw_data(struct passwd *pw_copy) { uid_t uid; struct passwd *pw; @@ -456,6 +456,9 @@ int extract_pw_data(struct passwd *pw_copy) free(pw->pw_name); free(pw->pw_dir); free(pw->pw_shell); + pw->pw_name = NULL; + pw->pw_dir = NULL; + pw->pw_shell = NULL; return -1; } -- 2.12.0
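Review bot: The comment above extract_pw_data() in the first hunk (@@ -412,7) still only says "Returns zero on success, non-zero otherwise", but the failure contract is now something main's err_free path depends on. Please extend that comment to state that on failure pw_name, pw_dir and pw_shell have been freed and set to NULL, so a later change to either the function or the caller does not reintroduce the double free.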
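Review bot: In the error path of the second hunk (@@ -456,6), the three NULL assignments are made through the local `pw`, while the caller's struct is passed in as `pw_copy`. The double free in main is only prevented if `pw` points at `*pw_copy` by this point, which the hunk does not show. Either write the resets as `pw_copy->pw_name = NULL;` (and likewise for pw_dir and pw_shell) or add a one-line comment saying that pw aliases pw_copy here. The fix itself is sound under that condition, since free(NULL) is a no-op, but the commit message calls it a workaround: a cleaner follow-up would give the frees a single owner, for example by leaving all cleanup to the caller's err_free label.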