When load_users() parses an invalid line with an empty level context
(ie. nothing between "level" and "range" keywords), it allocates memory
with malloc(0) and uses it. The behavior of malloc() in this case is
an unspecified behavior: it might return NULL, which would lead to a
segmentation fault.
Fix this issue by reporting the invalid entry instead. While at it,
ensure that the character before "range" is a space, and change the
logic slightly in order to avoid using "--p; ... p++;".
This issue is reported by clang's static analyzer with the following
message:
genusers.c:222:11: warning: Use of zero-allocated memory
*r++ = *s;
^
genusers.c:225:7: warning: Use of zero-allocated memory
*r = 0;
^
Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
---
libsepol/src/genusers.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/libsepol/src/genusers.c b/libsepol/src/genusers.c
index 556821066e3e..9bea83fd8304 100644
--- a/libsepol/src/genusers.c
+++ b/libsepol/src/genusers.c
@@ -201,11 +201,11 @@ static int load_users(struct policydb *policydb, const char *path)
if (!(*p))
BADLINE();
q = p;
- while (*p && strncasecmp(p, "range", 5))
+ while (*p && (!isspace(*p) || strncasecmp(p + 1, "range", 5)))
p++;
- if (!(*p))
+ if (!(*p) || p == q)
BADLINE();
- *--p = 0;
+ *p = 0;
p++;
scontext = malloc(p - q);
--
2.17.0
