On 2/6/19 4:07 PM, Nicolas Iooss wrote:
clang's static analyzer reports a use-after-free in __cil_expr_to_string(), when __cil_expr_to_string_helper() does not modify its third parameter (variable s1 here) in this loop:

    for (curr = curr->next; curr; curr = curr->next) {
        __cil_expr_to_string_helper(curr, flavor, &s1);
        cil_asprintf(&c2, "%s %s", c1, s1);
        free(c1);
        free(s1);
        c1 = c2;
    }

Silence this warning by making sure s1 is always NULL at the beginning of every iteration of the loop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
Acked-by: James Carter <jwcart2@xxxxxxxxxxxxx>
--- libsepol/cil/src/cil_binary.c | 1 + 1 file changed, 1 insertion(+) diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c index a10c3763bea4..e2eb3ebe8ff3 100644 --- a/libsepol/cil/src/cil_binary.c +++ b/libsepol/cil/src/cil_binary.c @@ -2075,6 +2075,7 @@ static void __cil_expr_to_string(struct cil_list *expr, enum cil_flavor flavor, char *c2 = NULL; __cil_expr_to_string_helper(curr, flavor, &c1); for (curr = curr->next; curr; curr = curr->next) { + s1 = NULL; __cil_expr_to_string_helper(curr, flavor, &s1); cil_asprintf(&c2, "%s %s", c1, s1); free(c1);
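Review bot: the added `s1 = NULL;` at the top of the loop body removes the double free the analyzer reported, but the unchanged lines that follow still hand s1 straight to `cil_asprintf(&c2, "%s %s", c1, s1);`, so in the very case the commit message describes (the helper returning without assigning its out parameter) the format call now receives a NULL for "%s", which is undefined behaviour in C (glibc happens to print "(null)", other libcs may crash). Either state in the commit message that __cil_expr_to_string_helper() assigns *s1 on every path, so the reset is only there to satisfy the analyzer, or check s1 for NULL before the cil_asprintf() call and substitute an empty string (the later `free(s1)` is already safe on NULL).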
-- James Carter <jwcart2@xxxxxxxxxxxxx> National Security Agency
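The loop pattern discussed in this thread, as an added stand-alone example that is not libsepol code: a helper that assigns its out parameter only on some paths, a caller that frees that out variable every iteration, and the fix of resetting the variable to NULL before each call. All names (struct node, node_to_string, join_list, join_sample, dup_str) are hypothetical stand-ins for the cil ones; the example also guards the "%s" argument, which the one-line patch on its own does not.

```c
/* Added example, not libsepol code: the stale out-parameter pattern behind the
 * patch above, in a self-contained toy. Every name here is hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Minimal linked list standing in for struct cil_list. */
struct node {
    const char *text;    /* NULL models a node kind the helper does not print */
    struct node *next;
};

/* Portable strdup replacement so the example builds under strict -std=c11. */
static char *dup_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    if (p)
        memcpy(p, s, n);
    return p;
}

/* Toy stand-in for __cil_expr_to_string_helper(): assigns *out only for nodes
 * it knows how to print. On an unhandled node it returns without touching
 * *out, which is what lets a pointer freed in the previous loop iteration
 * survive into the next one in the unpatched caller. */
static void node_to_string(const struct node *n, char **out)
{
    if (n->text == NULL)
        return;              /* *out deliberately left unmodified */
    *out = dup_str(n->text);
}

/* Joins the list with spaces, mirroring the patched loop: s1 is reset to NULL
 * before every helper call, so an unhandled node leaves s1 NULL instead of
 * dangling. free(NULL) is a no-op, and the "%s" argument is guarded so a NULL
 * never reaches the format string (a case the patch alone does not cover). */
char *join_list(const struct node *head)
{
    char *c1 = NULL, *c2 = NULL, *s1 = NULL;
    const struct node *curr;

    if (head == NULL)
        return dup_str("");
    node_to_string(head, &c1);
    if (c1 == NULL)
        c1 = dup_str("?");
    for (curr = head->next; curr; curr = curr->next) {
        s1 = NULL;           /* the one-line fix from the patch */
        node_to_string(curr, &s1);
        const char *part = s1 ? s1 : "?";
        size_t len = strlen(c1) + 1 + strlen(part) + 1;
        c2 = malloc(len);
        if (c2 == NULL) {
            free(c1);
            free(s1);
            return NULL;
        }
        snprintf(c2, len, "%s %s", c1, part);
        free(c1);
        free(s1);            /* safe even when s1 is still NULL */
        c1 = c2;
    }
    return c1;
}

/* Constructed sample: an unhandled node sits between two handled ones, which
 * is exactly the shape that would double-free in the unpatched loop. */
char *join_sample(void)
{
    static struct node c = { "c", NULL };
    static struct node b = { NULL, &c };
    static struct node a = { "a", &b };
    return join_list(&a);
}

int main(void)
{
    char *s = join_sample();
    printf("%s\n", s);       /* a ? c */
    free(s);
    return 0;
}
```

Without the `s1 = NULL;` line, the middle node would leave s1 pointing at the buffer freed in the previous iteration, and the following `free(s1)` would be the double free the analyzer flagged; with it, the only remaining hazard is a NULL reaching "%s", which the `part` guard handles.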