On Mon, Feb 11, 2019 at 8:06 PM jwcart2 <jwcart2@xxxxxxxxxxxxx> wrote:
>
> On 2/6/19 4:07 PM, Nicolas Iooss wrote:
> > clang's static analyzer reports a use-after-free in
> > __cil_expr_to_string(), when __cil_expr_to_string_helper() does not
> > modify its third parameter (variable s1 here) in this loop:
> >
> >     for (curr = curr->next; curr; curr = curr->next) {
> >         __cil_expr_to_string_helper(curr, flavor, &s1);
> >         cil_asprintf(&c2, "%s %s", c1, s1);
> >         free(c1);
> >         free(s1);
> >         c1 = c2;
> >     }
> >
> > Silence this warning by making sure s1 is always NULL at the beginning
> > of every iteration of the loop.
> >
> > Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
>
> Acked-by: James Carter <jwcart2@xxxxxxxxxxxxx>

Merged.

Nicolas

> > ---
> >  libsepol/cil/src/cil_binary.c | 1 +
> >  1 file changed, 1 insertion(+)
> >
> > diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
> > index a10c3763bea4..e2eb3ebe8ff3 100644
> > --- a/libsepol/cil/src/cil_binary.c
> > +++ b/libsepol/cil/src/cil_binary.c
> > @@ -2075,6 +2075,7 @@ static void __cil_expr_to_string(struct cil_list *expr, enum cil_flavor flavor,
> > char *c2 = NULL;
> > __cil_expr_to_string_helper(curr, flavor, &c1);
> > for (curr = curr->next; curr; curr = curr->next) {
> > + s1 = NULL;
> > __cil_expr_to_string_helper(curr, flavor, &s1);
> > cil_asprintf(&c2, "%s %s", c1, s1);
> > free(c1);
> >
> >
>
> --
> James Carter <jwcart2@xxxxxxxxxxxxx>
> National Security Agency
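Review bot: the `s1 = NULL` reset turns the stale second `free(s1)` into `free(NULL)`, but in exactly the case the commit message describes (the helper leaves its third parameter untouched) the loop still reaches `cil_asprintf(&c2, "%s %s", c1, s1)` with `s1 == NULL`; passing a NULL pointer for `%s` is undefined behaviour in C and only happens to print "(null)" on glibc. Consider skipping the concatenation when `s1` stays NULL, or making the helper always produce a string, so the loop does not depend on that libc quirk. It would also help to state in the commit message whether the helper can actually take that path for the flavors that reach `__cil_expr_to_string()`, since that decides whether this was a real double free or only an analyzer false positive.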
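The failure mode the commit message describes, worked through as an added example that is not libsepol's code: a loop frees an output string on every iteration, but the helper that fills it may leave the pointer untouched, so the stale pointer is read and freed again. A tiny instrumented allocator counts the double free and the read of freed memory instead of crashing. The pre-patch and post-patch loop shapes sit side by side; all names (render_operand, xdup, xjoin, join_operands_buggy, join_operands_fixed, the `?` marker operand and the sample operand list) are hypothetical stand-ins, and the fixed version additionally drops an operand the helper skipped rather than formatting a NULL, which goes beyond the one-line patch.

```c
/* Added example, not libsepol code. Models the loop in __cil_expr_to_string()
 * with hypothetical names; the allocator below records faults instead of
 * corrupting the heap so both loop shapes can run safely. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_BLOCKS 64
static char *g_blocks[MAX_BLOCKS];  /* every block handed out this run */
static int   g_live[MAX_BLOCKS];    /* 1 while the caller still owns it */
static int   g_nblocks, g_double_frees, g_uaf_reads;

int double_free_count(void) { return g_double_frees; }
int uaf_read_count(void)    { return g_uaf_reads; }

/* Blocks are only truly released here, so a pointer value is never reused
 * mid-run and the bookkeeping stays unambiguous. */
static void pool_reset(void)
{
    for (int i = 0; i < g_nblocks; i++)
        free(g_blocks[i]);
    g_nblocks = g_double_frees = g_uaf_reads = 0;
}

static int block_index(const char *p)
{
    for (int i = 0; i < g_nblocks; i++)
        if (g_blocks[i] == p)
            return i;
    return -1;
}

static char *xalloc(size_t n)
{
    if (g_nblocks == MAX_BLOCKS) abort();
    char *p = malloc(n);
    if (!p) abort();
    g_blocks[g_nblocks] = p;
    g_live[g_nblocks++] = 1;
    return p;
}

static char *xdup(const char *s)
{
    char *p = xalloc(strlen(s) + 1);
    strcpy(p, s);
    return p;
}

/* Tracking free(): a second free of a block is counted; free(NULL) is a no-op
 * exactly as with the real free(). */
static void xfree(char *p)
{
    if (!p) return;
    int i = block_index(p);
    if (i < 0) abort();
    if (!g_live[i]) { g_double_frees++; return; }
    g_live[i] = 0;
}

/* Stand-in for cil_asprintf(&c2, "%s %s", c1, s1). A read of a dead block is
 * recorded as a use-after-free; a NULL is rendered as "(null)" the way glibc
 * does, which C itself does not guarantee. */
static char *xjoin(const char *a, const char *b)
{
    if (!b) b = "(null)";
    int ib = block_index(b);
    if (ib >= 0 && !g_live[ib]) g_uaf_reads++;
    size_t la = strlen(a), lb = strlen(b);
    char *r = xalloc(la + 1 + lb + 1);
    memcpy(r, a, la);
    r[la] = ' ';
    memcpy(r + la + 1, b, lb + 1);
    return r;
}

/* Stand-in for __cil_expr_to_string_helper(): fills *out for operands it can
 * render and, like the path the commit message describes, leaves *out
 * untouched otherwise ('?' marks such an operand). */
static void render_operand(const char *op, char **out)
{
    if (op[0] != '?')
        *out = xdup(op);
}

/* Pre-patch shape: s1 is never reset, so after a skipped operand it still
 * holds the pointer freed one iteration earlier. Returns a pool-owned string. */
char *join_operands_buggy(const char *const *ops, size_t n)
{
    pool_reset();
    char *c1 = NULL, *c2 = NULL, *s1 = NULL;
    if (n == 0) return xdup("");
    render_operand(ops[0], &c1);
    if (!c1) c1 = xdup("");
    for (size_t i = 1; i < n; i++) {
        render_operand(ops[i], &s1);
        c2 = xjoin(c1, s1);  /* reads freed memory when s1 is stale */
        xfree(c1);
        xfree(s1);           /* double free when s1 is stale */
        c1 = c2;
    }
    return c1;
}

/* Post-patch shape (s1 = NULL each iteration, the one-line fix) plus a guard
 * the patch does not have: a skipped operand is dropped, not printed as NULL. */
char *join_operands_fixed(const char *const *ops, size_t n)
{
    pool_reset();
    char *c1 = NULL, *c2 = NULL, *s1 = NULL;
    if (n == 0) return xdup("");
    render_operand(ops[0], &c1);
    if (!c1) c1 = xdup("");
    for (size_t i = 1; i < n; i++) {
        s1 = NULL;           /* the fix: xfree(NULL) below is a no-op */
        render_operand(ops[i], &s1);
        if (!s1) continue;   /* added guard: nothing to append */
        c2 = xjoin(c1, s1);
        xfree(c1);
        xfree(s1);
        c1 = c2;
    }
    return c1;
}

/* Constructed input: '?' is the operand the helper leaves untouched. */
static const char *const SAMPLE_OPS[] = { "a", "b", "?", "c" };
#define SAMPLE_N (sizeof SAMPLE_OPS / sizeof SAMPLE_OPS[0])

int main(void)
{
    char *r = join_operands_buggy(SAMPLE_OPS, SAMPLE_N);
    printf("buggy: \"%s\" double frees=%d uaf reads=%d\n",
           r, double_free_count(), uaf_read_count());
    r = join_operands_fixed(SAMPLE_OPS, SAMPLE_N);
    printf("fixed: \"%s\" double frees=%d uaf reads=%d\n",
           r, double_free_count(), uaf_read_count());
    return 0;
}
```

On the sample input the buggy loop produces "a b b c" with one double free and one read of freed memory (the stale "b" is reused), while the fixed loop produces "a b c" with no faults. Under a real free() the stale pointer would corrupt the heap and the repeated "b" would be whatever the allocator had reused that memory for.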