Re: [PATCH 1/1] libsepol: free memory when realloc() fails

Nicolas Iooss <nicolas.iooss@xxxxxxx> · Thu, 12 Nov 2020 22:04:53 +0100

On Thu, Nov 12, 2020 at 3:16 PM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
>
> On Wed, Nov 11, 2020 at 10:30 PM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote:
> > In get_class_info(), if realloc(class_buf, new_class_buf_len) fails to
> > grow the memory, the function returns NULL without freeing class_buf.
> > This leads to a memory leak which is reported by clang's static
> > analyzer:
> > https://580-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-11-11-194150-6152-1/report-42a899.html#EndPath
> >
> > Fix the memory leak by calling free(class_buf).
> >
> > While at it, use size_t insted of int to store the size of the buffer
> > which is growing.
> >
> > Signed-off-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
> > ---
> >  libsepol/src/services.c | 19 +++++++++++--------
> >  1 file changed, 11 insertions(+), 8 deletions(-)
> >
> > diff --git a/libsepol/src/services.c b/libsepol/src/services.c
> > index beb0711f6680..72b39657cd2e 100644
> > --- a/libsepol/src/services.c
> > +++ b/libsepol/src/services.c
> > @@ -312,17 +312,20 @@ static char *get_class_info(sepol_security_class_t tclass,
> >         else
> >                 state_num = mls + 2;
> >
> > -       int class_buf_len = 0;
> > -       int new_class_buf_len;
> > -       int len, buf_used;
> > +       size_t class_buf_len = 0;
> > +       size_t new_class_buf_len;
> > +       size_t buf_used;
> > +       int len;
> >         char *class_buf = NULL, *p;
> >         char *new_class_buf = NULL;
> >
> >         while (1) {
> >                 new_class_buf_len = class_buf_len + EXPR_BUF_SIZE;
> >                 new_class_buf = realloc(class_buf, new_class_buf_len);
> > -                       if (!new_class_buf)
> > -                               return NULL;
> > +               if (!new_class_buf) {
> > +                       free(class_buf);
> > +                       return NULL;
> > +               }
> >                 class_buf_len = new_class_buf_len;
> >                 class_buf = new_class_buf;
> >                 buf_used = 0;
> > @@ -330,7 +333,7 @@ static char *get_class_info(sepol_security_class_t tclass,
> >
> >                 /* Add statement type */
> >                 len = snprintf(p, class_buf_len - buf_used, "%s", statements[state_num]);
> > -               if (len < 0 || len >= class_buf_len - buf_used)
> > +               if (len < 0 || (size_t)len >= class_buf_len - buf_used)
> >                         continue;
> >
> >                 /* Add class entry */
> > @@ -338,7 +341,7 @@ static char *get_class_info(sepol_security_class_t tclass,
> >                 buf_used += len;
> >                 len = snprintf(p, class_buf_len - buf_used, "%s ",
> >                                 policydb->p_class_val_to_name[tclass - 1]);
> > -               if (len < 0 || len >= class_buf_len - buf_used)
> > +               if (len < 0 || (size_t)len >= class_buf_len - buf_used)
> >                         continue;
> >
> >                 /* Add permission entries (validatetrans does not have perms) */
> > @@ -351,7 +354,7 @@ static char *get_class_info(sepol_security_class_t tclass,
> >                 } else {
> >                         len = snprintf(p, class_buf_len - buf_used, "(");
> >                 }
> > -               if (len < 0 || len >= class_buf_len - buf_used)
> > +               if (len < 0 || (size_t)len >= class_buf_len - buf_used)
> >                         continue;
> >                 break;
> >         }
> > --
> > 2.29.2
>
> Acked-by: Ondrej Mosnacek <omosnace@xxxxxxxxxx>
>
> Feel free to apply the patch yourself together with the manpage and CI
> patches if you want to.

Thanks, I did this and applied all the patches.

Nicolas