Re: [PATCH 1/3] libsepol/cil: Properly check parse tree when printing error messages

On Wed, Sep 1, 2021 at 3:22 PM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote:
>
> On Fri, Aug 27, 2021 at 4:20 PM James Carter <jwcart2@xxxxxxxxx> wrote:
> >
> > The function cil_tree_get_next_path() does not check whether the
> > parse tree node that stores the high-level language file path of a
> > src_info rule actually exists before trying to read the path. This
> > can result in a NULL dereference.
> >
> > Check that all of the parse tree nodes of a src_info rule exist
> > before reading the data from them.
> >
> > This bug was found by the secilc-fuzzer.
> >
> > Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
>
> For the 3 patches:
>
> Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
>

This series has been merged.
Thanks,
Jim

> Thanks,
> Nicolas
>
> > ---
> >  libsepol/cil/src/cil_tree.c | 5 ++++-
> >  1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/libsepol/cil/src/cil_tree.c b/libsepol/cil/src/cil_tree.c
> > index 75293005..e70722ec 100644
> > --- a/libsepol/cil/src/cil_tree.c
> > +++ b/libsepol/cil/src/cil_tree.c
> > @@ -62,7 +62,10 @@ struct cil_tree_node *cil_tree_get_next_path(struct cil_tree_node *node, char **
> >
> >         while (node) {
> >                 if (node->flavor == CIL_NODE && node->data == NULL) {
> > -                       if (node->cl_head->data == CIL_KEY_SRC_INFO && node->cl_head->next != NULL && node->cl_head->next->next != NULL) {
> > +                       if (node->cl_head && node->cl_head->data == CIL_KEY_SRC_INFO) {
> > +                               if (!node->cl_head->next || !node->cl_head->next->next || !node->cl_head->next->next->next) {
> > +                                       goto exit;
> > +                               }
> >                                 /* Parse Tree */
> >                                 *info_kind = node->cl_head->next->data;
> >                                 rc = cil_string_to_uint32(node->cl_head->next->next->data, hll_line, 10);
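
Review bot: the new inner check at `if (!node->cl_head->next || !node->cl_head->next->next || !node->cl_head->next->next->next)` confirms that the three sibling nodes exist, but not that their `data` pointers are non-NULL. The outer condition `node->flavor == CIL_NODE && node->data == NULL` shows that a parse tree node can legitimately carry NULL data, so a src_info rule whose second or third element is such a node would still hand NULL to `*info_kind` and to `cil_string_to_uint32(node->cl_head->next->next->data, hll_line, 10)`. Unless the callee is known to reject NULL, consider also testing `->data` on each of the three nodes before reading them. Separately, a malformed src_info now takes `goto exit` where the old combined condition simply failed; a short comment saying what the caller sees in that case would help, since the value of `rc` at that point is not visible in this hunk.
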
> > --
> > 2.31.1
> >
>


