Free the local access vector list on failure as it does not get moved
into the policy structure.
Direct leak of 16 byte(s) in 1 object(s) allocated from:
#0 0x52596d in malloc (./out/binpolicy-fuzzer+0x52596d)
#1 0x5b30d2 in cond_insertf ./libsepol/src/conditional.c:682:9
#2 0x5ac218 in avtab_read_item ./libsepol/src/avtab.c:583:10
#3 0x5b21f4 in cond_read_av_list ./libsepol/src/conditional.c:725:8
#4 0x5b21f4 in cond_read_node ./libsepol/src/conditional.c:798:7
#5 0x5b21f4 in cond_read_list ./libsepol/src/conditional.c:847:7
#6 0x576b6e in policydb_read ./libsepol/src/policydb.c:4436:8
#7 0x55a1fe in LLVMFuzzerTestOneInput ./libsepol/fuzz/binpolicy-fuzzer.c:24:6
#8 0x45aed3 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) fuzzer.o
#9 0x446a12 in fuzzer::RunOneTest(fuzzer::Fuzzer*, char const*, unsigned long) fuzzer.o
#10 0x44c93b in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) fuzzer.o
#11 0x475dd2 in main (./out/binpolicy-fuzzer+0x475dd2)
#12 0x7f47abeb87ec in __libc_start_main csu/../csu/libc-start.c:332:16
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
libsepol/src/conditional.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/libsepol/src/conditional.c b/libsepol/src/conditional.c
index 9a10aae1..50cb5395 100644
--- a/libsepol/src/conditional.c
+++ b/libsepol/src/conditional.c
@@ -724,8 +724,10 @@ static int cond_read_av_list(policydb_t * p, void *fp,
for (i = 0; i < len; i++) {
rc = avtab_read_item(fp, p->policyvers, &p->te_cond_avtab,
cond_insertf, &data);
- if (rc)
+ if (rc) {
+ cond_av_list_destroy(data.head);
return rc;
+ }
}
--
2.33.0
