On Mon, Dec 20, 2021 at 3:16 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> Do not continue with a negative return value once a string append
> operation fails to avoid increasing the buffer length variable
> `str_len`, potentially leading to an out-of-bounds write.
>
> Found by GitHub CodeQL.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

Acked-by: James Carter <jwcart2@xxxxxxxxx>

> ---
>  libsepol/cil/src/cil.c | 6 ++++++
>  1 file changed, 6 insertions(+)
>
> diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
> index 9916cbee..38edcf8e 100644
> --- a/libsepol/cil/src/cil.c
> +++ b/libsepol/cil/src/cil.c
> @@ -1456,6 +1456,12 @@ int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size)
>
>  		buf_pos = snprintf(str_tmp, str_len, "user %s prefix %s;\n", user->datum.fqn,
>  									userprefix->prefix_str);
> +		if (buf_pos < 0) {
> +			free(str_tmp);
> +			*size = 0;
> +			*out = NULL;
> +			goto exit;
> +		}
>  		str_len -= buf_pos;
>  		str_tmp += buf_pos;
>  	}
> --
> 2.34.1
>
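Review bot: the new error path frees the wrong pointer. The loop advances the cursor with `str_tmp += buf_pos;` at the bottom of this hunk, so if snprintf fails on any iteration after the first, `free(str_tmp)` hands an interior pointer to free(), which is undefined behaviour. The path already clears `*out`, which suggests `*out` holds the start of the allocation; if so, release it through that instead, i.e. `free(*out);` immediately before `*out = NULL;`. Separately, `buf_pos < 0` only catches an encoding error: a return value of `str_len` or more (truncation) would still be subtracted from `str_len` and underflow it, and the cursor would be pushed past the end of the buffer. If `str_len` is pre-sized exactly for every entry that cannot happen, but either a comment stating that invariant or a `(size_t)buf_pos >= str_len` test on the same error path would make it explicit.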