On Fri, Jan 31, 2025 at 1:03 PM Christian Göttsche <cgoettsche@xxxxxxxxxxxxx> wrote: > > From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > Limit the length of regular expression paths in fcontext source > definitions to reduce the worst case regex compilation time for abnormal > inputs. > > Reported-by: oss-fuzz (issue 393203212) > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > --- > libselinux/src/label_file.h | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h > index ad7699e6..7a9834a0 100644 > --- a/libselinux/src/label_file.h > +++ b/libselinux/src/label_file.h > @@ -434,6 +434,12 @@ static inline int compile_regex(struct regex_spec *spec, char *errbuf, size_t er > reg_buf = spec->regex_str; > /* Anchor the regular expression. */ > len = strlen(reg_buf); > + if (len >= 4096) { I am assuming that 4096 was chosen as a reasonably larger number and not because there is some other constraint. I would just like to see a comment explaining that. Thanks, Jim > + __pthread_mutex_unlock(&spec->regex_lock); > + snprintf(errbuf, errbuf_size, "regex of length %zu too long", len); > + errno = EINVAL; > + return -1; > + } > cp = anchored_regex = malloc(len + 3); > if (!anchored_regex) { > __pthread_mutex_unlock(&spec->regex_lock); > -- > 2.45.2 > >
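Review bot: the literal 4096 in `if (len >= 4096) {` has no name and no comment, so a reader of compile_regex() cannot tell that it is a bound chosen to cap worst-case regex compilation time (as the commit message says) rather than a limit imposed by the regex backend or a buffer size. Suggest a named constant defined next to a one-line comment stating that rationale, and using the same constant in the error string so that "regex of length %zu too long" also reports the maximum. Because the comparison is `>=`, the longest accepted regex is 4095 bytes; the comment should say whether the limit is meant to be inclusive. The new error path unlocks spec->regex_lock before returning, matching the malloc failure path below it, so the locking looks consistent.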