[v2,4/5] genfs_read: fix use heap-use-after-free

Commit Message

Roberts, William C Aug. 10, 2016, 10:35 p.m. UTC

From: William Roberts <william.c.roberts@intel.com>

The newc variable is calloc'd and assigned to a new
owner during a loop. After the first assignment of newc
to newgenfs->head, the subsequent iteration could fail
before the newc is reseated with a new heap allocation
pointer. When the subsequent iteration fails, the
newc variable is freed. Later, an attempt it made to
free the same pointer assigned to newgenfs->head.

To correct this, clear newc after every loop iteration.

Signed-off-by: William Roberts <william.c.roberts@intel.com>
---
 libsepol/src/policydb.c | 2 ++
 1 file changed, 2 insertions(+)

Patch

diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index 6a80f94..971793d 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -2812,6 +2812,8 @@  static int genfs_read(policydb_t * p, struct policy_file *fp)
 				l->next = newc;
 			else
 				newgenfs->head = newc;
+			/* clear newc after a new owner has the pointer */
+			newc = NULL;
 		}
 	}