
[1/1] libsepol: free memory when realloc() fails

Message ID 20201111212944.17659-1-nicolas.iooss@m4x.org (mailing list archive)
State Accepted

Commit Message

Nicolas Iooss Nov. 11, 2020, 9:29 p.m. UTC
In get_class_info(), if realloc(class_buf, new_class_buf_len) fails to
grow the memory, the function returns NULL without freeing class_buf.
This leads to a memory leak which is reported by clang's static
analyzer:
https://580-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-11-11-194150-6152-1/report-42a899.html#EndPath

Fix the memory leak by calling free(class_buf).

While at it, use size_t instead of int to store the size of the buffer
which is growing.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 libsepol/src/services.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

Comments

Ondrej Mosnacek Nov. 12, 2020, 2:16 p.m. UTC | #1
On Wed, Nov 11, 2020 at 10:30 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
> In get_class_info(), if realloc(class_buf, new_class_buf_len) fails to
> grow the memory, the function returns NULL without freeing class_buf.
> This leads to a memory leak which is reported by clang's static
> analyzer:
> https://580-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-11-11-194150-6152-1/report-42a899.html#EndPath
>
> Fix the memory leak by calling free(class_buf).
>
> While at it, use size_t insted of int to store the size of the buffer
> which is growing.
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> ---
>  libsepol/src/services.c | 19 +++++++++++--------
>  1 file changed, 11 insertions(+), 8 deletions(-)
>
> diff --git a/libsepol/src/services.c b/libsepol/src/services.c
> index beb0711f6680..72b39657cd2e 100644
> --- a/libsepol/src/services.c
> +++ b/libsepol/src/services.c
> @@ -312,17 +312,20 @@ static char *get_class_info(sepol_security_class_t tclass,
>         else
>                 state_num = mls + 2;
>
> -       int class_buf_len = 0;
> -       int new_class_buf_len;
> -       int len, buf_used;
> +       size_t class_buf_len = 0;
> +       size_t new_class_buf_len;
> +       size_t buf_used;
> +       int len;
>         char *class_buf = NULL, *p;
>         char *new_class_buf = NULL;
>
>         while (1) {
>                 new_class_buf_len = class_buf_len + EXPR_BUF_SIZE;
>                 new_class_buf = realloc(class_buf, new_class_buf_len);
> -                       if (!new_class_buf)
> -                               return NULL;
> +               if (!new_class_buf) {
> +                       free(class_buf);
> +                       return NULL;
> +               }
>                 class_buf_len = new_class_buf_len;
>                 class_buf = new_class_buf;
>                 buf_used = 0;
> @@ -330,7 +333,7 @@ static char *get_class_info(sepol_security_class_t tclass,
>
>                 /* Add statement type */
>                 len = snprintf(p, class_buf_len - buf_used, "%s", statements[state_num]);
> -               if (len < 0 || len >= class_buf_len - buf_used)
> +               if (len < 0 || (size_t)len >= class_buf_len - buf_used)
>                         continue;
>
>                 /* Add class entry */
> @@ -338,7 +341,7 @@ static char *get_class_info(sepol_security_class_t tclass,
>                 buf_used += len;
>                 len = snprintf(p, class_buf_len - buf_used, "%s ",
>                                 policydb->p_class_val_to_name[tclass - 1]);
> -               if (len < 0 || len >= class_buf_len - buf_used)
> +               if (len < 0 || (size_t)len >= class_buf_len - buf_used)
>                         continue;
>
>                 /* Add permission entries (validatetrans does not have perms) */
> @@ -351,7 +354,7 @@ static char *get_class_info(sepol_security_class_t tclass,
>                 } else {
>                         len = snprintf(p, class_buf_len - buf_used, "(");
>                 }
> -               if (len < 0 || len >= class_buf_len - buf_used)
> +               if (len < 0 || (size_t)len >= class_buf_len - buf_used)
>                         continue;
>                 break;
>         }
> --
> 2.29.2

Acked-by: Ondrej Mosnacek <omosnace@redhat.com>

Feel free to apply the patch yourself together with the manpage and CI
patches if you want to.
Nicolas Iooss Nov. 12, 2020, 9:04 p.m. UTC | #2
On Thu, Nov 12, 2020 at 3:16 PM Ondrej Mosnacek <omosnace@redhat.com> wrote:
>
> On Wed, Nov 11, 2020 at 10:30 PM Nicolas Iooss <nicolas.iooss@m4x.org> wrote:
> > In get_class_info(), if realloc(class_buf, new_class_buf_len) fails to
> > grow the memory, the function returns NULL without freeing class_buf.
> > This leads to a memory leak which is reported by clang's static
> > analyzer:
> > https://580-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-11-11-194150-6152-1/report-42a899.html#EndPath
> >
> > Fix the memory leak by calling free(class_buf).
> >
> > While at it, use size_t insted of int to store the size of the buffer
> > which is growing.
> >
> > Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> > ---
> >  libsepol/src/services.c | 19 +++++++++++--------
> >  1 file changed, 11 insertions(+), 8 deletions(-)
> >
> > diff --git a/libsepol/src/services.c b/libsepol/src/services.c
> > index beb0711f6680..72b39657cd2e 100644
> > --- a/libsepol/src/services.c
> > +++ b/libsepol/src/services.c
> > @@ -312,17 +312,20 @@ static char *get_class_info(sepol_security_class_t tclass,
> >         else
> >                 state_num = mls + 2;
> >
> > -       int class_buf_len = 0;
> > -       int new_class_buf_len;
> > -       int len, buf_used;
> > +       size_t class_buf_len = 0;
> > +       size_t new_class_buf_len;
> > +       size_t buf_used;
> > +       int len;
> >         char *class_buf = NULL, *p;
> >         char *new_class_buf = NULL;
> >
> >         while (1) {
> >                 new_class_buf_len = class_buf_len + EXPR_BUF_SIZE;
> >                 new_class_buf = realloc(class_buf, new_class_buf_len);
> > -                       if (!new_class_buf)
> > -                               return NULL;
> > +               if (!new_class_buf) {
> > +                       free(class_buf);
> > +                       return NULL;
> > +               }
> >                 class_buf_len = new_class_buf_len;
> >                 class_buf = new_class_buf;
> >                 buf_used = 0;
> > @@ -330,7 +333,7 @@ static char *get_class_info(sepol_security_class_t tclass,
> >
> >                 /* Add statement type */
> >                 len = snprintf(p, class_buf_len - buf_used, "%s", statements[state_num]);
> > -               if (len < 0 || len >= class_buf_len - buf_used)
> > +               if (len < 0 || (size_t)len >= class_buf_len - buf_used)
> >                         continue;
> >
> >                 /* Add class entry */
> > @@ -338,7 +341,7 @@ static char *get_class_info(sepol_security_class_t tclass,
> >                 buf_used += len;
> >                 len = snprintf(p, class_buf_len - buf_used, "%s ",
> >                                 policydb->p_class_val_to_name[tclass - 1]);
> > -               if (len < 0 || len >= class_buf_len - buf_used)
> > +               if (len < 0 || (size_t)len >= class_buf_len - buf_used)
> >                         continue;
> >
> >                 /* Add permission entries (validatetrans does not have perms) */
> > @@ -351,7 +354,7 @@ static char *get_class_info(sepol_security_class_t tclass,
> >                 } else {
> >                         len = snprintf(p, class_buf_len - buf_used, "(");
> >                 }
> > -               if (len < 0 || len >= class_buf_len - buf_used)
> > +               if (len < 0 || (size_t)len >= class_buf_len - buf_used)
> >                         continue;
> >                 break;
> >         }
> > --
> > 2.29.2
>
> Acked-by: Ondrej Mosnacek <omosnace@redhat.com>
>
> Feel free to apply the patch yourself together with the manpage and CI
> patches if you want to.

Thanks, I did this and applied all the patches.

Nicolas

Patch

diff --git a/libsepol/src/services.c b/libsepol/src/services.c
index beb0711f6680..72b39657cd2e 100644
--- a/libsepol/src/services.c
+++ b/libsepol/src/services.c
@@ -312,17 +312,20 @@  static char *get_class_info(sepol_security_class_t tclass,
 	else
 		state_num = mls + 2;
 
-	int class_buf_len = 0;
-	int new_class_buf_len;
-	int len, buf_used;
+	size_t class_buf_len = 0;
+	size_t new_class_buf_len;
+	size_t buf_used;
+	int len;
 	char *class_buf = NULL, *p;
 	char *new_class_buf = NULL;
 
 	while (1) {
 		new_class_buf_len = class_buf_len + EXPR_BUF_SIZE;
 		new_class_buf = realloc(class_buf, new_class_buf_len);
-			if (!new_class_buf)
-				return NULL;
+		if (!new_class_buf) {
+			free(class_buf);
+			return NULL;
+		}
 		class_buf_len = new_class_buf_len;
 		class_buf = new_class_buf;
 		buf_used = 0;
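Review bot: The new failure branch after realloc() has no comment explaining why the old pointer is freed there, and the `class_buf`/`new_class_buf` pair is easy to collapse into a single `class_buf = realloc(class_buf, ...)` in a later cleanup, which would bring the leak back. A one-line comment above the `free(class_buf)` call would record the reason: `/* realloc() leaves class_buf allocated on failure; release it before returning */`. get_class_info() begins before this hunk and its while loop continues past it, so the other exits of the function are not visible here.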
@@ -330,7 +333,7 @@  static char *get_class_info(sepol_security_class_t tclass,
 
 		/* Add statement type */
 		len = snprintf(p, class_buf_len - buf_used, "%s", statements[state_num]);
-		if (len < 0 || len >= class_buf_len - buf_used)
+		if (len < 0 || (size_t)len >= class_buf_len - buf_used)
 			continue;
 
 		/* Add class entry */
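Review bot: A negative return from snprintf() in the check after "Add statement type" is handled exactly like truncation, so `continue` grows the buffer by EXPR_BUF_SIZE and retries even though a larger buffer cannot cure an output error; on that path the loop ends only when realloc() finally fails. The same combined test appears in the two following hunks (the checks after "Add class entry" and after the `"("` snprintf). Splitting the two cases makes the error path stop at once: `if (len < 0) { free(class_buf); return NULL; }` followed by `if ((size_t)len >= class_buf_len - buf_used) continue;`. The enclosing while loop of get_class_info() starts and ends outside this hunk.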
@@ -338,7 +341,7 @@  static char *get_class_info(sepol_security_class_t tclass,
 		buf_used += len;
 		len = snprintf(p, class_buf_len - buf_used, "%s ",
 				policydb->p_class_val_to_name[tclass - 1]);
-		if (len < 0 || len >= class_buf_len - buf_used)
+		if (len < 0 || (size_t)len >= class_buf_len - buf_used)
 			continue;
 
 		/* Add permission entries (validatetrans does not have perms) */
@@ -351,7 +354,7 @@  static char *get_class_info(sepol_security_class_t tclass,
 		} else {
 			len = snprintf(p, class_buf_len - buf_used, "(");
 		}
-		if (len < 0 || len >= class_buf_len - buf_used)
+		if (len < 0 || (size_t)len >= class_buf_len - buf_used)
 			continue;
 		break;
 	}