Message ID | 20211220180318.37453-1-cgzones@googlemail.com |
---|---|
State | Accepted |
Series | libsepol/cil: bail out on snprintf failure |
On Mon, Dec 20, 2021 at 3:16 PM Christian Göttsche <cgzones@googlemail.com> wrote: > > Do not continue with a negative return value once a string append > operation fails to avoid increasing the buffer length variable > `str_len`, potentially leading to an out-of-bounds write. > > Found by GitHub CodeQL. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com> > --- > libsepol/cil/src/cil.c | 6 ++++++ > 1 file changed, 6 insertions(+) > > diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c > index 9916cbee..38edcf8e 100644 > --- a/libsepol/cil/src/cil.c > +++ b/libsepol/cil/src/cil.c > @@ -1456,6 +1456,12 @@ int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size) > > buf_pos = snprintf(str_tmp, str_len, "user %s prefix %s;\n", user->datum.fqn, > userprefix->prefix_str); > + if (buf_pos < 0) { > + free(str_tmp); > + *size = 0; > + *out = NULL; > + goto exit; > + } > str_len -= buf_pos; > str_tmp += buf_pos; > } > -- > 2.34.1 >
On Mon, Jan 3, 2022 at 12:45 PM James Carter <jwcart2@gmail.com> wrote: > > On Mon, Dec 20, 2021 at 3:16 PM Christian Göttsche > <cgzones@googlemail.com> wrote: > > > > Do not continue with a negative return value once a string append > > operation fails to avoid increasing the buffer length variable > > `str_len`, potentially leading to an out-of-bounds write. > > > > Found by GitHub CodeQL. > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > Acked-by: James Carter <jwcart2@gmail.com> > Merged. Thanks, Jim > > --- > > libsepol/cil/src/cil.c | 6 ++++++ > > 1 file changed, 6 insertions(+) > > > > diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c > > index 9916cbee..38edcf8e 100644 > > --- a/libsepol/cil/src/cil.c > > +++ b/libsepol/cil/src/cil.c > > @@ -1456,6 +1456,12 @@ int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size) > > > > buf_pos = snprintf(str_tmp, str_len, "user %s prefix %s;\n", user->datum.fqn, > > userprefix->prefix_str); > > + if (buf_pos < 0) { > > + free(str_tmp); > > + *size = 0; > > + *out = NULL; > > + goto exit; > > + } > > str_len -= buf_pos; > > str_tmp += buf_pos; > > } > > -- > > 2.34.1 > >
diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c index 9916cbee..38edcf8e 100644 --- a/libsepol/cil/src/cil.c +++ b/libsepol/cil/src/cil.c @@ -1456,6 +1456,12 @@ int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size) buf_pos = snprintf(str_tmp, str_len, "user %s prefix %s;\n", user->datum.fqn, userprefix->prefix_str); + if (buf_pos < 0) { + free(str_tmp); + *size = 0; + *out = NULL; + goto exit; + } str_len -= buf_pos; str_tmp += buf_pos; }
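Review bot: the new error path frees the wrong pointer on any iteration after the first. The loop advances the write cursor with `str_tmp += buf_pos;`, so when a later snprintf call fails `str_tmp` already points into the middle of the allocation and `free(str_tmp);` hands an interior pointer to free(); the hunk then sets `*out = NULL`, which indicates `*out` is where the base of the buffer lives, so `free(*out);` (or a saved base pointer) is what should be released before clearing it. A second point: the check only catches a negative return, while a return value of `str_len` or more (truncation) would equally make `str_len -= buf_pos;` wrap and push `str_tmp` past the end of the buffer; `if (buf_pos < 0 || (size_t)buf_pos >= str_len)` covers both failure modes in one test.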
Do not continue with a negative return value once a string append operation fails to avoid increasing the buffer length variable `str_len`, potentially leading to an out-of-bounds write.

Found by GitHub CodeQL.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libsepol/cil/src/cil.c | 6 ++++++
 1 file changed, 6 insertions(+)
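The hazard the commit message describes is the unchecked `str_len -= buf_pos; str_tmp += buf_pos;` pair: a negative snprintf return grows the remaining length instead of shrinking it, and a truncated write (return value at or above the remaining length) wraps it, so the next snprintf gets a bound far larger than the bytes actually left. The following is an added example written for this page, not code from libsepol or from the patch; `append_fmt`, `userprefixes_to_string` and the demo functions are hypothetical names, and the user/prefix pairs are constructed sample input. It shows the same size-pass/allocate/write-pass shape as the CIL function, with the append step checking both failure modes and the error path freeing the allocation's base rather than the advanced cursor.

```c
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Append one formatted item at *cursor without writing past the `remaining`
 * bytes left in the buffer. Returns 0 on success, -1 if vsnprintf reports an
 * error (negative return) or the item did not fit (return >= remaining).
 * cursor and remaining are advanced only on success, so a failed call leaves
 * both exactly where they were; nothing is ever subtracted that would wrap. */
static int append_fmt(char **cursor, size_t *remaining, const char *fmt, ...)
{
    va_list ap;
    int n;

    va_start(ap, fmt);
    n = vsnprintf(*cursor, *remaining, fmt, ap);
    va_end(ap);

    if (n < 0)
        return -1;                   /* encoding/overflow error, output undefined */
    if ((size_t)n >= *remaining)
        return -1;                   /* truncated: advancing would run off the end */

    *cursor += n;
    *remaining -= (size_t)n;
    return 0;
}

/* Hypothetical stand-in for the CIL routine: emit "user <name> prefix <p>;\n"
 * for each pair. Returns a heap string (caller frees) and stores its length
 * (without the NUL) in *size; returns NULL with *size == 0 on any failure. */
char *userprefixes_to_string(const char *const *users, const char *const *prefixes,
                             size_t count, size_t *size)
{
    size_t str_len = 0, remaining, i;
    char *base, *cursor;

    *size = 0;
    for (i = 0; i < count; i++)      /* sizing pass, as in the original loop */
        str_len += strlen("user ") + strlen(users[i]) + strlen(" prefix ")
                 + strlen(prefixes[i]) + strlen(";\n");

    remaining = str_len + 1;         /* room for the terminating NUL */
    base = malloc(remaining);
    if (base == NULL)
        return NULL;
    base[0] = '\0';
    cursor = base;

    for (i = 0; i < count; i++) {    /* write pass */
        if (append_fmt(&cursor, &remaining, "user %s prefix %s;\n",
                       users[i], prefixes[i]) < 0) {
            free(base);              /* the allocation's start, never the moved cursor */
            return NULL;
        }
    }
    *size = str_len;
    return base;
}

/* Builds the string for two constructed sample pairs and checks the result. */
int demo_build_matches_expected(void)
{
    const char *const users[] = { "user_u", "staff_u" };       /* constructed */
    const char *const prefixes[] = { "user", "staff" };        /* constructed */
    const char *expected = "user user_u prefix user;\nuser staff_u prefix staff;\n";
    size_t size = 0;
    char *s = userprefixes_to_string(users, prefixes, 2, &size);
    int ok = s != NULL && strcmp(s, expected) == 0 && size == strlen(expected);
    free(s);
    return ok;
}

/* Failure path: the second item does not fit in a 16-byte buffer. The
 * unchecked loop would subtract 17 from 8 and wrap; append_fmt refuses and
 * leaves cursor/remaining untouched at the end of the first item. */
int demo_truncation_is_rejected(void)
{
    char buf[16];
    char *cursor = buf;
    size_t remaining = sizeof buf;
    int first = append_fmt(&cursor, &remaining, "user %s;\n", "a");          /* 8 bytes */
    int second = append_fmt(&cursor, &remaining, "user %s;\n", "bbbbbbbbbb"); /* 17 bytes */
    return first == 0 && second < 0 && remaining == sizeof buf - 8 && cursor == buf + 8;
}

int main(void)
{
    const char *const users[] = { "user_u", "staff_u" };
    const char *const prefixes[] = { "user", "staff" };
    size_t size = 0;
    char *s = userprefixes_to_string(users, prefixes, 2, &size);
    if (s != NULL) {
        fputs(s, stdout);
        free(s);
    }
    printf("truncation rejected: %s\n", demo_truncation_is_rejected() ? "yes" : "no");
    return 0;
}
```

Because `append_fmt` only moves the cursor and shrinks the count after a successful write, the two counters can never disagree with the bytes actually in the buffer, which is the invariant the CIL loop relied on without checking.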