diff mbox series

[2/3] libselinux: Fix RESOURCE_LEAK defects reported by coverity scan

Message ID 20190131132226.19030-2-plautrba@redhat.com (mailing list archive)
State Not Applicable
Headers show
Series [1/3] libsepol: Fix RESOURCE_LEAK defects reported by coverity scan | expand

Commit Message

Petr Lautrbach Jan. 31, 2019, 1:22 p.m. UTC 
Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
---
 libselinux/src/checkAccess.c        |  4 +++-
 libselinux/src/label_db.c           |  3 +++
 libselinux/src/label_file.c         |  4 +++-
 libselinux/src/load_policy.c        |  4 +++-
 libselinux/src/selinux_config.c     | 17 +++++++++--------
 libselinux/src/selinux_restorecon.c | 12 ++++++++++--
 6 files changed, 31 insertions(+), 13 deletions(-)

Comments

Nicolas Iooss Jan. 31, 2019, 9:47 p.m. UTC | #1 
On Thu, Jan 31, 2019 at 2:22 PM Petr Lautrbach <plautrba@redhat.com> wrote:
>
> Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
> ---
>  libselinux/src/checkAccess.c        |  4 +++-
>  libselinux/src/label_db.c           |  3 +++
>  libselinux/src/label_file.c         |  4 +++-
>  libselinux/src/load_policy.c        |  4 +++-
>  libselinux/src/selinux_config.c     | 17 +++++++++--------
>  libselinux/src/selinux_restorecon.c | 12 ++++++++++--
>  6 files changed, 31 insertions(+), 13 deletions(-)
>
> diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
> index 8de57477..16bfcfb6 100644
> --- a/libselinux/src/checkAccess.c
> +++ b/libselinux/src/checkAccess.c
> @@ -89,8 +89,10 @@ int selinux_check_passwd_access(access_vector_t requested)
>                 int retval;
>
>                 passwd_class = string_to_security_class("passwd");
> -               if (passwd_class == 0)
> +               if (passwd_class == 0) {
> +                       freecon(user_context);
>                         return 0;
> +               }
>
>                 retval = security_compute_av_raw(user_context,
>                                                      user_context,
> diff --git a/libselinux/src/label_db.c b/libselinux/src/label_db.c
> index c46d0a1d..fa481e04 100644
> --- a/libselinux/src/label_db.c
> +++ b/libselinux/src/label_db.c
> @@ -283,10 +283,12 @@ db_init(const struct selinux_opt *opts, unsigned nopts,
>         }
>         if (fstat(fileno(filp), &sb) < 0) {
>                 free(catalog);
> +    fclose(filp);
>                 return NULL;
>         }
>         if (!S_ISREG(sb.st_mode)) {
>                 free(catalog);
> +    fclose(filp);
>                 errno = EINVAL;
>                 return NULL;
>         }

Please indent with tabs instead of spaces, like the other lines.
All the other changes in this patch look good to me.

Nicolas
diff mbox series

Patch

diff --git a/libselinux/src/checkAccess.c b/libselinux/src/checkAccess.c
index 8de57477..16bfcfb6 100644
--- a/libselinux/src/checkAccess.c
+++ b/libselinux/src/checkAccess.c
@@ -89,8 +89,10 @@  int selinux_check_passwd_access(access_vector_t requested)
 		int retval;
 
 		passwd_class = string_to_security_class("passwd");
-		if (passwd_class == 0)
+		if (passwd_class == 0) {
+			freecon(user_context);
 			return 0;
+		}
 
 		retval = security_compute_av_raw(user_context,
 						     user_context,
diff --git a/libselinux/src/label_db.c b/libselinux/src/label_db.c
index c46d0a1d..fa481e04 100644
--- a/libselinux/src/label_db.c
+++ b/libselinux/src/label_db.c
@@ -283,10 +283,12 @@  db_init(const struct selinux_opt *opts, unsigned nopts,
 	}
 	if (fstat(fileno(filp), &sb) < 0) {
 		free(catalog);
+    fclose(filp);
 		return NULL;
 	}
 	if (!S_ISREG(sb.st_mode)) {
 		free(catalog);
+    fclose(filp);
 		errno = EINVAL;
 		return NULL;
 	}
@@ -340,6 +342,7 @@  out_error:
 		free(spec->lr.ctx_trans);
 	}
 	free(catalog);
+	fclose(filp);
 
 	return NULL;
 }
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index dbf51a93..b81fd552 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -317,8 +317,10 @@  end_arch_check:
 			goto out;
 		}
 		rc = next_entry(str_buf, mmap_area, entry_len);
-		if (rc < 0)
+		if (rc < 0) {
+			free(str_buf);
 			goto out;
+		}
 
 		if (str_buf[entry_len - 1] != '\0') {
 			free(str_buf);
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
index e9f1264a..20052beb 100644
--- a/libselinux/src/load_policy.c
+++ b/libselinux/src/load_policy.c
@@ -262,8 +262,10 @@  checkbool:
 			rc = security_get_boolean_names(&names, &len);
 			if (!rc) {
 				values = malloc(sizeof(int) * len);
-				if (!values)
+				if (!values) {
+					free(names);
 					goto unmap;
+				}
 				for (i = 0; i < len; i++)
 					values[i] =
 						security_get_boolean_active(names[i]);
diff --git a/libselinux/src/selinux_config.c b/libselinux/src/selinux_config.c
index 292728f3..b06cb63b 100644
--- a/libselinux/src/selinux_config.c
+++ b/libselinux/src/selinux_config.c
@@ -177,8 +177,7 @@  static void init_selinux_config(void)
 
 			if (!strncasecmp(buf_p, SELINUXTYPETAG,
 					 sizeof(SELINUXTYPETAG) - 1)) {
-				selinux_policytype = type =
-				    strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
+				type = strdup(buf_p + sizeof(SELINUXTYPETAG) - 1);
 				if (!type)
 					return;
 				end = type + strlen(type) - 1;
@@ -187,6 +186,11 @@  static void init_selinux_config(void)
 					*end = 0;
 					end--;
 				}
+				if (setpolicytype(type) != 0) {
+					free(type);
+					return;
+				}
+				free(type);
 				continue;
 			} else if (!strncmp(buf_p, SETLOCALDEFS,
 					    sizeof(SETLOCALDEFS) - 1)) {
@@ -212,13 +216,10 @@  static void init_selinux_config(void)
 		fclose(fp);
 	}
 
-	if (!type) {
-		selinux_policytype = type = strdup(SELINUXDEFAULT);
-		if (!type)
-			return;
-	}
+	if (!selinux_policytype && setpolicytype(SELINUXDEFAULT) != 0)
+		return;
 
-	if (asprintf(&selinux_policyroot, "%s%s", SELINUXDIR, type) == -1)
+	if (asprintf(&selinux_policyroot, "%s%s", SELINUXDIR, selinux_policytype) == -1)
 		return;
 
 	for (i = 0; i < NEL; i++)
diff --git a/libselinux/src/selinux_restorecon.c b/libselinux/src/selinux_restorecon.c
index 42a48f5a..955732e5 100644
--- a/libselinux/src/selinux_restorecon.c
+++ b/libselinux/src/selinux_restorecon.c
@@ -351,12 +351,19 @@  static int add_xattr_entry(const char *directory, bool delete_nonmatch,
 	new_entry->next = NULL;
 
 	new_entry->directory = strdup(directory);
-	if (!new_entry->directory)
+	if (!new_entry->directory) {
+		free(new_entry);
+		free(sha1_buf);
 		goto oom;
+	}
 
 	new_entry->digest = strdup(sha1_buf);
-	if (!new_entry->digest)
+	if (!new_entry->digest) {
+		free(new_entry->directory);
+		free(new_entry);
+		free(sha1_buf);
 		goto oom;
+	}
 
 	new_entry->result = digest_result;
 
@@ -850,6 +857,7 @@  int selinux_restorecon(const char *pathname_orig,
 
 	if (lstat(pathname, &sb) < 0) {
 		if (flags.ignore_noent && errno == ENOENT) {
+			free(xattr_value);
 			free(pathdnamer);
 			free(pathname);
 			return 0;