[4/5] libsepol/cil: do not leak left-hand side of an invalid constraint

Message ID 20170219103058.32429-4-nicolas.iooss@m4x.org (mailing list archive)
State Not Applicable

Commit Message

Nicolas Iooss Feb. 19, 2017, 10:30 a.m. UTC
__cil_fill_constraint_expr() does not destroy the list associated with
the first operand of a two-operand operation when the second operand is
invalid.

This memory leak can be reproduced with the following policy:

    (constrain (files (read))
        (not (or (and (eq t1 exec_t) (%q t2 bin_t)) (eq r1 r2))))

This memory leak has been found by running clang's Address Sanitizer on
a set of policies generated from secilc/test/policy.cil by American
Fuzzy Lop.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
---
 libsepol/cil/src/cil_build_ast.c | 1 +
 1 file changed, 1 insertion(+)

Patch

diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index e4a0539f64ad..d3d663b06512 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -2753,6 +2753,7 @@  static int __cil_fill_constraint_expr(struct cil_tree_node *current, enum cil_fl
 		}
 		rc = __cil_fill_constraint_expr(current->next->next->cl_head, flavor, &rexpr, depth);
 		if (rc != SEPOL_OK) {
+			cil_list_destroy(&lexpr, CIL_TRUE);
 			goto exit;
 		}
 		cil_list_init(expr, flavor);
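Review bot: the added `cil_list_destroy(&lexpr, CIL_TRUE);` before `goto exit` frees the first operand only on this one error path, the failure of the recursive call for `current->next->next->cl_head`; please confirm that the `exit:` label reached here does not also attempt to free `lexpr`, since a second destroy of the same list would be a double free, and consider adding the reproducer policy from the commit message (the `(%q t2 bin_t)` operand) as a negative test under secilc/test so this cleanup stays covered.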