diff mbox series

[v3,4/4] libselinux: limit fcontext regex path length

Message ID 20250314131751.28289-3-cgoettsche@seltendoof.de (mailing list archive)
State New
Headers show
Series [v3,1/4] libselinux: constify global strings | expand

Commit Message

Christian Göttsche March 14, 2025, 1:17 p.m. UTC
From: Christian Göttsche <cgzones@googlemail.com>

Limit the length of regular expression paths in fcontext source
definitions to reduce the worst case regex compilation time for abnormal
inputs.

Reported-by: oss-fuzz (issue 393203212)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
v3: add in-line comment
---
 libselinux/src/label_file.h | 8 ++++++++
 1 file changed, 8 insertions(+)
diff mbox series

Patch

diff --git a/libselinux/src/label_file.h b/libselinux/src/label_file.h
index 470e2385..67db78e5 100644
--- a/libselinux/src/label_file.h
+++ b/libselinux/src/label_file.h
@@ -439,6 +439,14 @@  static inline int compile_regex(struct regex_spec *spec, char *errbuf, size_t er
 	reg_buf = spec->regex_str;
 	/* Anchor the regular expression. */
 	len = strlen(reg_buf);
+	/* Use a sufficient large upper bound for regular expression lengths
+	 * to limit the compilation time on malformed inputs. */
+	if (len >= 4096) {
+		__pthread_mutex_unlock(&spec->regex_lock);
+		snprintf(errbuf, errbuf_size, "regex of length %zu too long", len);
+		errno = EINVAL;
+		return -1;
+	}
 	cp = anchored_regex = malloc(len + 3);
 	if (!anchored_regex) {
 		__pthread_mutex_unlock(&spec->regex_lock);