From: Stephen Smalley <sds@tycho.nsa.gov>
To: Nicolas Iooss <nicolas.iooss@m4x.org>, selinux@vger.kernel.org
Subject: Re: [PATCH 1/1] libselinux: ensure strlen() is not called on NULL
Date: Thu, 19 Sep 2019 12:57:16 -0400 [thread overview]
Message-ID: <1800df5d-121c-e275-f3bc-ec71d2b0d3e7@tycho.nsa.gov> (raw)
In-Reply-To: <20190918210450.8692-1-nicolas.iooss@m4x.org>
On 9/18/19 5:04 PM, Nicolas Iooss wrote:
> When compile_regex() calls regex_prepare_data() and this function fails
> in the following condition:
>
> *regex = regex_data_create();
> if (!(*regex))
> return -1;
>
> ... error_data has been zero-ed and compile_regex() calls:
>
> regex_format_error(&error_data,
> regex_error_format_buffer,
> sizeof(regex_error_format_buffer));
>
> This leads to a call to strlen(error_data->error_buffer), where
> error_data->error_buffer is NULL.
>
> Avoid this by checking that error_data->error_buffer is not NULL before
> calling strlen().
It seems like regex_format_error() should just return immediately if
!error_data->error_code (#ifdef USE_PCRE2) or !error_data->error_buffer
(#ifndef USE_PCRE2), since there is no back-end error message to get and
report in that situation.
>
> This issue has been found using clang's static analyzer:
> https://337-118970575-gh.circle-artifacts.com/0/output-scan-build/2019-09-01-181851-6152-1/report-0b122b.html#EndPath
>
> Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
> ---
> libselinux/src/regex.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/libselinux/src/regex.c b/libselinux/src/regex.c
> index a6fcbbfec1f3..f967efe4a32f 100644
> --- a/libselinux/src/regex.c
> +++ b/libselinux/src/regex.c
> @@ -546,7 +546,7 @@ void regex_format_error(struct regex_error_data const *error_data, char *buffer,
> if (rc < 0)
> abort();
>
> - if ((size_t)rc < strlen(error_data->error_buffer))
> + if (error_data->error_buffer && (size_t)rc < strlen(error_data->error_buffer))
> goto truncated;
> #endif
>
>
next prev parent reply other threads:[~2019-09-19 16:57 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-18 21:04 [PATCH 1/1] libselinux: ensure strlen() is not called on NULL Nicolas Iooss
2019-09-19 16:57 ` Stephen Smalley [this message]
2019-09-19 20:51 ` Nicolas Iooss
2019-09-20 12:12 ` Stephen Smalley
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1800df5d-121c-e275-f3bc-ec71d2b0d3e7@tycho.nsa.gov \
--to=sds@tycho.nsa.gov \
--cc=nicolas.iooss@m4x.org \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).