From 5d3404acf99ac42cba5182fcbb099930754fc588 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@tycho.nsa.gov>
Date: Tue, 18 Oct 2016 14:21:59 -0400
Subject: [PATCH] libsepol/cil: Check if identifier is NULL when verifying name

Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(class C (()))" will cause a segfault.

When CIL checks the syntax of the class statement it sees "(())" as a
valid permission list, but since "()" is not an identifier a NULL is
passed as the string for name verification. A segfault occurs because
name verification assumes that the string being checked is non-NULL.

Check if identifier is NULL when verifying name.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
 libsepol/cil/src/cil_verify.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
index 038f77af57d7..47dcfaa27ca0 100644
--- a/libsepol/cil/src/cil_verify.c
+++ b/libsepol/cil/src/cil_verify.c
@@ -50,9 +50,15 @@
 int __cil_verify_name(const char *name)
 {
 	int rc = SEPOL_ERR;
-	int len = strlen(name);
+	int len;
 	int i = 0;
 
+	if (name == NULL) {
+		cil_log(CIL_ERR, "Name is NULL\n");
+		goto exit;
+	}
+
+	len = strlen(name);
 	if (len >= CIL_MAX_NAME_LENGTH) {
 		cil_log(CIL_ERR, "Name length greater than max name length of %d", 
 			CIL_MAX_NAME_LENGTH);
-- 
2.10.2