From 5d3404acf99ac42cba5182fcbb099930754fc588 Mon Sep 17 00:00:00 2001 From: James Carter <jwcart2@tycho.nsa.gov> Date: Tue, 18 Oct 2016 14:21:59 -0400 Subject: [PATCH] libsepol/cil: Check if identifier is NULL when verifying name Nicolas Iooss found while fuzzing secilc with AFL that the statement "(class C (()))" will cause a segfault. When CIL checks the syntax of the class statement it sees "(())" as a valid permission list, but since "()" is not an identifier a NULL is passed as the string for name verification. A segfault occurs because name verification assumes that the string being checked is non-NULL. Check if identifier is NULL when verifying name. Signed-off-by: James Carter <jwcart2@tycho.nsa.gov> --- libsepol/cil/src/cil_verify.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c index 038f77af57d7..47dcfaa27ca0 100644 --- a/libsepol/cil/src/cil_verify.c +++ b/libsepol/cil/src/cil_verify.c @@ -50,9 +50,15 @@ int __cil_verify_name(const char *name) { int rc = SEPOL_ERR; - int len = strlen(name); + int len; int i = 0; + if (name == NULL) { + cil_log(CIL_ERR, "Name is NULL\n"); + goto exit; + } + + len = strlen(name); if (len >= CIL_MAX_NAME_LENGTH) { cil_log(CIL_ERR, "Name length greater than max name length of %d", CIL_MAX_NAME_LENGTH); -- 2.10.2