blob: 7f286e02e244994b39962a5bc9d95d18aafd0fa2 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
|
From 5d3404acf99ac42cba5182fcbb099930754fc588 Mon Sep 17 00:00:00 2001
From: James Carter <jwcart2@tycho.nsa.gov>
Date: Tue, 18 Oct 2016 14:21:59 -0400
Subject: [PATCH] libsepol/cil: Check if identifier is NULL when verifying name
Nicolas Iooss found while fuzzing secilc with AFL that the statement
"(class C (()))" will cause a segfault.
When CIL checks the syntax of the class statement it sees "(())" as a
valid permission list, but since "()" is not an identifier a NULL is
passed as the string for name verification. A segfault occurs because
name verification assumes that the string being checked is non-NULL.
Check if identifier is NULL when verifying name.
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
---
libsepol/cil/src/cil_verify.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
index 038f77af57d7..47dcfaa27ca0 100644
--- a/libsepol/cil/src/cil_verify.c
+++ b/libsepol/cil/src/cil_verify.c
@@ -50,9 +50,15 @@
int __cil_verify_name(const char *name)
{
int rc = SEPOL_ERR;
- int len = strlen(name);
+ int len;
int i = 0;
+ if (name == NULL) {
+ cil_log(CIL_ERR, "Name is NULL\n");
+ goto exit;
+ }
+
+ len = strlen(name);
if (len >= CIL_MAX_NAME_LENGTH) {
cil_log(CIL_ERR, "Name length greater than max name length of %d",
CIL_MAX_NAME_LENGTH);
--
2.10.2
|
