Red Hat Bugzilla – Bug 432462
small buffer for sprintf in krb5-1.6.1/src/util/support/selinux.c::push_fscreatecon
Last modified: 2008-04-15 13:23:34 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:220.127.116.11) Gecko/20071128 Fedora/18.104.22.168-2.fc7 Firefox/22.214.171.124
Description of problem:
This bug was found during code review.
In the push_fscreatecon function, I found
3 pieces of wrong code related to memory handling.
1. The genpath buffer passed to sprintf is 1 byte too small to hold the formatted string produced by sprintf. In the sprintf call, a '/' is inserted. However, genpath is allocated by the following code:
len = strlen(wd) + strlen(pathname) + 1;
genpath = malloc(len);
The + 1 is good, but it is for the '\0' C string terminator.
2. previous, a security_context_t type object, is not freed in some code paths.
It is freed only if it points to NULL.
3. next, a security_context_t type object, is not freed in one code path.
The else-clause for freeing it is missing.
See the patch for more detail.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
There is no obvious way to reproduce. Valgrind may help.
Explained in the Description.
1. The genpath buffer should have enough space to hold the formatted string.
2. previous should be freed if possible.
3. next should be freed.
See the attached patch.
Created attachment 294627
A patch for fixing the reported problem
*** This bug has been marked as a duplicate of 426085 ***
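The length problem in item 1 of the report, as an added example that is not part of the bug report, its patch, or the krb5 source: it measures how far the reported allocation falls short and shows a bounded join that fails closed. The "%s/%s" format, the function names and the sample paths are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size from the report: both strings plus the '\0', no room for the '/'. */
static size_t reported_len(const char *wd, const char *pathname)
{
    return strlen(wd) + strlen(pathname) + 1;
}

/* Bytes beyond a buffer of `cap` bytes that "wd/pathname" would need. */
static long shortfall(const char *wd, const char *pathname, size_t cap)
{
    int n = snprintf(NULL, 0, "%s/%s", wd, pathname); /* measure only */
    return n < 0 ? -1 : (long)n + 1 - (long)cap;
}

/*
 * Hypothetical helper (not krb5 code): join wd and pathname with a '/'.
 * The write is bounded by the allocation and the result is checked, so a
 * wrong size yields NULL instead of a heap overflow. Caller frees.
 */
static char *join_path(const char *wd, const char *pathname)
{
    size_t len = strlen(wd) + 1 + strlen(pathname) + 1; /* '/' and '\0' */
    char *genpath = malloc(len);
    int n;

    if (genpath == NULL)
        return NULL;
    n = snprintf(genpath, len, "%s/%s", wd, pathname);
    if (n < 0 || (size_t)n >= len) {
        free(genpath);
        return NULL;
    }
    return genpath;
}

int main(void)
{
    const char *wd = "/var/kerberos";           /* constructed sample */
    const char *pathname = "krb5kdc/principal"; /* constructed sample */
    char *p = join_path(wd, pathname);

    printf("reported=%zu shortfall=%ld path=%s\n", reported_len(wd, pathname),
           shortfall(wd, pathname, reported_len(wd, pathname)), p ? p : "(null)");
    free(p);
    return 0;
}
```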