Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.
For bugs related to Red Hat Enterprise Linux 5 product line. The current stable release is 5.10. For Red Hat Enterprise Linux 6 and above, please visit Red Hat JIRA https://issues.redhat.com/secure/CreateIssue!default.jspa?pid=12332745 to report new issues.

Bug 432462

Summary: small buffer for sprintf in krb5-1.6.1/src/util/support/selinux.c::push_fscreatecon
Product: Red Hat Enterprise Linux 5 Reporter: Masatake YAMATO <yamato>
Component: krb5Assignee: Nalin Dahyabhai <nalin>
Status: CLOSED DUPLICATE QA Contact: Brian Brock <bbrock>
Severity: medium Docs Contact:
Priority: medium    
Version: 5.1CC: jplans
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-04-15 17:23:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
A patch for fixing the reported problem none

Description Masatake YAMATO 2008-02-12 05:22:45 UTC 
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.10) Gecko/20071128 Fedora/2.0.0.10-2.fc7 Firefox/2.0.0.10

Description of problem:
This bug is finding during code reviewing.

In push_fscreatecon function, I found 
3 wrong codes realted to memory handling.

1. genpath buffer passed to sprintf is 1 byte smaller to hold formatted string formated by sprintf. In the sprintf call, '/' is inserted. However genpath is allocated by following code:

  len = strlen(wd) + strlen(pathname) + 1;
  genpath = malloc(len);

+ 1 is good. But it is for '\0' C string terminator.

2. previous, security_context_t type object is not freed in some code path.
   It is freed only if it points NULL.

3. next, security_context_t type object is not freed is one code path.
   Else-clause for freeing it is missed.

See the patch for more detail.

Version-Release number of selected component (if applicable):
krb5-1.6.1-17.el5

How reproducible:
Couldn't Reproduce


Steps to Reproduce:
There is no obvious way to reproduce. Valgrind may help.

1.
2.
3.

Actual Results:
Explained in the Description.

Expected Results:
1. genpath buffer should has enough space to hold formatted string.
2. previous should be freed if it is possible.
3. next should be freed.

Additional info:
See the attached patch.
Comment 1 Masatake YAMATO 2008-02-12 05:24:29 UTC 
Created attachment 294627 [details]
A patch for fixing the reported problem
Comment 2 Nalin Dahyabhai 2008-04-15 17:23:34 UTC 

*** This bug has been marked as a duplicate of 426085 ***