Bug 432462 - small buffer for sprintf in krb5-1.6.1/src/util/support/selinux.c::push_fscreatecon
Status: CLOSED DUPLICATE of bug 426085
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: krb5
All Linux
medium Severity medium
: rc
: ---
Assigned To: Nalin Dahyabhai
Brian Brock
Reported: 2008-02-12 00:22 EST by Masatake YAMATO
Modified: 2008-04-15 13:23 EDT

Doc Type: Bug Fix
Last Closed: 2008-04-15 13:23:34 EDT

Attachments
A patch for fixing the reported problem (762 bytes, patch)
2008-02-12 00:24 EST, Masatake YAMATO

Description Masatake YAMATO 2008-02-12 00:22:45 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20071128 Fedora/ Firefox/

Description of problem:
This bug was found during code review.

In the push_fscreatecon function, I found
3 pieces of wrong code related to memory handling.

1. The genpath buffer passed to sprintf is 1 byte too small to hold the string formatted by sprintf. In the sprintf call, '/' is inserted. However, genpath is allocated by the following code:

  len = strlen(wd) + strlen(pathname) + 1;
  genpath = malloc(len);

+ 1 is good, but it is for the '\0' C string terminator.

2. previous, a security_context_t type object, is not freed in some code path.
   It is freed only if it points to NULL.

3. next, a security_context_t type object, is not freed in one code path.
   The else-clause for freeing it is missing.

See the patch for more detail.

Version-Release number of selected component (if applicable):

How reproducible:
Couldn't Reproduce

Steps to Reproduce:
There is no obvious way to reproduce. Valgrind may help.


Actual Results:
Explained in the Description.

Expected Results:
1. The genpath buffer should have enough space to hold the formatted string.
2. previous should be freed if it is possible.
3. next should be freed.

Additional info:
See the attached patch.
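
The following is an added example, not part of the original report and not the krb5 code or the attached patch. It illustrates item 1 by comparing the quoted length calculation with the size the formatted string really needs, next to a bounded join. The function names reported_len, required_len and join_path are hypothetical, the "%s/%s" format is assumed from the report's statement that '/' is inserted, and the sample paths are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Size computed as quoted in the report: no byte for the '/' separator. */
static size_t reported_len(const char *wd, const char *pathname)
{
    return strlen(wd) + strlen(pathname) + 1;
}

/* Bytes "%s/%s" actually needs, including the terminating '\0'. */
static size_t required_len(const char *wd, const char *pathname)
{
    int n = snprintf(NULL, 0, "%s/%s", wd, pathname);
    return n < 0 ? 0 : (size_t)n + 1;
}

/* Bounded join: size derived from the same format string, write checked. */
static char *join_path(const char *wd, const char *pathname)
{
    size_t len = required_len(wd, pathname);
    char *genpath;

    if (len == 0 || (genpath = malloc(len)) == NULL)
        return NULL;
    if (snprintf(genpath, len, "%s/%s", wd, pathname) != (int)(len - 1)) {
        free(genpath);          /* truncated or failed: do not return it */
        return NULL;
    }
    return genpath;             /* caller frees */
}

int main(void)
{
    const char *wd = "/var/kerberos";           /* constructed sample input */
    const char *pathname = "krb5kdc/principal"; /* constructed sample input */
    char *p = join_path(wd, pathname);

    printf("reported=%zu required=%zu\n",
           reported_len(wd, pathname), required_len(wd, pathname));
    if (p != NULL) {
        printf("%s\n", p);
        free(p);
    }
    return 0;
}
```

The one-byte gap between the two sizes is the write past the end of genpath that the report describes; Valgrind or AddressSanitizer would flag it on the unbounded sprintf.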
Comment 1 Masatake YAMATO 2008-02-12 00:24:29 EST
Created attachment 294627
A patch for fixing the reported problem
Comment 2 Nalin Dahyabhai 2008-04-15 13:23:34 EDT

*** This bug has been marked as a duplicate of 426085 ***
