selinux: free str on error in str_read()

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

In [see "Fixes:"] I missed the fact that str_read() may give back an
allocated pointer even if it returns an error, causing a potential
memory leak in filename_trans_read_one(). Fix this by making the
function free the allocated string whenever it returns a non-zero value,
which also makes its behavior more obvious and prevents repeating the
same mistake in the future.

Reported-by: coverity-bot <keescook+coverity-bot@chromium.org>
Addresses-Coverity-ID: 1461665 ("Resource leaks")
Fixes: c3a276111ea2 ("selinux: optimize storage of filename transitions")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Paul Moore <paul@paul-moore.com>

authored by

Ondrej Mosnacek and committed by

Paul Moore 6 years ago af15f14c c753924b

+4 -4

1 changed file

expand all

security

selinux

policydb.c

+4 -4

security/selinux/ss/policydb.c

··· 1035 1035 if (!str) 1036 1036 return -ENOMEM; 1037 1037 1038 - /* it's expected the caller should free the str */ 1039 - *strp = str; 1040 - 1041 1038 rc = next_entry(str, fp, len); 1042 - if (rc) 1039 + if (rc) { 1040 + kfree(str); 1043 1041 return rc; 1042 + } 1044 1043 1045 1044 str[len] = '\0'; 1045 + *strp = str; 1046 1046 return 0; 1047 1047 } 1048 1048