[PATCH 1/6] libsepol: range_trans_clone memory leak

[serue@xxxxxxxxxx]

This next patchset addresses about the next third of real bugs
(I hope).  Will try to finish libsepol by the end of the week.

This patch fixes a memory leak found by Coverity:

	If an mls_level_clone() failed in range_trans_clone(), then
	the new_range being built was not freed.

thanks,
-serge

Index: src/expand.c
===================================================================
--- src.orig/expand.c
+++ src/expand.c
@@ -1361,17 +1361,18 @@ static int genfs_copy(expand_state_t *st
 
 static int range_trans_clone(expand_state_t *state)
 {
-        range_trans_t *range = state->base->range_tr, *last_new_range = NULL;
+        range_trans_t *range = state->base->range_tr, *last_new_range = NULL,
+				*new_range = NULL;
         state->out->range_tr = NULL;
 
         if (state->verbose)
                 printf("copying range transitions\n");
 
         while (range != NULL) {
-                range_trans_t *new_range;
                 if ((new_range = malloc(sizeof(*new_range))) == NULL) {
                         goto out_of_mem;
                 }
+		memset(new_range, 0, sizeof(*new_range));
                 new_range->dom = state->typemap[range->dom-1];
                 new_range->type = state->typemap[range->type-1];
                 if (mls_level_clone(&new_range->range.level[0], &range->range.level[0]) == -1 ||
@@ -1392,6 +1393,11 @@ static int range_trans_clone(expand_stat
 
  out_of_mem:
         write_error(state, "Out of memory!");
+	if(new_range) {
+		ebitmap_destroy(&new_range->range.level[0].cat);
+		ebitmap_destroy(&new_range->range.level[1].cat);
+		free(new_range);
+	}
         return -1;
 }
 

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.