[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[PATCH 2/6] libsepol: conditional.c resource leaks
This patch fixes a few bugs found by Coverity:
in cond_node_find:
1. new_node was memset before the check for (!new_node).
2. new_node was not freed on an error path.
in cond_copy_expr:
3. on memory failure, NULL was returned without freeing
the list built thus far.
thanks,
-serge
Index: src/conditional.c
===================================================================
--- src.orig/conditional.c
+++ src/conditional.c
@@ -144,13 +144,15 @@ cond_node_t *cond_node_find(policydb_t *
}
*was_created = 1;
new_node = (cond_node_t *)malloc(sizeof (cond_node_t));
- memset(new_node, 0, sizeof(cond_node_t));
if (!new_node) {
return NULL;
}
+ memset(new_node, 0, sizeof(cond_node_t));
new_node->expr = cond_copy_expr(needle->expr);
- if (!new_node->expr)
+ if (!new_node->expr) {
+ free(new_node);
return NULL;
+ }
new_node->cur_state = cond_evaluate_expr(p, new_node->expr);
new_node->nbools = needle->nbools;
for (i = 0; i < needle->nbools; i++)
@@ -247,7 +249,7 @@ cond_expr_t *cond_copy_expr(cond_expr_t
while (cur) {
new_expr = (cond_expr_t*)malloc(sizeof(cond_expr_t));
if (!new_expr)
- return NULL;
+ goto free_head;
memset(new_expr, 0, sizeof(cond_expr_t));
new_expr->expr_type = cur->expr_type;
@@ -261,6 +263,14 @@ cond_expr_t *cond_copy_expr(cond_expr_t
cur = cur->next;
}
return head;
+
+free_head:
+ while (head) {
+ tail = head->next;
+ free(head);
+ head = tail;
+ }
+ return NULL;
}
/*
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.
This mailing list archive is a service of Copilot Consulting.