libsepol: free memory when realloc() fails

fishilico · fishilico · commit 89dab4675dc7 · 2020-11-12T21:24:06.000+01:00
In get_class_info(), if realloc(class_buf, new_class_buf_len) fails to grow the memory, the function returns NULL without freeing class_buf. This leads to a memory leak which is reported by clang's static analyzer: https://580-118970575-gh.circle-artifacts.com/0/output-scan-build/2020-11-11-194150-6152-1/report-42a899.html#EndPath Fix the memory leak by calling free(class_buf). While at it, use size_t insted of int to store the size of the buffer which is growing. Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
diff --git a/libsepol/src/services.c b/libsepol/src/services.c
@@ -312,33 +312,36 @@ static char *get_class_info(sepol_security_class_t tclass,
 	else
 		state_num = mls + 2;
 
-	int class_buf_len = 0;
-	int new_class_buf_len;
-	int len, buf_used;
+	size_t class_buf_len = 0;
+	size_t new_class_buf_len;
+	size_t buf_used;
+	int len;
 	char *class_buf = NULL, *p;
 	char *new_class_buf = NULL;
 
 	while (1) {
 		new_class_buf_len = class_buf_len + EXPR_BUF_SIZE;
 		new_class_buf = realloc(class_buf, new_class_buf_len);
-			if (!new_class_buf)
-				return NULL;
+		if (!new_class_buf) {
+			free(class_buf);
+			return NULL;
+		}
 		class_buf_len = new_class_buf_len;
 		class_buf = new_class_buf;
 		buf_used = 0;
 		p = class_buf;
 
 		/* Add statement type */
 		len = snprintf(p, class_buf_len - buf_used, "%s", statements[state_num]);
-		if (len < 0 || len >= class_buf_len - buf_used)
+		if (len < 0 || (size_t)len >= class_buf_len - buf_used)
 			continue;
 
 		/* Add class entry */
 		p += len;
 		buf_used += len;
 		len = snprintf(p, class_buf_len - buf_used, "%s ",
 				policydb->p_class_val_to_name[tclass - 1]);
-		if (len < 0 || len >= class_buf_len - buf_used)
+		if (len < 0 || (size_t)len >= class_buf_len - buf_used)
 			continue;
 
 		/* Add permission entries (validatetrans does not have perms) */
@@ -351,7 +354,7 @@ static char *get_class_info(sepol_security_class_t tclass,
 		} else {
 			len = snprintf(p, class_buf_len - buf_used, "(");
 		}
-		if (len < 0 || len >= class_buf_len - buf_used)
+		if (len < 0 || (size_t)len >= class_buf_len - buf_used)
 			continue;
 		break;
 	}
