Nicolas Looss found while fuzzing secilc with AFL that the statement
"(class C (()))" will cause a segfault.

When CIL checks the syntax of the class statement it sees "(())" as a
valid permission list, but since "()" is not an identifier a NULL is
passed as the string for name verification. A segfault occurs because
name verification assumes that the string being checked is non-NULL.

Check if identifier is NULL when verifying name.

Signed-off-by: James Carter <jwca...@tycho.nsa.gov>
---
 libsepol/cil/src/cil_verify.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
index 038f77a..47dcfaa 100644
--- a/libsepol/cil/src/cil_verify.c
+++ b/libsepol/cil/src/cil_verify.c
@@ -50,9 +50,15 @@
 int __cil_verify_name(const char *name)
 {
        int rc = SEPOL_ERR;
-       int len = strlen(name);
+       int len;
        int i = 0;
 
+       if (name == NULL) {
+               cil_log(CIL_ERR, "Name is NULL\n");
+               goto exit;
+       }
+
+       len = strlen(name);
        if (len >= CIL_MAX_NAME_LENGTH) {
                cil_log(CIL_ERR, "Name length greater than max name length of 
%d", 
                        CIL_MAX_NAME_LENGTH);
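Review bot: the `if (name == NULL)` guard fixes the crash in __cil_verify_name but treats the symptom; the commit message says the syntax check accepts "(())" as a permission list and passes a NULL where an identifier is required, so any other caller that does strlen or strcmp on that name is still exposed. Consider also rejecting a nested empty list in the class syntax check so a non-identifier never reaches name verification, and make the log message actionable for the policy author, e.g. `cil_log(CIL_ERR, "Expected an identifier for the name\n");` rather than "Name is NULL". Minor: `int len` stores the size_t returned by strlen; the pre-existing type is kept here, but `size_t len` would avoid the sign conversion.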
-- 
2.7.4

_______________________________________________
Selinux mailing list
Selinux@tycho.nsa.gov