When common_to_cil() or class_to_cil() fails to allocate an array to map
a permissions hashtable (for example when permissions.nprim is too big),
class_perm_to_array() gets called on a NULL pointer. Fix this.

This issue has been found while fuzzing hll/pp with the American Fuzzy
Lop.

Signed-off-by: Nicolas Iooss <nicolas.io...@m4x.org>
---
 libsepol/src/module_to_cil.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 7d8eb204d2fd..e2bc4b2e6bec 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -1662,6 +1662,9 @@ static int common_to_cil(char *key, void *data, void 
*UNUSED(arg))
 
        arr.count = 0;
        arr.perms = calloc(common->permissions.nprim, sizeof(*arr.perms));
+       if (arr.perms == NULL) {
+               goto exit;
+       }
        rc = hashtab_map(common->permissions.table, class_perm_to_array, &arr);
        if (rc != 0) {
                goto exit;
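Review bot: The new `goto exit` in common_to_cil() leaves `rc` at whatever value it held before the calloc(), and the hunk does not show that value; if it can be 0 at that point, an allocation failure is reported to the caller as success. Setting it explicitly, `rc = -1;` before `goto exit;`, makes the failure path independent of the initialiser, and an out-of-memory log line would help whoever triages a rejected module. The same applies to the identical check added in class_to_cil(). Both function bodies start and end outside the hunks, so the initial value of `rc` and the `exit:` label need to be checked there.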
@@ -1952,6 +1955,9 @@ static int class_to_cil(int indent, struct policydb *pdb, 
struct avrule_block *U
 
        arr.count = 0;
        arr.perms = calloc(class->permissions.nprim, sizeof(*arr.perms));
+       if (arr.perms == NULL) {
+               goto exit;
+       }
        rc = hashtab_map(class->permissions.table, class_perm_to_array, &arr);
        if (rc != 0) {
                goto exit;
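Review bot: The array is sized from `class->permissions.nprim` but filled by walking `class->permissions.table`, and nothing in this hunk ties the two together. class_perm_to_array() is not visible here; if it stores entries without checking against the allocated count, a module whose table holds more entries than `nprim` declares would write past `arr.perms`. Since the commit message says this path was reached by fuzzing module input, a guard such as `if (class->permissions.table->nel > class->permissions.nprim) goto exit;` before the hashtab_map() call, or a bound inside the callback, is worth adding. The same pattern appears in the common_to_cil() hunk.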
-- 
2.12.2
