Verify that the final path does not exceed the size of the
buffer before copying.  This can only occur if an alternate
path for the policy root and/or the policy store root has been
specified and if the resulting path would exceed PATH_MAX. A
similar check is already applied by semanage_make_final().

Signed-off-by: Stephen Smalley <[email protected]>
---
 libsemanage/src/semanage_store.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/libsemanage/src/semanage_store.c b/libsemanage/src/semanage_store.c
index bce648c4..f1984c50 100644
--- a/libsemanage/src/semanage_store.c
+++ b/libsemanage/src/semanage_store.c
@@ -1597,7 +1597,12 @@ static int semanage_install_final_tmp(semanage_handle_t 
* sh)
                /* skip genhomedircon if configured */
                if (sh->conf->disable_genhomedircon &&
                    i == SEMANAGE_FC_HOMEDIRS) continue;
-               
+
+               if (strlen(dst) >= sizeof(fn)) {
+                       ERR(sh, "Unable to compose the final paths.");
+                       status = -1;
+                       goto cleanup;
+               }
                strcpy(fn, dst);
                ret = semanage_mkpath(sh, dirname(fn));
                if (ret < 0) {
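Review bot: the ERR() call in the new `strlen(dst) >= sizeof(fn)` branch gives no hint which file's path was too long, and this check sits inside a loop over `i`. Consider including `dst` (or the index) in the message so that an administrator who has set an alternate policy root or store root can see which path exceeded the buffer. Separately, the bound is only correct if `fn` is a char array in this scope rather than a pointer; its declaration is outside the visible context, so please confirm that. If it is an array, replacing the strlen()/strcpy() pair with a single snprintf() into `fn` and a check of its return value would keep the length test and the copy from drifting apart in later edits.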
-- 
2.14.3
