[apparmor] [PATCH 1/7] libapparmor: Safeguard aa_getpeercon buffer reallocation
Tyler Hicks
tyhicks at canonical.com
Sun Jun 23 23:23:13 UTC 2013
From: John Johansen <john.johansen at canonical.com>
Protect against bugs in AppArmor's getsockopt() LSM hook from sending
aa_getpeercon() into an infinite loop.
Signed-off-by: John Johansen <john.johansen at canonical.com>
---
libraries/libapparmor/src/kernel_interface.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/libraries/libapparmor/src/kernel_interface.c b/libraries/libapparmor/src/kernel_interface.c
index 8252b88..1c3b4df 100644
--- a/libraries/libapparmor/src/kernel_interface.c
+++ b/libraries/libapparmor/src/kernel_interface.c
@@ -599,7 +599,7 @@ out:
*/
int aa_getpeercon(int fd, char **con)
{
- int rc, size = INITIAL_GUESS_SIZE;
+ int rc, last_size, size = INITIAL_GUESS_SIZE;
char *buffer = NULL;
if (!con) {
@@ -608,13 +608,15 @@ int aa_getpeercon(int fd, char **con)
}
do {
+ last_size = size;
buffer = realloc(buffer, size);
if (!buffer)
return -1;
memset(buffer, 0, size);
rc = aa_getpeercon_raw(fd, buffer, &size);
- } while (rc == -1 && errno == ERANGE);
+ /* size should contain actual size needed if errno == ERANGE */
+ } while (rc == -1 && errno == ERANGE && size > last_size);
if (rc == -1) {
free(buffer);
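Review bot: The new `size > last_size` test in the loop condition only ends the loop when the reported size stops growing. A hook that keeps failing with ERANGE and reports a larger size each time still iterates until `realloc()` fails, so the loop also needs an upper bound on `size` (or on the number of retries). When that failure does happen on a retry, `buffer = realloc(buffer, size);` has already overwritten the only pointer to the previous allocation, which then leaks on the `return -1` path. Assigning the result to a temporary and freeing the old buffer on failure would close that. It would also help to extend the added comment to say that when the guard trips the function falls through to the `rc == -1` branch with errno still ERANGE, so callers know that value can now reach them.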
--
1.8.1.2