libsepol/cil: bail out on snprintf failure

Do not continue with a negative return value once a string append operation fails to avoid increasing the buffer length variable `str_len`, potentially leading to an out-of-bounds write. Found by GitHub CodeQL. Signed-off-by: Christian Göttsche <[email protected]>
bachradsusi · Jan 5, 2022 · b2ba721 · b2ba721
1 parent 5e6e516
commit b2ba721
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
@@ -1456,6 +1456,12 @@ int cil_userprefixes_to_string(struct cil_db *db, char **out, size_t *size)
 
 		buf_pos = snprintf(str_tmp, str_len, "user %s prefix %s;\n", user->datum.fqn,
 									userprefix->prefix_str);
+		if (buf_pos < 0) {
+			free(str_tmp);
+			*size = 0;
+			*out = NULL;
+			goto exit;
+		}
 		str_len -= buf_pos;
 		str_tmp += buf_pos;
 	}