From 161ad7deb00e31cb47fdc29f2e795690ffa66be4 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Mon, 13 Oct 2014 13:41:06 +0200
Subject: [PATCH] selinux: fix potential double free crash in child process
Before returning from function we should reset ret to NULL, thus cleanup
function is nop.
Also context_str() returns pointer to a string containing context but not a
copy, hence we must copy it explicitly.
Related: #1113790
---
 src/shared/label.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/src/shared/label.c b/src/shared/label.c
84b277
index 8f7dfb4..52aea4f 100644
84b277
--- a/src/shared/label.c
84b277
+++ b/src/shared/label.c
84b277
@@ -270,7 +270,8 @@ int label_get_child_mls_label(int socket_fd, const char *exe, char **label) {
84b277
         }
84b277
 
84b277
         freecon(mycon);
84b277
-        mycon = context_str(bcon);
84b277
+        mycon = NULL;
84b277
+        mycon = strdup(context_str(bcon));
84b277
         if (!mycon) {
84b277
                 r = -errno;
84b277
                 goto out;
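Review bot: `strdup(context_str(bcon))` passes the result of context_str() straight to strdup(), and context_str() can return NULL when it fails to build the string, in which case the call has undefined behaviour before the `if (!mycon)` check is reached. Check the intermediate pointer first, e.g. `const char *s = context_str(bcon);` followed by `mycon = s ? strdup(s) : NULL;`. The added `mycon = NULL;` is overwritten on the very next line, so it has no effect as written; it would only matter if some path could jump to `out` between the freecon() and the reassignment. The function body begins and ends outside this hunk, so how `mycon` is released at `out` is not visible here.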
84b277
@@ -284,8 +285,8 @@ int label_get_child_mls_label(int socket_fd, const char *exe, char **label) {
84b277
         }
84b277
 
84b277
         *label = ret;
84b277
+        ret = NULL;
84b277
         r = 0;
84b277
-
84b277
 out:
84b277
         if (r < 0 && security_getenforce() == 1)
84b277
                 return r;
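Review bot: The new `ret = NULL;` after `*label = ret;` is an ownership hand-off that the code does not explain; a one-line comment such as `/* caller owns the label now; clear ret so the cleanup handler does not free it */` would keep a later edit from removing it and reintroducing the double free. The declaration of `ret` and its cleanup attribute are outside the hunk, so this reading rests on the commit message. Separately, the context line `if (r < 0 && security_getenforce() == 1)` only returns the error when enforcement is confirmed, so a failing security_getenforce() appears to be handled like permissive mode; the code after it is not shown, so confirm that is intended.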