libsemanage/direct_api: INTEGER_OVERFLOW read_len = read()
The following statement is always true if read_len is unsigned:
(read_len = read(fd, data_read + data_read_len, max_len - data_read_len)) > 0

Fixes:
 Error: INTEGER_OVERFLOW (CWE-190): [#def19] [important]
 libsemanage-3.7/src/direct_api.c:598:2: tainted_data_return: Called function "read(fd, data_read + data_read_len, max_len - data_read_len)", and a possible return value may be less than zero.
 libsemanage-3.7/src/direct_api.c:598:2: cast_underflow: An assign of a possibly negative number to an unsigned type, which might trigger an underflow.
 libsemanage-3.7/src/direct_api.c:599:3: overflow: The expression "data_read_len += read_len" is deemed underflowed because at least one of its arguments has underflowed.
 libsemanage-3.7/src/direct_api.c:598:2: overflow: The expression "max_len - data_read_len" is deemed underflowed because at least one of its arguments has underflowed.
 libsemanage-3.7/src/direct_api.c:598:2: overflow_sink: "max_len - data_read_len", which might have underflowed, is passed to "read(fd, data_read + data_read_len, max_len - data_read_len)". [Note: The source code implementation of the function has been overridden by a builtin model.]
 \#  596|   	}
 \#  597|
 \#  598|-> 	while ((read_len = read(fd, data_read + data_read_len, max_len - data_read_len)) > 0) {
 \#  599|   		data_read_len += read_len;
 \#  600|   		if (data_read_len == max_len) {

Signed-off-by: Vit Mojzis <[email protected]>
Acked-by: James Carter <[email protected]>
vmojzis authored and jwcart2 committed Oct 30, 2024
1 parent f18f9e5 commit 9b4eff9
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion libsemanage/src/direct_api.c
Expand Up @@ -582,7 +582,7 @@ static int semanage_direct_update_seuser(semanage_handle_t * sh, cil_db_t *cildb
static int read_from_pipe_to_data(semanage_handle_t *sh, size_t initial_len, int fd, char **out_data_read, size_t *out_read_len)
{
size_t max_len = initial_len;
size_t read_len = 0;
ssize_t read_len = 0;
size_t data_read_len = 0;
char *data_read = NULL;
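Review bot: With read_len now declared as ssize_t, a failing read() (-1) ends the `while (... > 0)` loop quoted in the commit message the same way end-of-file (0) does, so the code after the loop should check `read_len < 0` and return an error instead of handing back partial data as success; that code is outside this hunk, so please confirm it is there. The loop body's `data_read_len += read_len` also now adds a signed value to a size_t. That is safe because the loop guard guarantees read_len is positive, but an explicit `(size_t)read_len` cast would document the intent and keep sign-conversion warnings quiet.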
