SELinux: null-terminate context string in selinux_xfrm_sec_ctx_alloc

xfrm_audit_log() expects the context string to be null-terminated which currently doesn't happen with user-supplied contexts. Signed-off-by: N Venkat Yekkirala <vyekkirala@TrustedCS.com> Acked-by: N Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: N James Morris <jmorris@namei.org>

SELinux: null-terminate context string in selinux_xfrm_sec_ctx_alloc
xfrm_audit_log() expects the context string to be null-terminated which currently doesn't happen with user-supplied contexts. Signed-off-by: N Venkat Yekkirala <vyekkirala@TrustedCS.com> Acked-by: N Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: N James Morris <jmorris@namei.org>
910949a6 · Venkat Yekkirala · James Morris · 0de085bb · 910949a6
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

security/selinux/xfrm.c security/selinux/xfrm.c +2 -1

未找到文件。
--- a/security/selinux/xfrm.c
+++ b/security/selinux/xfrm.c
@@ -216,7 +216,7 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
 		return -ENOMEM;

 	*ctxp = ctx = kmalloc(sizeof(*ctx) +
-			      uctx->ctx_len,
+			      uctx->ctx_len + 1,
 			      GFP_KERNEL);

 	if (!ctx)
@@ -229,6 +229,7 @@ static int selinux_xfrm_sec_ctx_alloc(struct xfrm_sec_ctx **ctxp,
 	memcpy(ctx->ctx_str,
 	       uctx+1,
 	       ctx->ctx_len);
+	ctx->ctx_str[ctx->ctx_len] = 0;
 	rc = security_context_to_sid(ctx->ctx_str,
 				     ctx->ctx_len,
 				     &ctx->ctx_sid);