authorBrandon Philips <brandon@ifup.org>2009-12-17 16:30:43 -0800
committerBrandon Philips <brandon@ifup.org>2009-12-17 16:30:43 -0800
commit2e8f820c8c5ab0ab9444398cc122e3a63fa4bc3e (patch)
treee4405879bea8ea1894dd0947ee75de65fc30cf5f /libacl
parenta1815d4ad4ffe84e8f7d128a38955e3dab306e0d (diff)
libacl: fix potential null pointer dereference
stanse found that acl_copy_int() dereferences ext_acl when initializing ent_p and then later checks if ext_acl is NULL. Delay initializing ent_p and size until the NULL check has been made on ext_acl. Fix this bug: https://bugzilla.novell.com/show_bug.cgi?id=564733 Signed-off-by: Brandon Philips <bphilips@suse.de>
Diffstat (limited to 'libacl')
-rw-r--r--libacl/acl_copy_int.c9
1 files changed, 5 insertions, 4 deletions
diff --git a/libacl/acl_copy_int.c b/libacl/acl_copy_int.c
index e58bbe3..7bcb0c9 100644
--- a/libacl/acl_copy_int.c
+++ b/libacl/acl_copy_int.c
@@ -27,17 +27,18 @@ acl_t
acl_copy_int(const void *buf_p)
{
const struct __acl *ext_acl = (struct __acl *)buf_p;
- const struct __acl_entry *ent_p = ext_acl->x_entries, *end_p;
- size_t size = ext_acl ? ext_acl->x_size : 0;
+ const struct __acl_entry *ent_p, *end_p;
+ size_t size;
int entries;
acl_obj *acl_obj_p;
acl_entry_obj *entry_obj_p;
- if (!ext_acl || size < sizeof(struct __acl)) {
+ if (!ext_acl || ext_acl->x_size < sizeof(struct __acl)) {
errno = EINVAL;
return NULL;
}
- size -= sizeof(struct __acl);
+ ent_p = ext_acl->x_entries;
+ size = ext_acl->x_size - sizeof(struct __acl);
if (size % sizeof(struct __acl_entry)) {
errno = EINVAL;
return NULL;
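Review bot: `ext_acl->x_size` in the new check and in `size = ext_acl->x_size - sizeof(struct __acl);` is taken from the caller's buffer, and because `acl_copy_int(const void *buf_p)` has no length argument, nothing here can confirm the buffer really holds that many bytes; the hunk only rejects a size that is too small or not a multiple of the entry size. That trust assumption deserves a comment above the check, e.g. `/* x_size is read from the external buffer itself; the caller must guarantee buf_p spans x_size bytes */`. The field is also now read twice where the old code read it once, so assigning `size = ext_acl->x_size;` once after the NULL test and checking `size` would keep the validated and the used value identical. The cast `(struct __acl *)buf_p` drops the const qualifier and could be `(const struct __acl *)buf_p`. The function body continues past the end of the hunk, so how `size` bounds the entry walk is not visible here.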