From cd13a40667a2e23ecc699b42d6b775dcacde91b4 Mon Sep 17 00:00:00 2001 From: "Enrico Weigelt, metux IT consult" Date: Tue, 6 May 2025 19:14:57 +0200 Subject: [PATCH] Xext: selinux: fix possible NULL dereference MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit > ../Xext/xselinux_ext.c: In function ‘SELinuxSendItemsToClient’: > ../Xext/xselinux_ext.c:358:18: warning: dereference of possibly-NULL ‘buf’ [CWE-690] [-Wanalyzer-possible-null-dereference] > 358 | buf[pos] = items[k].id; > | ~~~~~~~~~^~~~~~~~~~~~~ > ../Xext/xselinux_ext.c: In function ‘SELinuxFreeItems’: > ../Xext/xselinux_ext.c:335:9: warning: dereference of possibly-NULL ‘items’ [CWE-690] [-Wanalyzer-possible-null-dereference] > 335 | freecon(items[k].octx); > | ^~~~~~~~~~~~~~~~~~~~~~ > ../Xext/xselinux_ext.c: In function ‘SELinuxPopulateItem’: > ../Xext/xselinux_ext.c:321:11: warning: dereference of possibly-NULL ‘i’ [CWE-690] [-Wanalyzer-possible-null-dereference] > 321 | i->id = id; > | ~~~~~~^~~~ Signed-off-by: Enrico Weigelt, metux IT consult --- Xext/xselinux_ext.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/Xext/xselinux_ext.c b/Xext/xselinux_ext.c index dd5ace348..faf401634 100644 --- a/Xext/xselinux_ext.c +++ b/Xext/xselinux_ext.c @@ -313,6 +313,8 @@ SELinuxPopulateItem(SELinuxListItemRec * i, PrivateRec ** privPtr, CARD32 id, SELinuxObjectRec *obj = dixLookupPrivate(privPtr, objectKey); SELinuxObjectRec *data = dixLookupPrivate(privPtr, dataKey); + if (!i) + return BadValue; if (avc_sid_to_context_raw(obj->sid, &i->octx) < 0) return BadValue; if (avc_sid_to_context_raw(data->sid, &i->dctx) < 0) @@ -331,6 +333,9 @@ SELinuxFreeItems(SELinuxListItemRec * items, int count) { int k; + if (!items) + return; + for (k = 0; k < count; k++) { freecon(items[k].octx); freecon(items[k].dctx); @@ -348,6 +353,9 @@ SELinuxSendItemsToClient(ClientPtr client, SELinuxListItemRec * items, goto out; } + if (!buf) // silence analyzer warning + goto sendreply; + /* Fill in the buffer */ for (k = 0; k < count; k++) { buf[pos] = items[k].id; @@ -371,6 +379,7 @@ SELinuxSendItemsToClient(ClientPtr client, SELinuxListItemRec * items, pos += items[k].dctx_len; } +sendreply: ; /* Send reply to client */ SELinuxListItemsReply rep = { .type = X_Reply,