1 commit 2e8f820c8c5ab0ab9444398cc122e3a63fa4bc3e
2 Author: Brandon Philips <brandon@ifup.org>
3 Date: Thu Dec 17 16:30:43 2009 -0800
5 libacl: fix potential null pointer dereference
7 stanse found that acl_copy_int() dereferences ext_acl when initializing
8 ent_p and then later checks if ext_acl is NULL.
10 Delay initializing ent_p and size until the NULL check has been made on
14 https://bugzilla.novell.com/show_bug.cgi?id=564733
16 Signed-off-by: Brandon Philips <bphilips@suse.de>
18 diff --git a/libacl/acl_copy_int.c b/libacl/acl_copy_int.c
19 index e58bbe3..7bcb0c9 100644
20 --- a/libacl/acl_copy_int.c
21 +++ b/libacl/acl_copy_int.c
22 @@ -27,17 +27,18 @@ acl_t
23 acl_copy_int(const void *buf_p)
25 const struct __acl *ext_acl = (struct __acl *)buf_p;
26 - const struct __acl_entry *ent_p = ext_acl->x_entries, *end_p;
27 - size_t size = ext_acl ? ext_acl->x_size : 0;
28 + const struct __acl_entry *ent_p, *end_p;
32 acl_entry_obj *entry_obj_p;
34 - if (!ext_acl || size < sizeof(struct __acl)) {
35 + if (!ext_acl || ext_acl->x_size < sizeof(struct __acl)) {
39 - size -= sizeof(struct __acl);
40 + ent_p = ext_acl->x_entries;
41 + size = ext_acl->x_size - sizeof(struct __acl);
42 if (size % sizeof(struct __acl_entry)) {