selabel_lookup leaks 2048 bytes per call on CentOS 6.7 under Samba?
Jeremy Allison
jra at samba.org
Thu Feb 18 19:32:34 UTC 2016
On Thu, Feb 18, 2016 at 11:11:37AM -0800, Jeremy Allison wrote:
> On Thu, Feb 18, 2016 at 04:03:01PM +0100, Andreas Schneider wrote:
> > Can we move the discussion to the Red Hat Bugzilla? I've opened
> >
> > https://bugzilla.redhat.com/show_bug.cgi?id=1309730
> >
> > for the issue. This sounds really serious ...
>
> I think I've found the bug. Can't bloody log into
> the redhat bugzilla though as it doesn't like my
> old password :-(. I'll update once it's allowed
> me to set a new one.
Here is the patch. If the init() function inside
libselinux-2.0.94/src/label_file.c fails, it doesn't
properly clean up the half-constructed regexp
regex_t contexts (or any of the other allocated
blobs).
This should compile, but (obviously) hasn't
yet been tested. Andreas, if you can add this
to the bug report (still haven't gotten my
password reset link yet :-( ) under my name
(and maybe even test it :-) I'd appreciate it!
Richard, if you can try this fix it might confirm
the memory leak is fixed. Not promising though,
the libselinux-2.0.94/src/ code is *really*
overly complex shitty C code - the kind Samba moved
away from 15+ years ago. Just waiting for an exploitable
error IMHO. Not impressed.
Jeremy.
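As an added illustration (not code from this post or from libselinux), here is a hypothetical, heavily simplified model of the failure mode described above: an init() that compiles a table of regex_t entries and, on any failure part-way through, hands the half-built table to closef() instead of returning with it still allocated. The struct, field and function names echo the patch but are assumptions for this sketch only.

```c
#include <regex.h>
#include <stdlib.h>
/* Hypothetical minimal model of the spec table; names are assumed, not libselinux's. */
struct spec { regex_t regex; int regcomp_ok; };
struct saved_data { struct spec *spec_arr; unsigned nspec; };
struct handle { struct saved_data *data; };

/* regfree() every compiled entry, then free the table and the data block itself. */
static void closef(struct handle *rec)
{
    struct saved_data *data = rec->data;
    if (!data) return;
    for (unsigned i = 0; i < data->nspec; i++)
        if (data->spec_arr[i].regcomp_ok)
            regfree(&data->spec_arr[i].regex);
    free(data->spec_arr);
    free(data);
    rec->data = NULL;
}
/* Compile each pattern; on any failure tear down the half-built table. */
static int init(struct handle *rec, const char **patterns, unsigned n)
{
    int status = -1;
    struct saved_data *data = calloc(1, sizeof(*data));
    if (!data) return -1;
    rec->data = data;
    data->spec_arr = calloc(n, sizeof(*data->spec_arr));
    if (!data->spec_arr) goto finish;
    for (unsigned i = 0; i < n; i++) {
        struct spec *s = &data->spec_arr[i];
        /* a bad pattern here is the case that used to leak the earlier regex_t's */
        if (regcomp(&s->regex, patterns[i], REG_EXTENDED | REG_NOSUB) != 0) goto finish;
        s->regcomp_ok = 1;
        data->nspec = i + 1;   /* counted only once it owns a compiled regex */
    }
    status = 0;
finish:
    if (status != 0)
        closef(rec);   /* the fix: never return with rec->data half-built */
    return status;
}
/* Index of the first spec matching path, or -1 (the selabel_lookup() analogue). */
static int lookup(const struct handle *rec, const char *path)
{
    for (unsigned i = 0; rec->data && i < rec->data->nspec; i++)
        if (regexec(&rec->data->spec_arr[i].regex, path, 0, NULL, 0) == 0)
            return (int)i;
    return -1;
}
```

Running the failing case under valgrind or ASan shows no leak because the compiled entries before the bad pattern are released by closef(); with the `closef(rec)` line removed, each regex_t compiled before the failure is reported as lost.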
-------------- next part --------------
--- src/label_file.c.orig 2016-02-18 11:02:57.474680166 -0800
+++ src/label_file.c 2016-02-18 11:30:36.831055661 -0800
@@ -395,6 +395,8 @@
return 0;
}
+static void closef(struct selabel_handle *rec);
+
static int init(struct selabel_handle *rec, struct selinux_opt *opts,
unsigned n)
{
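Review bot: the added forward declaration of closef() exists only because closef() is defined below init(); a one-line comment saying it is there for the error path in init(), or moving closef() above init() so the prototype goes away, would make that dependency obvious to the next reader.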
@@ -536,12 +538,18 @@
status = 0;
finish:
fclose(fp);
- if (data->spec_arr != spec_copy)
- free(data->spec_arr);
if (homedirfp)
fclose(homedirfp);
if (localfp)
fclose(localfp);
+ if (status != 0) {
+ /*
+ * Don't leave a half-constructed
+ * rec->data pointer on error.
+ */
+ closef(rec);
+ rec->data = NULL;
+ }
return status;
}
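Review bot: dropping `if (data->spec_arr != spec_copy) free(data->spec_arr);` is correct only if closef() itself frees data->spec_arr along with the per-entry regex_t contexts and strings; if it does, that old branch was the leak (it released the array but not the compiled regexes inside it), and the new `closef(rec); rec->data = NULL;` block covers it. Two things to confirm before merging: closef() must tolerate a partially filled table (regfree() only entries that actually compiled, and cope with a NULL spec_arr if an early allocation failed), and any `return` in init() that does not reach the `finish:` label will still leave rec->data allocated, so those paths need the same cleanup or should be routed through `finish:`.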