selinux: fix potential double free crash in child process

Before returning from function we should reset ret to NULL, thus cleanup
function is nop.

Also context_str() returns pointer to a string containing context but not a
copy, hence we must make copy it explicitly.

diff --git a/src/shared/label.c b/src/shared/label.c
index b6af38d82d39a0940c6133c4ca886d7384c59cdb..69d4616183b3bf4dcdb04e5bfde8a137384bd35f 100644 (file)
--- a/src/shared/label.c
+++ b/src/shared/label.c
@@ -334,7 +334,7 @@ int label_get_child_mls_label(int socket_fd, const char *exe, char **label) {
         }
 
         freecon(mycon);
         }
 
         freecon(mycon);

-        mycon = context_str(bcon);
+        mycon = strdup(context_str(bcon));

         if (!mycon) {
                 r = -errno;
                 goto out;
         if (!mycon) {
                 r = -errno;
                 goto out;


@@ -348,6 +348,7 @@ int label_get_child_mls_label(int socket_fd, const char *exe, char **label) {
         }
 
         *label = ret;
         }
 
         *label = ret;

+        ret = NULL;

         r = 0;
 
 out:
         r = 0;
 
 out: