setfiles: avoid unsigned integer underflow

While well-defined unsigned integer underflow might signal a logic mistake or processing of unchecked user input. Please Clang's undefined behavior sanitizer: restore.c:91:37: runtime error: unsigned integer overflow: 1 - 2 cannot be represented in type 'unsigned long' Signed-off-by: Christian Göttsche <[email protected]> Acked-by: James Carter <[email protected]>
SELinuxProject · Jan 25, 2024 · fc2e931 · fc2e931
1 parent 454a9f2
commit fc2e931
Showing 1 changed file with 5 additions and 5 deletions.
diff --git a/policycoreutils/setfiles/restore.c b/policycoreutils/setfiles/restore.c
@@ -77,8 +77,8 @@ int process_glob(char *name, struct restore_opts *opts, size_t nthreads,
  long unsigned *skipped_errors)
 {
  glob_t globbuf;
- size_t i = 0;
- int len, rc, errors;
+ size_t i, len;
+ int rc, errors;
 
  memset(&globbuf, 0, sizeof(globbuf));
 
@@ -88,10 +88,10 @@ int process_glob(char *name, struct restore_opts *opts, size_t nthreads,
  return errors;
 
  for (i = 0; i < globbuf.gl_pathc; i++) {
- len = strlen(globbuf.gl_pathv[i]) - 2;
- if (len > 0 && strcmp(&globbuf.gl_pathv[i][len--], "/.") == 0)
+ len = strlen(globbuf.gl_pathv[i]);
+ if (len > 2 && strcmp(&globbuf.gl_pathv[i][len - 2], "/.") == 0)
  continue;
- if (len > 0 && strcmp(&globbuf.gl_pathv[i][len], "/..") == 0)
+ if (len > 3 && strcmp(&globbuf.gl_pathv[i][len - 3], "/..") == 0)
  continue;
  rc = selinux_restorecon_parallel(globbuf.gl_pathv[i],
  opts->restorecon_flags,