apparmor: add missing id bounds check on dfa verification

Signed-off-by: John Johansen <john.johansen@canonical.com>

apparmor: add missing id bounds check on dfa verification
Signed-off-by: John Johansen <john.johansen@canonical.com>
15756178 · John Johansen · ff118479 · 15756178 · 15756178
Commit 15756178 authored Jun 02, 2016 by John Johansen
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 0 deletions

security/apparmor/include/match.h security/apparmor/include/match.h +1 -0

security/apparmor/match.c security/apparmor/match.c +2 -0

No files found.
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -62,6 +62,7 @@ struct table_set_header {
 #define YYTD_ID_ACCEPT2 6
 #define YYTD_ID_NXT	7
 #define YYTD_ID_TSIZE	8
+#define YYTD_ID_MAX	8

 #define YYTD_DATA8	1
 #define YYTD_DATA16	2

--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -47,6 +47,8 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
 	 * it every time we use td_id as an index
 	 */
 	th.td_id = be16_to_cpu(*(u16 *) (blob)) - 1;
+	if (th.td_id > YYTD_ID_MAX)
+		goto out;
 	th.td_flags = be16_to_cpu(*(u16 *) (blob + 2));
 	th.td_lolen = be32_to_cpu(*(u32 *) (blob + 8));
 	blob += sizeof(struct table_header);