Commit c27c6bd2 authored by John Johansen's avatar John Johansen

apparmor: ensure that dfa state tables have entries

Currently it is possible to specify a state machine table with 0 length,
this is not valid as optional tables are specified by not defining
the table as present. Further this allows by-passing the base tables
range check against the next/check tables.

Fixes: d901d6a2 ("apparmor: dfa split verification of table headers")
Reported-by: default avatarMike Salvatore <mike.salvatore@canonical.com>
Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent 01df52d7
...@@ -97,6 +97,9 @@ static struct table_header *unpack_table(char *blob, size_t bsize) ...@@ -97,6 +97,9 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
th.td_flags == YYTD_DATA8)) th.td_flags == YYTD_DATA8))
goto out; goto out;
/* if we have a table it must have some entries */
if (th.td_lolen == 0)
goto out;
tsize = table_size(th.td_lolen, th.td_flags); tsize = table_size(th.td_lolen, th.td_flags);
if (bsize < tsize) if (bsize < tsize)
goto out; goto out;
...@@ -198,6 +201,8 @@ static int verify_dfa(struct aa_dfa *dfa) ...@@ -198,6 +201,8 @@ static int verify_dfa(struct aa_dfa *dfa)
state_count = dfa->tables[YYTD_ID_BASE]->td_lolen; state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
trans_count = dfa->tables[YYTD_ID_NXT]->td_lolen; trans_count = dfa->tables[YYTD_ID_NXT]->td_lolen;
if (state_count == 0)
goto out;
for (i = 0; i < state_count; i++) { for (i = 0; i < state_count; i++) {
if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) && if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) &&
(DEFAULT_TABLE(dfa)[i] >= state_count)) (DEFAULT_TABLE(dfa)[i] >= state_count))
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment