apparmor: add missing id bounds check on dfa verification

author John Johansen <john.johansen@canonical.com>

Thu, 2 Jun 2016 09:37:02 +0000 (02:37 -0700)

committer Willy Tarreau <w@1wt.eu>

Tue, 20 Jun 2017 12:04:12 +0000 (14:04 +0200)
author John Johansen <john.johansen@canonical.com>
Thu, 2 Jun 2016 09:37:02 +0000 (02:37 -0700)
committer Willy Tarreau <w@1wt.eu>
Tue, 20 Jun 2017 12:04:12 +0000 (14:04 +0200)
diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h

index 775843e7f984b93dc9d68d1f84df7b3c5d99a7ab..b5029c77c3e3fcab1bd5d1ac57aec6a8e87752ed 100644 (file)
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -57,6 +57,7 @@ struct table_set_header {
  #define YYTD_ID_ACCEPT2 6
  #define YYTD_ID_NXT    7
  #define YYTD_ID_TSIZE  8
+#define YYTD_ID_MAX    8
  
  #define YYTD_DATA8     1
  #define YYTD_DATA16    2
diff --git a/security/apparmor/match.c b/security/apparmor/match.c

index 90971a8c37898256b1d60b211bdf27865d1f75e4..630f325b87a84115cdd83c48c916f7ea602a52f9 100644 (file)
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -45,6 +45,8 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
          * it every time we use td_id as an index
          */
         th.td_id = be16_to_cpu(*(u16 *) (blob)) - 1;
+       if (th.td_id > YYTD_ID_MAX)
+               goto out;
         th.td_flags = be16_to_cpu(*(u16 *) (blob + 2));
         th.td_lolen = be32_to_cpu(*(u32 *) (blob + 8));
         blob += sizeof(struct table_header);
author	John Johansen <john.johansen@canonical.com>
	Thu, 2 Jun 2016 09:37:02 +0000 (02:37 -0700)
committer	Willy Tarreau <w@1wt.eu>
	Tue, 20 Jun 2017 12:04:12 +0000 (14:04 +0200)
security/apparmor/include/match.h		patch \| blob \| blame \| history
security/apparmor/match.c		patch \| blob \| blame \| history