From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Thu, 16 Oct 2025 13:59:50 +0000 (+0100)
Subject: dissect: fix image policy check for bare dm-verity filesystem
X-Git-Tag: v259-rc1~304^2~4
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e97d50e171fcaf5f50fd349a2be189b61593f31;p=thirdparty%2Fsystemd.git

dissect: fix image policy check for bare dm-verity filesystem

The root_hash_sig pointer might be set, but to an empty iovec. Check
that the length is > 0 instead.

Follow-up for cd22d8562dd085f5c234cf26b4dd773029418833
---

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index de9475e6d32..be40c772608 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -881,7 +881,7 @@ static int dissect_image(
                         encrypted = streq_ptr(fstype, "crypto_LUKS");
 
                         if (verity_settings_data_covers(verity, PARTITION_ROOT))
-                                found_flags = verity->root_hash_sig ? PARTITION_POLICY_SIGNED : PARTITION_POLICY_VERITY;
+                                found_flags = verity->root_hash_sig_size > 0 ? PARTITION_POLICY_SIGNED : PARTITION_POLICY_VERITY;
                         else
                                 found_flags = encrypted ? PARTITION_POLICY_ENCRYPTED : PARTITION_POLICY_UNPROTECTED;