git.ipfire.org Git - thirdparty/kernel/stable.git/commitdiff
apparmor: fix dfa size check
author John Johansen <john.johansen@canonical.com>
Thu, 5 Mar 2026 02:24:01 +0000 (19:24 -0700)
committer John Johansen <john.johansen@canonical.com>
Thu, 23 Apr 2026 02:28:14 +0000 (19:28 -0700)
AppArmor dfas need a minimum of two states to be valid. State 0 is the
default trap state, and State 1 the default start state. When verifying
the dfa ensure that this is the case.

Fixes: c27c6bd2c4d6b ("apparmor: ensure that dfa state tables have entries")
Signed-off-by: John Johansen <john.johansen@canonical.com>
security/apparmor/match.c

index 8fa0a1494acdc3e57e4ca17dccff7ad4c3456f1d..4704b5904b150f4737995f8f802f9ea5961cee75 100644 (file)
@@ -157,7 +157,7 @@ static int verify_dfa(struct aa_dfa *dfa)
 
        state_count = dfa->tables[YYTD_ID_BASE]->td_lolen;
        trans_count = dfa->tables[YYTD_ID_NXT]->td_lolen;
-       if (state_count == 0)
+       if (state_count < 2)
                goto out;
        for (i = 0; i < state_count; i++) {
                if (!(BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE) &&
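Review bot: The bare literal in `if (state_count < 2)` carries no explanation at the check itself; the reason (state 0 is the default trap state, state 1 the default start state) lives only in the commit message. A one-line comment above the test, or a named constant for the minimum state count, would keep a later reader from relaxing it back to a zero check. The value returned via `goto out` is set outside the lines shown here, so it is worth confirming that this path still reports a verification failure for a one-state table, since the walkers that begin at the start state would otherwise index BASE_TABLE and the NXT table past their single entry.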