libsepol: validate common classes have at least one permissions
The traditional language and CIL permit common classes only to be
defined with at least one permission.  Thus writing a common class
without one will fail.

Reported-by: oss-fuzz (issue 64059)
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
cgzones authored and jwcart2 committed Nov 15, 2023
1 parent 23c743c commit 4f6a3ab
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion libsepol/src/policydb_validate.c
Expand Up @@ -370,7 +370,7 @@ static int validate_common_datum(sepol_handle_t *handle, const common_datum_t *c
{
if (validate_value(common->s.value, &flavors[SYM_COMMONS]))
goto bad;
if (common->permissions.nprim > PERM_SYMTAB_SIZE)
if (common->permissions.table->nel == 0 || common->permissions.nprim > PERM_SYMTAB_SIZE)
goto bad;

return 0;
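
Review bot: The new lower-bound test on the changed line reads `common->permissions.table->nel` while the upper-bound test beside it reads `common->permissions.nprim`, and nothing in this hunk shows that the two counters are kept consistent for a policy loaded from untrusted input. A one-line comment above the condition saying why the table's element count is the right field for the emptiness check (the commit message gives the reason: a common class without a permission cannot be written back out) would make the intent clear to the next reader. The same expression also dereferences `permissions.table` with no NULL check visible in this function; if the reader guarantees the table is always allocated before validation runs, say so in the comment, otherwise add `!common->permissions.table ||` in front of the `nel` test.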