apparmor: add missing id bounds check on dfa verification

Signed-off-by: John Johansen <john.johansen@canonical.com>

diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index 001c43aa04065b99bdc3f6484b85213de3a2bf7e..a1c04fe8679022dd21e9eb468947b314de58452f 100644 (file)
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -62,6 +62,7 @@ struct table_set_header {
 #define YYTD_ID_ACCEPT2 6
 #define YYTD_ID_NXT    7
 #define YYTD_ID_TSIZE  8
+#define YYTD_ID_MAX    8
 
 #define YYTD_DATA8     1
 #define YYTD_DATA16    2

diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 727eb4200d5c922d8818a6f0a84ace38fd759306..f9f57c626f54952ad355b45a9efcb837b50de00b 100644 (file)
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -47,6 +47,8 @@ static struct table_header *unpack_table(char *blob, size_t bsize)
         * it every time we use td_id as an index
         */
        th.td_id = be16_to_cpu(*(u16 *) (blob)) - 1;
+       if (th.td_id > YYTD_ID_MAX)
+               goto out;
        th.td_flags = be16_to_cpu(*(u16 *) (blob + 2));
        th.td_lolen = be32_to_cpu(*(u32 *) (blob + 8));
        blob += sizeof(struct table_header);