Commit dae60293 authored by John Johansen's avatar John Johansen
Browse files

apparmor: add consistency check between state and dfa diff encode flags 



Check that a states diff encode flag is only set if diff encode is
enabled in the dfa header.

Signed-off-by: default avatarJohn Johansen <john.johansen@canonical.com>
parent c6596969

security/apparmor/match.c

+6 −0
Original line number Diff line number Diff line
@@ -206,6 +206,12 @@ static int verify_dfa(struct aa_dfa *dfa) 
			pr_err("AppArmor DFA state with invalid match flags");

			goto out;

		}

		if ((BASE_TABLE(dfa)[i] & MATCH_FLAG_DIFF_ENCODE)) {

			if (!(dfa->flags & YYTH_FLAG_DIFF_ENCODE)) {

				pr_err("AppArmor DFA diff encoded transition state without header flag");

				goto out;

			}

		}

		if (base_idx(BASE_TABLE(dfa)[i]) + 255 >= trans_count) {

			pr_err("AppArmor DFA next/check upper bounds error\n");

			goto out;

CRA Git | Maintained and supported by SUSTech CRA and CCSE