On Thu, Sep 3, 2020 at 3:42 PM Stephen Smalley <stephen.smalley.work@xxxxxxxxx> wrote: > > On Thu, Sep 3, 2020 at 2:19 PM James Carter <jwcart2@xxxxxxxxx> wrote: > > > > CIL was not correctly determining the depth of constraint expressions > > which prevented it from giving an error when the max depth was exceeded. > > This allowed invalid policy binaries with constraint expressions exceeding > > the max depth to be created. > > > > Correctly calculate the depth of constraint expressions when building > > the AST and give an error when the max depth is exceeded. > > Does a similar bug exist for conditional boolean expression depth checking? Yes it does. Jim
