[RFC PATCH 2/3] libsepol: validate initial SIDs


 



Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
 libsepol/src/policydb_validate.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index da18282b..fcd3154a 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -1,6 +1,7 @@
 
 #include <sepol/policydb/conditional.h>
 #include <sepol/policydb/ebitmap.h>
+#include <sepol/policydb/initialsids.h>
 #include <sepol/policydb/policydb.h>
 #include <sepol/policydb/services.h>
 
@@ -1041,6 +1042,10 @@ static int validate_ocontexts(sepol_handle_t *handle, policydb_t *p, validate_t
 
 			if (p->target_platform == SEPOL_TARGET_SELINUX) {
 				switch (i) {
+				case OCON_ISID:
+					if (octx->sid[0] < 1 || octx->sid[0] >= SELINUX_SID_SZ)
+						goto bad;
+					break;
 				case OCON_FS:
 				case OCON_NETIF:
 					if (validate_context(&octx->context[1], flavors, p->mls))
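Review bot: The new OCON_ISID case bounds-checks `octx->sid[0]` but does not reject two initial-SID entries that carry the same value, so a policy listing one SID twice (and, by count, omitting another) still passes; the same gap applies to the OCON_XEN_ISID case in the next hunk. If validate_ocontexts already tracks seen entries elsewhere this is moot, otherwise a bitmap of SELINUX_SID_SZ bits marked as each entry is accepted would catch the duplicate before `goto bad`. A one-line comment would also help the next reader, since the accepted range is only implied by the two comparisons: `/* initial SIDs must lie in [1, SELINUX_SID_SZ); 0 is rejected */`. validate_ocontexts starts and ends outside the hunk.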
@@ -1057,6 +1062,14 @@ static int validate_ocontexts(sepol_handle_t *handle, policydb_t *p, validate_t
 					}
 				}
 			}
+			if (p->target_platform == SEPOL_TARGET_XEN) {
+				switch (i) {
+				case OCON_XEN_ISID:
+					if (octx->sid[0] < 1 || octx->sid[0] >= XEN_SID_SZ)
+						goto bad;
+					break;
+				}
+			}
 		}
 	}
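Review bot: The XEN branch wraps a single `case` in a `switch (i)` with no `default`, which reads as a stub rather than a decision; unless more Xen ocontext kinds are about to be validated, a plain conditional states the intent more directly: `if (i == OCON_XEN_ISID && (octx->sid[0] < 1 || octx->sid[0] >= XEN_SID_SZ)) goto bad;`. Since target_platform is either SELINUX or XEN here, the new block could also be the `else if` of the preceding SELINUX test rather than a second independent `if`, so a reader sees the two platforms as alternatives. If the switch is kept for symmetry with the SELinux branch, a `default: break;` would make that choice explicit. The enclosing loop and validate_ocontexts itself continue outside the hunk.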
 
-- 
2.36.1




