On Fri, Nov 3, 2023 at 2:27 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote:
>
> Ensure the ibendport port is not 0 (similar to the kernel).
>
> More general depth test for boolean expressions.
>
> Ensure the boolean id is not set for logic operators.
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

Acked-by: James Carter <jwcart2@xxxxxxxxx>

> ---
> libsepol/src/policydb_validate.c | 8 +++++++-
> 1 file changed, 7 insertions(+), 1 deletion(-)
>
> diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
> index b20ed579..d04f6bcd 100644
> --- a/libsepol/src/policydb_validate.c
> +++ b/libsepol/src/policydb_validate.c
> @@ -1002,13 +1002,15 @@ static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex
> case COND_BOOL:
> if (validate_value(expr->boolean, boolean))
> goto bad;
> - if (depth == (COND_EXPR_MAXDEPTH - 1))
> + if (depth >= (COND_EXPR_MAXDEPTH - 1))
> goto bad;
> depth++;
> break;
> case COND_NOT:
> if (depth < 0)
> goto bad;
> + if (expr->boolean != 0)
> + goto bad;
> break;
> case COND_OR:
> case COND_AND:
> @@ -1017,6 +1019,8 @@ static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex
> case COND_NEQ:
> if (depth < 1)
> goto bad;
> + if (expr->boolean != 0)
> + goto bad;
> depth--;
> break;
> default:
> @@ -1203,6 +1207,8 @@ static int validate_ocontexts(sepol_handle_t *handle, const policydb_t *p, valid
> goto bad;
> break;
> case OCON_IBENDPORT:
> + if (octx->u.ibendport.port == 0)
> + goto bad;
> if (!octx->u.ibendport.dev_name)
> goto bad;
> break;
> --
> 2.42.0
>
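Review bot: The new `if (expr->boolean != 0) goto bad;` in the COND_NOT arm is stricter than the kernel, which as far as I recall only bounds-checks the bool index against nprim for every node type and otherwise ignores the field on operator nodes, so a binary policy the kernel loads fine could now be refused by libsepol, and every userspace consumer of a policy file goes through this validation. That is acceptable if every writer (libsepol's own conditional-expression writer, checkpolicy, CIL) is known to zero the field for operator nodes, but that should be confirmed rather than assumed, and the commit message would benefit from saying so since it currently gives no rationale for this part. A one-line comment above the check, such as `/* operator nodes carry no bool; stricter than the kernel, which ignores the field */`, would spare the next reader the same question. The `depth >=` change on the COND_BOOL arm is a sound tightening of the old equality test. validate_cond_expr starts before this hunk and continues after it.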
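Review bot: The `if (expr->boolean != 0) goto bad;` guard added to the binary-operator arms here is the same one added to the COND_NOT arm in the previous hunk, so the rule "only COND_BOOL carries a bool index" is now encoded in two places and a future operator arm could omit it. Hoisting it ahead of the switch as `if (expr->expr_type != COND_BOOL && expr->boolean != 0) goto bad;` expresses the rule once and leaves the operator arms to depth bookkeeping alone; behaviour for the visible arms is unchanged. The enclosing validate_cond_expr extends beyond both edges of this hunk.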
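Review bot: The added `if (octx->u.ibendport.port == 0) goto bad;` covers only half of the kernel check the commit message refers to: unless I misremember the kernel's ocontext reader, it rejects both `port == 0` and `port > 0xff`, InfiniBand port numbers being 8-bit, so parity needs `if (octx->u.ibendport.port == 0 || octx->u.ibendport.port > 0xff) goto bad;`. Without the upper bound a policy assembled in memory with an out-of-range port passes validation here and fails only at kernel load time, which is exactly the late failure this validator exists to catch. A comment naming where the bounds come from, e.g. `/* IB port numbers are 1..255, mirroring the kernel's ocontext_read() */`, would also help. validate_ocontexts starts before this hunk and continues after it.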