The traditional language and CIL permit common classes only to be defined with at least one permission. Thus writing a common class without one will fail. Reported-by: oss-fuzz (issue 64059) Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> --- libsepol/src/policydb_validate.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index 016ab655..1121c8bb 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c @@ -369,7 +369,7 @@ static int validate_common_datum(sepol_handle_t *handle, const common_datum_t *c { if (validate_value(common->s.value, &flavors[SYM_COMMONS])) goto bad; - if (common->permissions.nprim > PERM_SYMTAB_SIZE) + if (common->permissions.table->nel == 0 || common->permissions.nprim > PERM_SYMTAB_SIZE) goto bad; return 0; -- 2.42.0
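Review bot: the new `common->permissions.table->nel == 0` test in validate_common_datum() dereferences `permissions.table` with no NULL check visible in this hunk. If the validator can be reached with a common whose symtab was never allocated, fuzzer input would cause a crash instead of a rejected policy. Either state in the commit message that the read path always allocates the table before validation, or guard the test with `!common->permissions.table ||`. The condition also mixes two counters: `table->nel` for the lower bound and `nprim` for the upper bound. A short comment above the check would help here, saying why emptiness is tested on the element count rather than on `nprim`, and that the traditional language and CIL require at least one permission.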