On Mon, Nov 13, 2023 at 8:59 PM <luhuaxin1@xxxxxxxxxx> wrote: > > From: Huaxin Lu <luhuaxin1@xxxxxxxxxx> > > In mls_semantic_level_expand(), there is an explicit determination of > whether category is 0, which may cause a potential integer > overflow in the error branch. > > Signed-off-by: Huaxin Lu <luhuaxin1@xxxxxxxxxx> > --- > libsepol/src/expand.c | 4 ++-- > 1 file changed, 2 insertions(+), 2 deletions(-) > > diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c > index ee5f9185..9ed22bfd 100644 > --- a/libsepol/src/expand.c > +++ b/libsepol/src/expand.c > @@ -945,8 +945,8 @@ int mls_semantic_level_expand(mls_semantic_level_t * sl, mls_level_t * l, > for (cat = sl->cat; cat; cat = cat->next) { > if (!cat->low || cat->low > cat->high) { > ERR(h, "Category range is not valid %s.%s", > - p->p_cat_val_to_name[cat->low - 1], > - p->p_cat_val_to_name[cat->high - 1]); > + cat->low > 0 ? p->p_cat_val_to_name[cat->low - 1] : "n/a", > + cat->high > 0 ? p->p_cat_val_to_name[cat->high - 1] : "n/a"); I would prefer "Invalid", "Bad Category", "NULL", or something along those lines instead of "n/a". Thanks, Jim > return -1; > } > for (i = cat->low - 1; i < cat->high; i++) { > -- > 2.33.0 >
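Review bot: the two new ternaries in the ERR() arguments guard only the zero case, but this branch is also taken when cat->low > cat->high with both values non-zero, and nothing in the visible lines checks either value against the size of p_cat_val_to_name. A cat->low or cat->high larger than the number of categories in the policy would still index past the table while the error message is being formatted. Consider bounding both values against the category count before the lookup, or printing the raw numbers with %u so the error path does no table lookup at all. The commit message could also state the defect more directly: with cat->low equal to 0, cat->low - 1 is evaluated and used as an index into p_cat_val_to_name.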