On Mon, Nov 13, 2023 at 8:59 PM <luhuaxin1@xxxxxxxxxx> wrote:
>
> From: Huaxin Lu <luhuaxin1@xxxxxxxxxx>
>
> In mls_semantic_level_expand(), there is a explicitly determine
> whether category is 0, which may cause an potential integer
> overflow in error branch.
>
> Signed-off-by: Huaxin Lu <luhuaxin1@xxxxxxxxxx>
> ---
> libsepol/src/expand.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/libsepol/src/expand.c b/libsepol/src/expand.c
> index ee5f9185..9ed22bfd 100644
> --- a/libsepol/src/expand.c
> +++ b/libsepol/src/expand.c
> @@ -945,8 +945,8 @@ int mls_semantic_level_expand(mls_semantic_level_t * sl, mls_level_t * l,
> for (cat = sl->cat; cat; cat = cat->next) {
> if (!cat->low || cat->low > cat->high) {
> ERR(h, "Category range is not valid %s.%s",
> - p->p_cat_val_to_name[cat->low - 1],
> - p->p_cat_val_to_name[cat->high - 1]);
> + cat->low > 0 ? p->p_cat_val_to_name[cat->low - 1] : "n/a",
> + cat->high > 0 ? p->p_cat_val_to_name[cat->high - 1] : "n/a");
I would prefer "Invalid", "Bad Category", "NULL", or something along
those lines instead of "n/a".
Thanks,
Jim
> return -1;
> }
> for (i = cat->low - 1; i < cat->high; i++) {
> --
> 2.33.0
>
