On Tue, Nov 14, 2023 at 3:40 PM James Carter <jwcart2@xxxxxxxxx> wrote: > > On Mon, Nov 13, 2023 at 2:26 PM Christian Göttsche > <cgzones@xxxxxxxxxxxxxx> wrote: > > > > The traditional language and CIL permit common classes only to be > > defined with at least one permission. Thus writing a common class > > without one will fail. > > > > Reported-by: oss-fuzz (issue 64059) > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> > > Acked-by: James Carter <jwcart2@xxxxxxxxx> > This patch has been merged. Thanks, Jim > > --- > > libsepol/src/policydb_validate.c | 2 +- > > 1 file changed, 1 insertion(+), 1 deletion(-) > > > > diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c > > index 016ab655..1121c8bb 100644 > > --- a/libsepol/src/policydb_validate.c > > +++ b/libsepol/src/policydb_validate.c > > @@ -369,7 +369,7 @@ static int validate_common_datum(sepol_handle_t *handle, const common_datum_t *c > > { > > if (validate_value(common->s.value, &flavors[SYM_COMMONS])) > > goto bad; > > - if (common->permissions.nprim > PERM_SYMTAB_SIZE) > > + if (common->permissions.table->nel == 0 || common->permissions.nprim > PERM_SYMTAB_SIZE) > > goto bad; > > > > return 0; > > -- > > 2.42.0 > >
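Review bot: In the changed condition in validate_common_datum, the new emptiness test reads `common->permissions.table->nel` while the size bound on the same line still reads `common->permissions.nprim`, and nothing in the hunk explains why two different counters are used or whether they are expected to agree. A short comment above the test stating that a common must carry at least one permission (the reason given in the commit message for the traditional language and CIL) would document the intent. The test also dereferences `common->permissions.table` directly, so if `table` can be NULL when the validator runs, it needs a check before the `->nel` read. Splitting the two tests into separate `if` statements would keep the empty-common case distinct from the oversized one.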