If MLS support is enabled check the policy version supports MLS. Reported-by: oss-fuzz (issue #67322) Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> --- libsepol/src/policydb_validate.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c index 6e46f426..e987d8da 100644 --- a/libsepol/src/policydb_validate.c +++ b/libsepol/src/policydb_validate.c @@ -1554,11 +1554,15 @@ static int validate_properties(sepol_handle_t *handle, const policydb_t *p) case POLICY_KERN: if (p->policyvers < POLICYDB_VERSION_MIN || p->policyvers > POLICYDB_VERSION_MAX) goto bad; + if (p->mls && p->policyvers < POLICYDB_VERSION_MLS) + goto bad; break; case POLICY_BASE: case POLICY_MOD: if (p->policyvers < MOD_POLICYDB_VERSION_MIN || p->policyvers > MOD_POLICYDB_VERSION_MAX) goto bad; + if (p->mls && p->policyvers < MOD_POLICYDB_VERSION_MLS) + goto bad; break; default: goto bad; -- 2.43.0
