libsepol: make parsing symbol table headers more robust

When hll/pp loads a policy file which has been modified so that the nprim field of one of its non-empty symbol table was changed to zero, it crashes with a segmentation fault. A quick analysis leads to "p->sym_val_to_name[i] = (char **)alloc(p->symtab[i].nprim, sizeof(char *));" in policydb_index_others(), which is not executed when p->symtab[i].nprim is zero even though there are items in p->symtab[i].table. Detect such an oddity in the policy file early to exit with a clean error message. Signed-off-by: Nicolas Iooss <[email protected]>
nkeuning · Nov 16, 2016 · 02a7d77 · 02a7d77
1 parent 0a32f3b
commit 02a7d77
Showing 1 changed file with 8 additions and 0 deletions.
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
@@ -3510,6 +3510,10 @@ static int avrule_decl_read(policydb_t * p, avrule_decl_t * decl,
 			return -1;
 		nprim = le32_to_cpu(buf[0]);
 		nel = le32_to_cpu(buf[1]);
+		if (nel && !nprim) {
+			ERR(fp->handle, "unexpected items in decl symbol table with no symbol");
+			return -1;
+		}
 		for (j = 0; j < nel; j++) {
 			if (read_f[i] (p, decl->symtab[i].table, fp)) {
 				return -1;
@@ -3881,6 +3885,10 @@ int policydb_read(policydb_t * p, struct policy_file *fp, unsigned verbose)
 			goto bad;
 		nprim = le32_to_cpu(buf[0]);
 		nel = le32_to_cpu(buf[1]);
+		if (nel && !nprim) {
+			ERR(fp->handle, "unexpected items in symbol table with no symbol");
+			goto bad;
+		}
 		for (j = 0; j < nel; j++) {
 			if (read_f[i] (p, p->symtab[i].table, fp))
 				goto bad;