apparmor: add missing id bounds check on dfa verification Signed-off-by: John Johansen <john.johansen@canonical.com>

commit: 15756178c6a65b261a080e21af4766f59cafc112 [log] [tgz]
author: John Johansen <john.johansen@canonical.com> Thu Jun 02 02:37:02 2016 -0700
committer: John Johansen <john.johansen@canonical.com> Tue Jul 12 08:43:10 2016 -0700
tree: 98fabd29ae0f62c2f3b99ae0e57ba5d253e4bf82
parent: ff118479a76dbece9ae1c65c7c6a3ebe9cfa73e0 [diff]
diff --git a/security/apparmor/include/match.h b/security/apparmor/include/match.h
index 001c43a..a1c04fe 100644
--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h

@@ -62,6 +62,7 @@
 #define YYTD_ID_ACCEPT2 6
 #define YYTD_ID_NXT	7
 #define YYTD_ID_TSIZE	8
+#define YYTD_ID_MAX	8
 
 #define YYTD_DATA8	1
 #define YYTD_DATA16	2

diff --git a/security/apparmor/match.c b/security/apparmor/match.c
index 727eb42..f9f57c6 100644
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c

@@ -47,6 +47,8 @@
 	 * it every time we use td_id as an index
 	 */
 	th.td_id = be16_to_cpu(*(u16 *) (blob)) - 1;
+	if (th.td_id > YYTD_ID_MAX)
+		goto out;
 	th.td_flags = be16_to_cpu(*(u16 *) (blob + 2));
 	th.td_lolen = be32_to_cpu(*(u32 *) (blob + 8));
 	blob += sizeof(struct table_header);
commit	15756178c6a65b261a080e21af4766f59cafc112	[log] [tgz]
author	John Johansen <john.johansen@canonical.com>	Thu Jun 02 02:37:02 2016 -0700
committer	John Johansen <john.johansen@canonical.com>	Tue Jul 12 08:43:10 2016 -0700
tree	98fabd29ae0f62c2f3b99ae0e57ba5d253e4bf82
parent	ff118479a76dbece9ae1c65c7c6a3ebe9cfa73e0 [diff]