aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
Diffstat
-rw-r--r--libselinux/src/label_file.c2
-rw-r--r--libselinux/src/regex.c2
-rw-r--r--libsepol/src/kernel_to_cil.c8
-rw-r--r--libsepol/src/kernel_to_conf.c8
-rw-r--r--libsepol/src/module_to_cil.c4
-rw-r--r--libsepol/src/policydb.c32
-rw-r--r--mcstrans/src/mcstransd.c10
7 files changed, 37 insertions, 29 deletions
diff --git a/libselinux/src/label_file.c b/libselinux/src/label_file.c
index 3a9fb3b1..c3a903c8 100644
--- a/libselinux/src/label_file.c
+++ b/libselinux/src/label_file.c
@@ -232,7 +232,7 @@ end_arch_check:
/* allocate the stems_data array */
rc = next_entry(&stem_map_len, mmap_area, sizeof(uint32_t));
- if (rc < 0 || !stem_map_len)
+ if (rc < 0)
return -1;
/*
diff --git a/libselinux/src/regex.c b/libselinux/src/regex.c
index dfc15d63..a6fcbbfe 100644
--- a/libselinux/src/regex.c
+++ b/libselinux/src/regex.c
@@ -348,7 +348,7 @@ int regex_load_mmap(struct mmap_area *mmap_area, struct regex_data **regex,
goto err;
rc = next_entry(&entry_len, mmap_area, sizeof(uint32_t));
- if (rc < 0 || !entry_len)
+ if (rc < 0)
goto err;
if (entry_len) {
diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index d173144e..2c12ae9b 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -536,7 +536,7 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
struct strs *strs;
char *sid;
char *prev;
- char unknown[17];
+ char unknown[18];
unsigned i;
int rc;
@@ -550,7 +550,7 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
if (i < num_sids) {
sid = (char *)sid_to_str[i];
} else {
- snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+ snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
sid = strdup(unknown);
}
rc = strs_add_at_index(strs, sid, i);
@@ -2498,7 +2498,7 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const
struct ocontext *isid;
struct strs *strs;
char *sid;
- char unknown[17];
+ char unknown[18];
char *ctx, *rule;
unsigned i;
int rc = -1;
@@ -2513,7 +2513,7 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const
if (i < num_sids) {
sid = (char *)sid_to_str[i];
} else {
- snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+ snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
sid = unknown;
}
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 7e04a13b..219a2489 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -434,7 +434,7 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
struct ocontext *isid;
struct strs *strs;
char *sid;
- char unknown[17];
+ char unknown[18];
unsigned i;
int rc;
@@ -448,7 +448,7 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
if (i < num_sids) {
sid = (char *)sid_to_str[i];
} else {
- snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+ snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
sid = strdup(unknown);
}
rc = strs_add_at_index(strs, sid, i);
@@ -2358,7 +2358,7 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons
struct ocontext *isid;
struct strs *strs;
char *sid;
- char unknown[17];
+ char unknown[18];
char *ctx, *rule;
unsigned i;
int rc;
@@ -2373,7 +2373,7 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons
if (i < num_sids) {
sid = (char *)sid_to_str[i];
} else {
- snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+ snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
sid = unknown;
}
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 7fc29cbd..4cb44e0e 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2562,7 +2562,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
struct sid_item *head = NULL;
struct sid_item *item = NULL;
char *sid;
- char unknown[17];
+ char unknown[18];
unsigned i;
for (isid = isids; isid != NULL; isid = isid->next) {
@@ -2570,7 +2570,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
if (i < num_sids) {
sid = (char*)sid_to_string[i];
} else {
- snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+ snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
sid = unknown;
}
cil_println(0, "(sid %s)", sid);
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index a6d76ca3..96176d80 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -2828,22 +2828,35 @@ static int ocontext_read_selinux(struct policydb_compat_info *info,
(&c->context[1], p, fp))
return -1;
break;
- case OCON_IBPKEY:
+ case OCON_IBPKEY: {
+ uint32_t pkey_lo, pkey_hi;
+
rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
- if (rc < 0 || buf[2] > 0xffff || buf[3] > 0xffff)
+ if (rc < 0)
+ return -1;
+
+ pkey_lo = le32_to_cpu(buf[2]);
+ pkey_hi = le32_to_cpu(buf[3]);
+
+ if (pkey_lo > UINT16_MAX || pkey_hi > UINT16_MAX)
return -1;
+ c->u.ibpkey.low_pkey = pkey_lo;
+ c->u.ibpkey.high_pkey = pkey_hi;
+
+ /* we want c->u.ibpkey.subnet_prefix in network
+ * (big-endian) order, just memcpy it */
memcpy(&c->u.ibpkey.subnet_prefix, buf,
sizeof(c->u.ibpkey.subnet_prefix));
- c->u.ibpkey.low_pkey = le32_to_cpu(buf[2]);
- c->u.ibpkey.high_pkey = le32_to_cpu(buf[3]);
-
if (context_read_and_validate
(&c->context[0], p, fp))
return -1;
break;
- case OCON_IBENDPORT:
+ }
+ case OCON_IBENDPORT: {
+ uint32_t port;
+
rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
if (rc < 0)
return -1;
@@ -2851,6 +2864,10 @@ static int ocontext_read_selinux(struct policydb_compat_info *info,
if (len == 0 || len > IB_DEVICE_NAME_MAX - 1)
return -1;
+ port = le32_to_cpu(buf[1]);
+ if (port > UINT8_MAX || port == 0)
+ return -1;
+
c->u.ibendport.dev_name = malloc(len + 1);
if (!c->u.ibendport.dev_name)
return -1;
@@ -2858,11 +2875,12 @@ static int ocontext_read_selinux(struct policydb_compat_info *info,
if (rc < 0)
return -1;
c->u.ibendport.dev_name[len] = 0;
- c->u.ibendport.port = le32_to_cpu(buf[1]);
+ c->u.ibendport.port = port;
if (context_read_and_validate
(&c->context[0], p, fp))
return -1;
break;
+ }
case OCON_PORT:
rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
if (rc < 0)
diff --git a/mcstrans/src/mcstransd.c b/mcstrans/src/mcstransd.c
index d7fc5dea..85899493 100644
--- a/mcstrans/src/mcstransd.c
+++ b/mcstrans/src/mcstransd.c
@@ -142,17 +142,8 @@ process_request(int fd, uint32_t function, char *data1, char *UNUSED(data2))
{
int32_t result;
char *out = NULL;
- char *peercon = NULL;
int ret;
- ret = getpeercon_raw(fd, &peercon);
- if (ret < 0)
- return ret;
-
- /* TODO: Check if MLS clearance (in peercon) dominates the MLS label
- * (in the request input).
- */
-
switch (function) {
case SETRANS_INIT:
result = 0;
@@ -184,7 +175,6 @@ process_request(int fd, uint32_t function, char *data1, char *UNUSED(data2))
}
free(out);
- freecon(peercon);
return ret;
}
generated by cgit v1.2.3 (git 2.25.1) at 2025-07-14 13:28:13 +0000