1 files changed, 29 insertions, 25 deletions

diff --git a/libsepol/src/link.c b/libsepol/src/link.c
index 01d3231c..defab475 100644
--- a/libsepol/src/link.c
+++ b/libsepol/src/link.c
@@ -676,13 +676,17 @@ static int sens_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 			    "%s: Modules may not declare new sensitivities.",
 			    state->cur_mod_name);
 			return SEPOL_ENOTSUP;
-		}
-		if (scope->scope == SCOPE_REQ) {
+		} else if (scope->scope == SCOPE_REQ) {
 			/* unmet requirement */
 			ERR(state->handle,
 			    "%s: Sensitivity %s not declared by base.",
 			    state->cur_mod_name, id);
 			return SEPOL_ENOTSUP;
+		} else {
+			ERR(state->handle,
+			    "%s: has an unknown scope: %d\n",
+			    state->cur_mod_name, scope->scope);
+			return SEPOL_ENOTSUP;
 		}
 	}
 
@@ -704,8 +708,7 @@ static int cat_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 
 	base_cat = hashtab_search(state->base->p_cats.table, id);
 	if (!base_cat) {
-		scope =
-		    hashtab_search(state->cur->policy->p_cat_scope.table, id);
+		scope = hashtab_search(state->cur->policy->p_cat_scope.table, id);
 		if (!scope)
 			return SEPOL_ERR;
 		if (scope->scope == SCOPE_DECL) {
@@ -714,13 +717,18 @@ static int cat_copy_callback(hashtab_key_t key, hashtab_datum_t datum,
 			    "%s: Modules may not declare new categories.",
 			    state->cur_mod_name);
 			return SEPOL_ENOTSUP;
-		}
-		if (scope->scope == SCOPE_REQ) {
+		} else if (scope->scope == SCOPE_REQ) {
 			/* unmet requirement */
 			ERR(state->handle,
 			    "%s: Category %s not declared by base.",
 			    state->cur_mod_name, id);
 			return SEPOL_ENOTSUP;
+		} else {
+			/* unknown scope?  malformed policy? */
+			ERR(state->handle,
+			    "%s: has an unknown scope: %d\n",
+			    state->cur_mod_name, scope->scope);
+			return SEPOL_ENOTSUP;
 		}
 	}
 
@@ -2001,6 +2009,7 @@ static int is_decl_requires_met(link_state_t * state,
 			struct find_perm_arg fparg;
 			class_datum_t *cladatum;
 			uint32_t perm_value = j + 1;
+			int rc;
 			scope_datum_t *scope;
 
 			if (!ebitmap_node_get_bit(node, j)) {
@@ -2022,11 +2031,13 @@ static int is_decl_requires_met(link_state_t * state,
 			fparg.valuep = perm_value;
 			fparg.key = NULL;
 
-			hashtab_map(cladatum->permissions.table, find_perm,
+			(void)hashtab_map(cladatum->permissions.table, find_perm,
 				    &fparg);
-			if (fparg.key == NULL && cladatum->comdatum != NULL)
-				hashtab_map(cladatum->comdatum->permissions.
-					    table, find_perm, &fparg);
+			if (fparg.key == NULL && cladatum->comdatum != NULL) {
+				rc = hashtab_map(cladatum->comdatum->permissions.table,
+						 find_perm, &fparg);
+				assert(rc == 1);
+			}
 			perm_id = fparg.key;
 
 			assert(perm_id != NULL);
@@ -2050,6 +2061,7 @@ static int debug_requirements(link_state_t * state, policydb_t * p)
 	int ret;
 	avrule_block_t *cur;
 	missing_requirement_t req;
+	memset(&req, 0, sizeof(req));
 
 	for (cur = p->global; cur != NULL; cur = cur->next) {
 		if (cur->enabled != NULL)
@@ -2062,34 +2074,27 @@ static int debug_requirements(link_state_t * state, policydb_t * p)
 			char *mod_name = cur->branch_list->module_name ?
 			    cur->branch_list->module_name : "BASE";
 			if (req.symbol_type == SYM_CLASSES) {
-
 				struct find_perm_arg fparg;
 
 				class_datum_t *cladatum;
-				cladatum =
-				    p->class_val_to_struct[req.symbol_value -
-							   1];
+				cladatum = p->class_val_to_struct[req.symbol_value - 1];
 
 				fparg.valuep = req.perm_value;
 				fparg.key = NULL;
-				hashtab_map(cladatum->permissions.table,
-					    find_perm, &fparg);
+				(void)hashtab_map(cladatum->permissions.table,
+						  find_perm, &fparg);
 
 				if (cur->flags & AVRULE_OPTIONAL) {
 					ERR(state->handle,
 					    "%s[%d]'s optional requirements were not met: class %s, permission %s",
 					    mod_name, cur->branch_list->decl_id,
-					    p->p_class_val_to_name[req.
-								   symbol_value
-								   - 1],
+					    p->p_class_val_to_name[req.symbol_value - 1],
 					    fparg.key);
 				} else {
 					ERR(state->handle,
 					    "%s[%d]'s global requirements were not met: class %s, permission %s",
 					    mod_name, cur->branch_list->decl_id,
-					    p->p_class_val_to_name[req.
-								   symbol_value
-								   - 1],
+					    p->p_class_val_to_name[req.symbol_value - 1],
 					    fparg.key);
 				}
 			} else {
@@ -2137,7 +2142,7 @@ static void print_missing_requirements(link_state_t * state,
 
 		fparg.valuep = req->perm_value;
 		fparg.key = NULL;
-		hashtab_map(cladatum->permissions.table, find_perm, &fparg);
+		(void)hashtab_map(cladatum->permissions.table, find_perm, &fparg);
 
 		ERR(state->handle,
 		    "%s's global requirements were not met: class %s, permission %s",
@@ -2148,8 +2153,7 @@ static void print_missing_requirements(link_state_t * state,
 		    "%s's global requirements were not met: %s %s",
 		    mod_name,
 		    symtab_names[req->symbol_type],
-		    p->sym_val_to_name[req->symbol_type][req->symbol_value -
-							 1]);
+		    p->sym_val_to_name[req->symbol_type][req->symbol_value - 1]);
 	}
 }