4 files changed, 35 insertions, 17 deletions

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index d173144e..2c12ae9b 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -536,7 +536,7 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
 	struct strs *strs;
 	char *sid;
 	char *prev;
-	char unknown[17];
+	char unknown[18];
 	unsigned i;
 	int rc;
 
@@ -550,7 +550,7 @@ static int write_sids_to_cil(FILE *out, const char *const *sid_to_str,
 		if (i < num_sids) {
 			sid = (char *)sid_to_str[i];
 		} else {
-			snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+			snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
 			sid = strdup(unknown);
 		}
 		rc = strs_add_at_index(strs, sid, i);
@@ -2498,7 +2498,7 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const
 	struct ocontext *isid;
 	struct strs *strs;
 	char *sid;
-	char unknown[17];
+	char unknown[18];
 	char *ctx, *rule;
 	unsigned i;
 	int rc = -1;
@@ -2513,7 +2513,7 @@ static int write_sid_context_rules_to_cil(FILE *out, struct policydb *pdb, const
 		if (i < num_sids) {
 			sid = (char *)sid_to_str[i];
 		} else {
-			snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+			snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
 			sid = unknown;
 		}
 
diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index 7e04a13b..219a2489 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -434,7 +434,7 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
 	struct ocontext *isid;
 	struct strs *strs;
 	char *sid;
-	char unknown[17];
+	char unknown[18];
 	unsigned i;
 	int rc;
 
@@ -448,7 +448,7 @@ static int write_sids_to_conf(FILE *out, const char *const *sid_to_str,
 		if (i < num_sids) {
 			sid = (char *)sid_to_str[i];
 		} else {
-			snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+			snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
 			sid = strdup(unknown);
 		}
 		rc = strs_add_at_index(strs, sid, i);
@@ -2358,7 +2358,7 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons
 	struct ocontext *isid;
 	struct strs *strs;
 	char *sid;
-	char unknown[17];
+	char unknown[18];
 	char *ctx, *rule;
 	unsigned i;
 	int rc;
@@ -2373,7 +2373,7 @@ static int write_sid_context_rules_to_conf(FILE *out, struct policydb *pdb, cons
 		if (i < num_sids) {
 			sid = (char *)sid_to_str[i];
 		} else {
-			snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+			snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
 			sid = unknown;
 		}
 
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 7fc29cbd..4cb44e0e 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2562,7 +2562,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
 	struct sid_item *head = NULL;
 	struct sid_item *item = NULL;
 	char *sid;
-	char unknown[17];
+	char unknown[18];
 	unsigned i;
 
 	for (isid = isids; isid != NULL; isid = isid->next) {
@@ -2570,7 +2570,7 @@ static int ocontext_isid_to_cil(struct policydb *pdb, const char *const *sid_to_
 		if (i < num_sids) {
 			sid = (char*)sid_to_string[i];
 		} else {
-			snprintf(unknown, 17, "%s%u", "UNKNOWN", i);
+			snprintf(unknown, 18, "%s%u", "UNKNOWN", i);
 			sid = unknown;
 		}
 		cil_println(0, "(sid %s)", sid);
diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
index a6d76ca3..96176d80 100644
--- a/libsepol/src/policydb.c
+++ b/libsepol/src/policydb.c
@@ -2828,22 +2828,35 @@ static int ocontext_read_selinux(struct policydb_compat_info *info,
 				    (&c->context[1], p, fp))
 					return -1;
 				break;
-			case OCON_IBPKEY:
+			case OCON_IBPKEY: {
+				uint32_t pkey_lo, pkey_hi;
+
 				rc = next_entry(buf, fp, sizeof(uint32_t) * 4);
-				if (rc < 0 || buf[2] > 0xffff || buf[3] > 0xffff)
+				if (rc < 0)
+					return -1;
+
+				pkey_lo = le32_to_cpu(buf[2]);
+				pkey_hi = le32_to_cpu(buf[3]);
+
+				if (pkey_lo > UINT16_MAX || pkey_hi > UINT16_MAX)
 					return -1;
 
+				c->u.ibpkey.low_pkey  = pkey_lo;
+				c->u.ibpkey.high_pkey = pkey_hi;
+
+				/* we want c->u.ibpkey.subnet_prefix in network
+				 * (big-endian) order, just memcpy it */
 				memcpy(&c->u.ibpkey.subnet_prefix, buf,
 				       sizeof(c->u.ibpkey.subnet_prefix));
 
-				c->u.ibpkey.low_pkey = le32_to_cpu(buf[2]);
-				c->u.ibpkey.high_pkey = le32_to_cpu(buf[3]);
-
 				if (context_read_and_validate
 				    (&c->context[0], p, fp))
 					return -1;
 				break;
-			case OCON_IBENDPORT:
+			}
+			case OCON_IBENDPORT: {
+				uint32_t port;
+
 				rc = next_entry(buf, fp, sizeof(uint32_t) * 2);
 				if (rc < 0)
 					return -1;
@@ -2851,6 +2864,10 @@ static int ocontext_read_selinux(struct policydb_compat_info *info,
 				if (len == 0 || len > IB_DEVICE_NAME_MAX - 1)
 					return -1;
 
+				port = le32_to_cpu(buf[1]);
+				if (port > UINT8_MAX || port == 0)
+					return -1;
+
 				c->u.ibendport.dev_name = malloc(len + 1);
 				if (!c->u.ibendport.dev_name)
 					return -1;
@@ -2858,11 +2875,12 @@ static int ocontext_read_selinux(struct policydb_compat_info *info,
 				if (rc < 0)
 					return -1;
 				c->u.ibendport.dev_name[len] = 0;
-				c->u.ibendport.port = le32_to_cpu(buf[1]);
+				c->u.ibendport.port = port;
 				if (context_read_and_validate
 				    (&c->context[0], p, fp))
 					return -1;
 				break;
+			}
 			case OCON_PORT:
 				rc = next_entry(buf, fp, sizeof(uint32_t) * 3);
 				if (rc < 0)