selinux: check sidtab limit before adding a new entry
We need to error out when trying to add an entry above SIDTAB_MAX in
sidtab_reverse_lookup() to avoid overflow on the odd chance that this
happens.

Cc: [email protected]
Fixes: ee1a84f ("selinux: overhaul sidtab to fix bug and improve performance")
Signed-off-by: Ondrej Mosnacek <[email protected]>
Reviewed-by: Kees Cook <[email protected]>
Signed-off-by: Paul Moore <[email protected]>
WOnder93 authored and pcmoore committed Jul 24, 2019
1 parent ea74a68 commit acbc372
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions security/selinux/ss/sidtab.c
Expand Up @@ -286,6 +286,11 @@ static int sidtab_reverse_lookup(struct sidtab *s, struct context *context,
++count;
}

/* bail out if we already reached max entries */
rc = -EOVERFLOW;
if (count >= SIDTAB_MAX)
goto out_unlock;

/* insert context into new entry */
rc = -ENOMEM;
dst = sidtab_do_lookup(s, count, 1);
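Review bot: the comparison in the new `if (count >= SIDTAB_MAX)` is the right direction only because `count` here is the index the new entry would get (the loop above has already incremented it past the last existing entry), so `>=` rather than `>` is what keeps the index passed to `sidtab_do_lookup(s, count, 1)` strictly below SIDTAB_MAX; the comment "bail out if we already reached max entries" would be clearer if it said that `count` is the next free index, so a later reader does not "fix" it to `>`. Setting `rc = -EOVERFLOW;` before the conditional `goto out_unlock;` matches the `rc = -ENOMEM; dst = ...` idiom that follows, so the error-path style is consistent with the rest of the function.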