From 7b754f703d704c9d9931497536771e6124ca2418 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= <cgzones@googlemail.com>
Date: Fri, 3 Nov 2023 19:26:37 +0100
Subject: [PATCH] libsepol: more strict validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Ensure the ibendport port is not 0 (similar to the kernel).

More general depth test for boolean expressions.

Ensure the boolean id is not set for logic operators.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
---
 libsepol/src/policydb_validate.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/libsepol/src/policydb_validate.c b/libsepol/src/policydb_validate.c
index b20ed579..d04f6bcd 100644
--- a/libsepol/src/policydb_validate.c
+++ b/libsepol/src/policydb_validate.c
@@ -1002,13 +1002,15 @@ static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex
 		case COND_BOOL:
 			if (validate_value(expr->boolean, boolean))
 				goto bad;
-			if (depth == (COND_EXPR_MAXDEPTH - 1))
+			if (depth >= (COND_EXPR_MAXDEPTH - 1))
 				goto bad;
 			depth++;
 			break;
 		case COND_NOT:
 			if (depth < 0)
 				goto bad;
+			if (expr->boolean != 0)
+				goto bad;
 			break;
 		case COND_OR:
 		case COND_AND:
@@ -1017,6 +1019,8 @@ static int validate_cond_expr(sepol_handle_t *handle, const struct cond_expr *ex
 		case COND_NEQ:
 			if (depth < 1)
 				goto bad;
+			if (expr->boolean != 0)
+				goto bad;
 			depth--;
 			break;
 		default:
@@ -1203,6 +1207,8 @@ static int validate_ocontexts(sepol_handle_t *handle, const policydb_t *p, valid
 						goto bad;
 					break;
 				case OCON_IBENDPORT:
+					if (octx->u.ibendport.port == 0)
+						goto bad;
 					if (!octx->u.ibendport.dev_name)
 						goto bad;
 					break;