From 7255b38de44bb13e1070e0fc1705825a32886337 Mon Sep 17 00:00:00 2001 From: John Johansen Date: Mon, 1 Nov 2010 18:16:54 -0400 Subject: UBUNTU: SAUCE: AppArmor: Fix unpack of network tables. The unpacking of network rules, unpacks 1 more rule than it should. It should drop all rules with network types AF_MAX or greater. Fix suggested by Tetsuo Handa in https://lists.ubuntu.com/archives/kernel-team/2010-November/013327.html Reported-by: Tetsuo Handa Signed-off-by: John Johansen Signed-off-by: Tim Gardner
---
security/apparmor/policy_unpack.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'security')
diff --git a/security/apparmor/policy_unpack.c b/security/apparmor/policy_unpack.c
index f78370bf801..f4874c4cd73 100644
--- a/security/apparmor/policy_unpack.c
+++ b/security/apparmor/policy_unpack.c
@@ -580,7 +580,7 @@ static struct aa_profile *unpack_profile(struct aa_ext *e)
 /* discard extraneous rules that this kernel will
 * never request
 */
- if (i > AF_MAX) {
+ if (i >= AF_MAX) {
 u16 tmp;
 if (!unpack_u16(e, &tmp, NULL) ||
 !unpack_u16(e, &tmp, NULL) ||
-- cgit v1.2.3
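Review bot: The comment above `if (i >= AF_MAX)` describes the discard only as dropping rules this kernel will never request; it does not say that the same comparison is the bounds check for whatever `i` indexes on the non-discard path. If the per-family network tables hold AF_MAX entries (their declaration is outside this hunk, so this is inferred from the commit message), the old `>` would have let index AF_MAX through, which is a stronger reason for the change than "one rule too many". I would tighten the comment to something like `/* families >= AF_MAX have no slot in the net tables: consume and drop them */` so the boundary is not loosened again later. unpack_profile's body starts and ends outside the hunk, so the loop bound on `i` and the store that follows the discard branch cannot be checked from here.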