From 15756178c6a65b261a080e21af4766f59cafc112 Mon Sep 17 00:00:00 2001
From: John Johansen <john.johansen@canonical.com>
Date: Thu, 2 Jun 2016 02:37:02 -0700
Subject: [PATCH] apparmor: add missing id bounds check on dfa verification
Git-commit: 15756178c6a65b261a080e21af4766f59cafc112
Patch-mainline: 4.8-rc1
References: bsc#1000304

Signed-off-by: John Johansen <john.johansen@canonical.com>
Acked-by: Takashi Iwai <tiwai@suse.de>

---
 security/apparmor/include/match.h |    1 +
 security/apparmor/match.c         |    2 ++
 2 files changed, 3 insertions(+)

--- a/security/apparmor/include/match.h
+++ b/security/apparmor/include/match.h
@@ -62,6 +62,7 @@ struct table_set_header {
 #define YYTD_ID_ACCEPT2 6
 #define YYTD_ID_NXT	7
 #define YYTD_ID_TSIZE	8
+#define YYTD_ID_MAX	8
 
 #define YYTD_DATA8	1
 #define YYTD_DATA16	2
--- a/security/apparmor/match.c
+++ b/security/apparmor/match.c
@@ -47,6 +47,8 @@ static struct table_header *unpack_table
 	 * it every time we use td_id as an index
 	 */
 	th.td_id = be16_to_cpu(*(u16 *) (blob)) - 1;
+	if (th.td_id > YYTD_ID_MAX)
+		goto out;
 	th.td_flags = be16_to_cpu(*(u16 *) (blob + 2));
 	th.td_lolen = be32_to_cpu(*(u32 *) (blob + 8));
 	blob += sizeof(struct table_header);
