@@ -575,7 +575,7 @@
size = unpack_array(e, "net_allowed_af");
if (size) {
- for (i = 0; i < size; i++) {
+ for (i = 0; i < size && i < AF_MAX; i++) {
if (!unpack_u16(e, &profile->net.allow[i], NULL))
goto fail;
if (!unpack_u16(e, &profile->net.audit[i], NULL))
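Review bot: The new bound `i < AF_MAX` in the loop condition only prevents an out-of-bounds write if `profile->net.allow`, `audit` and `quiet` are each declared with AF_MAX elements, and that declaration is not visible in this hunk. Writing the limit as `i < size && i < ARRAY_SIZE(profile->net.allow)` would tie the check to the real array, so a later change to the declaration cannot reopen the overflow from a policy-supplied `size`. The loop body continues in the next hunk, and the enclosing function starts and ends outside both.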
@@ -583,6 +583,20 @@
if (!unpack_u16(e, &profile->net.quiet[i], NULL))
goto fail;
}
+ /*
+ * A newer version of userspace tools might support more
+ * address families than this kernel supports. Read and discard
+ * address families which are not supported by this kernel.
+ */
+ for (; i < size; i++) {
+ u16 dummy;
+ if (!unpack_u16(e, &dummy, NULL))
+ goto fail;
+ if (!unpack_u16(e, &dummy, NULL))
+ goto fail;
+ if (!unpack_u16(e, &dummy, NULL))
+ goto fail;
+ }
if (!unpack_nameX(e, AA_ARRAYEND, NULL))
goto fail;
/*
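Review bot: The discard loop has to consume exactly the same three u16 fields per entry as the storing loop above it, but nothing in the code states that coupling. If a fourth per-family mask is ever added to the first loop and not here, the stream would be misaligned for every field that follows whenever `size` exceeds AF_MAX. I would extend the new comment with `Each skipped entry must consume the same fields, in the same order, as the loop above.` Kernel style also asks for a blank line after the `u16 dummy;` declaration. The enclosing function starts and ends outside this hunk.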