From 5e97d50e171fcaf5f50fd349a2be189b61593f31 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <luca.boccassi@gmail.com>
Date: Thu, 16 Oct 2025 14:59:50 +0100
Subject: [PATCH] dissect: fix image policy check for bare dm-verity filesystem

The root_hash_sig pointer might be set, but to an empty iovec. Check
that the length is > 0 instead.

Follow-up for cd22d8562dd085f5c234cf26b4dd773029418833
---
 src/shared/dissect-image.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/shared/dissect-image.c b/src/shared/dissect-image.c
index de9475e6d3..be40c77260 100644
--- a/src/shared/dissect-image.c
+++ b/src/shared/dissect-image.c
@@ -881,7 +881,7 @@ static int dissect_image(
                         encrypted = streq_ptr(fstype, "crypto_LUKS");
 
                         if (verity_settings_data_covers(verity, PARTITION_ROOT))
-                                found_flags = verity->root_hash_sig ? PARTITION_POLICY_SIGNED : PARTITION_POLICY_VERITY;
+                                found_flags = verity->root_hash_sig_size > 0 ? PARTITION_POLICY_SIGNED : PARTITION_POLICY_VERITY;
                         else
                                 found_flags = encrypted ? PARTITION_POLICY_ENCRYPTED : PARTITION_POLICY_UNPROTECTED;