[SELINUX] Fix error handling bug.

From: James Morris
Date: Sat Feb 14 2004 - 13:59:43 EST


The patch below fixes an error handling flaw, where we need to return a
Netfilter verdict from the function rather than a standard error code.

Please apply.


- James
--
James Morris
<jmorris@xxxxxxxxxx>

diff -urpN -X dontdiff linux-2.6.3-rc2-mm1.o/security/selinux/hooks.c linux-2.6.3-rc2-mm1.w3/security/selinux/hooks.c
--- linux-2.6.3-rc2-mm1.o/security/selinux/hooks.c 2004-02-13 20:27:58.000000000 -0500
+++ linux-2.6.3-rc2-mm1.w3/security/selinux/hooks.c 2004-02-14 13:44:52.000000000 -0500
@@ -3179,8 +3179,9 @@ static unsigned int selinux_ip_postroute

/* Fixme: this lookup is inefficient */
iph = skb->nh.iph;
- err = security_node_sid(PF_INET, &iph->daddr, sizeof(iph->daddr), &node_sid);
- if (err)
+ err = security_node_sid(PF_INET, &iph->daddr, sizeof(iph->daddr),
+ &node_sid) ? NF_DROP : NF_ACCEPT;
+ if (err != NF_ACCEPT)
goto out;

err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
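
Review bot: In the rewritten assignment, `err` now holds a Netfilter verdict (NF_DROP or NF_ACCEPT) rather than an error code, yet the trailing context line `err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,` reuses the same variable for a call whose remainder is not visible in this hunk. Please confirm that result is also mapped to a verdict before control reaches `out`, since the function is declared `static unsigned int` and the stated goal is to return a verdict on every path. A short comment on the assignment, or a variable name that says it carries a verdict, would make the mixed meaning harder to reintroduce. Mapping a failed `security_node_sid` lookup to NF_DROP keeps the hook fail-closed, which is worth stating in the comment as well.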
