[patch] selinux: Fix address length checks in connect hook

From: Stephen Smalley
Date: Thu Jul 28 2005 - 15:31:21 EST


This patch fixes the address length checks in the selinux_socket_connect
hook to be no more restrictive than the underlying ipv4 and ipv6 code;
otherwise, this hook can reject valid connect calls. This patch is in
response to a bug report where an application was calling connect on an
INET6 socket with an address that didn't include the optional scope id
and failing due to these checks. Please apply. To 2.6.13, if possible.

Signed-off-by: Stephen Smalley <sds@xxxxxxxxxxxxx>
Signed-off-by: James Morris <jmorris@xxxxxxxxxx>

---

security/selinux/hooks.c | 4 ++--
1 files changed, 2 insertions(+), 2 deletions(-)

diff -rup linux-2.6.13-rc3-mm3/security/selinux/hooks.c linux-2.6.13-rc3-mm3-fix/security/selinux/hooks.c
--- linux-2.6.13-rc3-mm3/security/selinux/hooks.c 2005-07-28 14:59:58.000000000 -0400
+++ linux-2.6.13-rc3-mm3-fix/security/selinux/hooks.c 2005-07-28 14:56:58.000000000 -0400
@@ -3073,12 +3073,12 @@ static int selinux_socket_connect(struct

if (sk->sk_family == PF_INET) {
addr4 = (struct sockaddr_in *)address;
- if (addrlen != sizeof(struct sockaddr_in))
+ if (addrlen < sizeof(struct sockaddr_in))
return -EINVAL;
snum = ntohs(addr4->sin_port);
} else {
addr6 = (struct sockaddr_in6 *)address;
- if (addrlen != sizeof(struct sockaddr_in6))
+ if (addrlen < SIN6_LEN_RFC2133)
return -EINVAL;
snum = ntohs(addr6->sin6_port);
}
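Review bot: the IPv6 branch now accepts any addrlen of at least SIN6_LEN_RFC2133 (a sockaddr_in6 truncated before the optional sin6_scope_id) while the IPv4 branch still requires the full sizeof(struct sockaddr_in); a short comment next to `+ if (addrlen < SIN6_LEN_RFC2133)` saying that the scope id is optional and that sin6_port lies within those first bytes would keep the next reader from having to dig up this commit message. One caveat on the switch from `!=` to `<`: the hunk header cuts off the prototype, but if addrlen is an int, the comparison against a size_t is done in unsigned arithmetic, so a negative addrlen now passes where the old `!=` rejected it; either rely on the core socket code having already bounded addrlen before the hook runs, or write the check as `addrlen < 0 || (size_t)addrlen < SIN6_LEN_RFC2133` (and likewise for the sockaddr_in case).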

--
Stephen Smalley
National Security Agency
