[thirdparty/kernel/stable-queue.git] / releases / 2.6.19.2 / netlabel-correctly-fill-in-unused-cipsov4-level-and-category-mappings.patch

From stable-bounces@linux.kernel.org  Fri Jan  5 11:35:00 2007
From: "Paul Moore" <paul.moore@hp.com>
Message-Id: <20061218180735.795797000@hp.com>
Date: Mon, 18 Dec 2006 13:07:29 -0500
To: stable@kernel.org
Subject: NetLabel: correctly fill in unused CIPSOv4 level and category mappings

From: Paul Moore <paul.moore@hp.com>

Back when the original NetLabel patches were being changed to use Netlink
attributes correctly some code was accidentially dropped which set all of the
undefined CIPSOv4 level and category mappings to a sentinel value.  The result
is the mappings data in the kernel contains bogus mappings which always map to
zero.  Having level and category mappings that map to zero could result in the
kernel assigning incorrect security attributes to packets.

This patch restores the old/correct behavior by initializing the mapping
data to the correct sentinel value.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
 net/netlabel/netlabel_cipso_v4.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- linux-2.6.19.1.orig/net/netlabel/netlabel_cipso_v4.c
+++ linux-2.6.19.1/net/netlabel/netlabel_cipso_v4.c
@@ -162,6 +162,7 @@ static int netlbl_cipsov4_add_std(struct
 	struct nlattr *nla_b;
 	int nla_a_rem;
 	int nla_b_rem;
+	u32 iter;
 
 	if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] ||
 	    !info->attrs[NLBL_CIPSOV4_A_MLSLVLLST])
@@ -223,6 +224,10 @@ static int netlbl_cipsov4_add_std(struct
 		ret_val = -ENOMEM;
 		goto add_std_failure;
 	}
+	for (iter = 0; iter < doi_def->map.std->lvl.local_size; iter++)
+		doi_def->map.std->lvl.local[iter] = CIPSO_V4_INV_LVL;
+	for (iter = 0; iter < doi_def->map.std->lvl.cipso_size; iter++)
+		doi_def->map.std->lvl.cipso[iter] = CIPSO_V4_INV_LVL;
 	nla_for_each_nested(nla_a,
 			    info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
 			    nla_a_rem)
@@ -296,6 +301,10 @@ static int netlbl_cipsov4_add_std(struct
 			ret_val = -ENOMEM;
 			goto add_std_failure;
 		}
+		for (iter = 0; iter < doi_def->map.std->cat.local_size; iter++)
+			doi_def->map.std->cat.local[iter] = CIPSO_V4_INV_CAT;
+		for (iter = 0; iter < doi_def->map.std->cat.cipso_size; iter++)
+			doi_def->map.std->cat.cipso[iter] = CIPSO_V4_INV_CAT;
 		nla_for_each_nested(nla_a,
 				    info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
 				    nla_a_rem)
Commit	Line	Data
2532c0bb CW	1	From stable-bounces@linux.kernel.org Fri Jan 5 11:35:00 2007
	2	From: "Paul Moore" <paul.moore@hp.com>
	3	Message-Id: <20061218180735.795797000@hp.com>
	4	Date: Mon, 18 Dec 2006 13:07:29 -0500
	5	To: stable@kernel.org
	6	Subject: NetLabel: correctly fill in unused CIPSOv4 level and category mappings
	7
	8	From: Paul Moore <paul.moore@hp.com>
	9
	10	Back when the original NetLabel patches were being changed to use Netlink
	11	attributes correctly some code was accidentially dropped which set all of the
	12	undefined CIPSOv4 level and category mappings to a sentinel value. The result
	13	is the mappings data in the kernel contains bogus mappings which always map to
	14	zero. Having level and category mappings that map to zero could result in the
	15	kernel assigning incorrect security attributes to packets.
	16
	17	This patch restores the old/correct behavior by initializing the mapping
	18	data to the correct sentinel value.
	19
	20	Signed-off-by: Paul Moore <paul.moore@hp.com>
	21	Signed-off-by: Chris Wright <chrisw@sous-sol.org>
	22	---
	23	net/netlabel/netlabel_cipso_v4.c \| 9 +++++++++
	24	1 file changed, 9 insertions(+)
	25
	26	--- linux-2.6.19.1.orig/net/netlabel/netlabel_cipso_v4.c
	27	+++ linux-2.6.19.1/net/netlabel/netlabel_cipso_v4.c
	28	@@ -162,6 +162,7 @@ static int netlbl_cipsov4_add_std(struct
	29	struct nlattr *nla_b;
	30	int nla_a_rem;
	31	int nla_b_rem;
	32	+ u32 iter;
	33
	34	if (!info->attrs[NLBL_CIPSOV4_A_TAGLST] \|\|
	35	!info->attrs[NLBL_CIPSOV4_A_MLSLVLLST])
	36	@@ -223,6 +224,10 @@ static int netlbl_cipsov4_add_std(struct
	37	ret_val = -ENOMEM;
	38	goto add_std_failure;
	39	}
	40	+ for (iter = 0; iter < doi_def->map.std->lvl.local_size; iter++)
	41	+ doi_def->map.std->lvl.local[iter] = CIPSO_V4_INV_LVL;
	42	+ for (iter = 0; iter < doi_def->map.std->lvl.cipso_size; iter++)
	43	+ doi_def->map.std->lvl.cipso[iter] = CIPSO_V4_INV_LVL;
	44	nla_for_each_nested(nla_a,
	45	info->attrs[NLBL_CIPSOV4_A_MLSLVLLST],
	46	nla_a_rem)
	47	@@ -296,6 +301,10 @@ static int netlbl_cipsov4_add_std(struct
	48	ret_val = -ENOMEM;
	49	goto add_std_failure;
	50	}
	51	+ for (iter = 0; iter < doi_def->map.std->cat.local_size; iter++)
	52	+ doi_def->map.std->cat.local[iter] = CIPSO_V4_INV_CAT;
	53	+ for (iter = 0; iter < doi_def->map.std->cat.cipso_size; iter++)
	54	+ doi_def->map.std->cat.cipso[iter] = CIPSO_V4_INV_CAT;
	55	nla_for_each_nested(nla_a,
	56	info->attrs[NLBL_CIPSOV4_A_MLSCATLST],
	57	nla_a_rem)