--- /dev/null
+From eteo@redhat.com Wed Apr 29 13:47:17 2009
+From: Eugene Teo <eteo@redhat.com>
+Date: Mon, 13 Apr 2009 10:04:41 +0800
+Subject: unreached code in selinux_ip_postroute_iptables_compat() (CVE-2009-1184)
+To: paul.moore@hp.com
+Cc: jmorris@namei.org, greg@kroah.com, chrisw@redhat.com, error27@gmail.com
+Message-ID: <20090413020434.GA29916@kernel.sg>
+
+From: Eugene Teo <eteo@redhat.com>
+
+Not upstream in 2.6.30, as the function was removed there, making this a
+non-issue.
+
+Node and port send checks can skip in the compat_net=1 case. This bug
+was introduced in commit effad8d.
+
+Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
+Reported-by: Dan Carpenter <error27@gmail.com>
+Acked-by: James Morris <jmorris@namei.org>
+Acked-by: Paul Moore <paul.moore@hp.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ security/selinux/hooks.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/selinux/hooks.c
++++ b/security/selinux/hooks.c
+@@ -4661,6 +4661,7 @@ static int selinux_ip_postroute_iptables
+ if (err)
+ return err;
+ err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
++ if (err)
+ return err;
+
+ err = sel_netnode_sid(addrp, family, &node_sid);
projects / thirdparty / kernel / stable-queue.git / commitdiff
