From patchwork Thu May 31 20:09:23 2012
X-Patchwork-Submitter: Paul Moore
X-Patchwork-Id: 162228
X-Patchwork-Delegate: davem@davemloft.net
Subject: [PATCH] cipso: handle CIPSO options correctly when NetLabel is disabled
To: netdev@vger.kernel.org
From: Paul Moore
Cc: linux-security-module@vger.kernel.org, stable@kernel.org
Date: Thu, 31 May 2012 16:09:23 -0400
Message-ID: <20120531200922.6265.81763.stgit@sifl>
User-Agent: StGit/0.16

When NetLabel is not enabled, e.g. CONFIG_NETLABEL=n, and the system receives a CIPSO-tagged packet it is dropped (cipso_v4_validate() returns non-zero). In most cases this is the correct and desired behavior; however, in the case where we are simply forwarding the traffic, e.g. acting as a network bridge, this becomes a problem.

This patch fixes the forwarding problem by providing the basic CIPSO validation code directly in ip_options_compile() without the need for the NetLabel or CIPSO code. The new validation code cannot perform any of the CIPSO option label/value verification that cipso_v4_validate() does, but it can verify the basic CIPSO option format.

The behavior when NetLabel is enabled is unchanged.

Signed-off-by: Paul Moore
---
 net/ipv4/ip_options.c |   20 ++++++++++++++++++++
 1 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/net/ipv4/ip_options.c b/net/ipv4/ip_options.c
index 708b994..ca2c919 100644
--- a/net/ipv4/ip_options.c
+++ b/net/ipv4/ip_options.c
@@ -439,10 +439,30 @@ int ip_options_compile(struct net *net, goto error; } opt->cipso = optptr - iph; +#ifndef CONFIG_NETLABEL + if (optlen < 8) { + pp_ptr = optptr + 1; + goto error; + } + if (get_unaligned_be32(&optptr[2]) != 0) { + unsigned int iter; + for (iter = 6; iter < optlen;) { + if (optptr[iter+1] > (optlen - iter)) { + pp_ptr = optptr + iter; + goto error; + } + iter += optptr[iter + 1]; + } + } else { + pp_ptr = optptr + 2; + goto error; + } +#else if (cipso_v4_validate(skb, &optptr)) { pp_ptr = optptr; goto error; } +#endif /* CONFIG_NETLABEL */ break; case IPOPT_SEC: case IPOPT_SID:
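Review bot: the tag walk in the new `#ifndef CONFIG_NETLABEL` block can loop forever on a zero tag length: `iter += optptr[iter + 1];` never advances when that byte is 0, and the preceding check `if (optptr[iter+1] > (optlen - iter))` accepts 0, so a forwarded packet carrying such an option would keep this CPU inside ip_options_compile() indefinitely. Reject zero together with the overflow case, e.g. `if (optptr[iter+1] == 0 || optptr[iter+1] > (optlen - iter))`. Separately, the loop condition `iter < optlen` admits `iter == optlen - 1`, and `optptr[iter+1]` then reads the byte just past the option; an `if (iter + 1 == optlen) goto error` before the length read closes that. Finally, cipso_v4_validate() already implements these same format checks, so a small helper shared by both the NetLabel and non-NetLabel builds would keep the two copies from drifting apart.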
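The basic CIPSO format checks the commit message describes (minimum option length, non-zero DOI, and a chain of tags consistent with the option length), written out as a standalone userspace validator so the edge cases can be exercised on constructed byte strings. This is an added example, not the kernel's code: the names `cipso_validate`, `cipso_doi` and `CIPSO_MIN_LEN` are this example's own, the function takes an explicit buffer size so a truncated input is never read past, and it also rejects a zero tag length, a case the kernel hunk above does not guard against. All option bytes in `main` are constructed test vectors.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define IPOPT_CIPSO   134u  /* IPv4 option type carrying a CIPSO label */
#define CIPSO_MIN_LEN 8u    /* type, length, 4-byte DOI, one 2-byte tag header (example's own constant) */

/* Read the big-endian 32-bit Domain of Interpretation without assuming alignment. */
static uint32_t cipso_doi(const uint8_t *opt)
{
    return ((uint32_t)opt[2] << 24) | ((uint32_t)opt[3] << 16) |
           ((uint32_t)opt[4] << 8)  |  (uint32_t)opt[5];
}

/*
 * Validate only the wire format of one CIPSO option: minimum length, a
 * non-zero DOI, and a tag chain whose (type, length, ...) entries fit inside
 * the option. No label semantics are checked, which is the "format only"
 * scope the commit message describes for the non-NetLabel path.
 *
 * opt   points at the option type byte.
 * avail is the number of bytes really present after opt, so a truncated
 *       packet can never cause an out-of-bounds read.
 *
 * Returns 0 when well-formed, -1 when opt is not a CIPSO option at all,
 * otherwise the offset (from opt) of the byte that failed validation.
 */
int cipso_validate(const uint8_t *opt, size_t avail)
{
    size_t opt_len, iter, tag_len;

    if (avail < 2 || opt[0] != IPOPT_CIPSO)
        return -1;
    opt_len = opt[1];
    if (opt_len < CIPSO_MIN_LEN || opt_len > avail)
        return 1;                   /* length byte too small or beyond the buffer */
    if (cipso_doi(opt) == 0)
        return 2;                   /* DOI zero is not a valid domain */

    for (iter = 6; iter < opt_len; ) {
        if (iter + 1 >= opt_len)
            return (int)iter;       /* tag type byte with no length byte after it */
        tag_len = opt[iter + 1];
        /* A zero length would never advance the walk; a length larger than
         * what remains would run past the option. Reject both. */
        if (tag_len == 0 || tag_len > opt_len - iter)
            return (int)(iter + 1);
        iter += tag_len;
    }
    return 0;
}

/* Constructed vectors: one well-formed option and the malformed shapes the
 * validator is meant to catch. */
int main(void)
{
    const uint8_t ok[]       = {134, 10, 0, 0, 0, 1, 1, 4, 0, 0};   /* DOI 1, one 4-byte tag */
    const uint8_t two_tags[] = {134, 14, 0, 0, 0, 1, 1, 4, 0, 0, 2, 4, 0, 0};
    const uint8_t too_short[] = {134, 6, 0, 0, 0, 1};
    const uint8_t zero_doi[] = {134, 8, 0, 0, 0, 0, 1, 2};
    const uint8_t zero_tag[] = {134, 10, 0, 0, 0, 1, 1, 0, 0, 0};   /* tag length 0 */
    const uint8_t big_tag[]  = {134, 10, 0, 0, 0, 1, 1, 8, 0, 0};   /* tag length past option end */
    const uint8_t dangling[] = {134, 9, 0, 0, 0, 1, 1, 2, 1};       /* type byte with no length */

    printf("ok        -> %d\n", cipso_validate(ok, sizeof ok));
    printf("two_tags  -> %d\n", cipso_validate(two_tags, sizeof two_tags));
    printf("too_short -> %d\n", cipso_validate(too_short, sizeof too_short));
    printf("zero_doi  -> %d\n", cipso_validate(zero_doi, sizeof zero_doi));
    printf("zero_tag  -> %d\n", cipso_validate(zero_tag, sizeof zero_tag));
    printf("big_tag   -> %d\n", cipso_validate(big_tag, sizeof big_tag));
    printf("dangling  -> %d\n", cipso_validate(dangling, sizeof dangling));
    printf("truncated -> %d\n", cipso_validate(ok, 6));   /* buffer shorter than length byte */
    return 0;
}
```

The return value follows the same convention as the kernel's `pp_ptr`: the offset of the offending byte, so a caller can place it in an ICMP parameter problem message or a log line. Passing `avail` explicitly is what makes the zero-length and dangling-type cases safe to probe: the walk can fail, but it can neither spin nor read outside the option.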