On Mon, Jun 6, 2016 at 3:35 PM, Paul Moore <pmoore@xxxxxxxxxx> wrote: > From: Paul Moore <paul@xxxxxxxxxxxxxx> > > It seems risky to always rely on the caller to ensure the socket's > address family is correct before passing it to the NetLabel kAPI, > especially since we see at least one LSM which didn't. Add address > family checks to the *_delattr() functions to help prevent future > problems. > > Cc: <stable@xxxxxxxxxxxxxxx> > Reported-by: Maninder Singh <maninder1.s@xxxxxxxxxxx> > Signed-off-by: Paul Moore <paul@xxxxxxxxxxxxxx> > --- > net/netlabel/netlabel_kapi.c | 12 ++++++++++-- > 1 file changed, 10 insertions(+), 2 deletions(-) DaveM, since this is such a trivial fix I'm adding it into my selinux#next branch right now, but if you would prefer to carry it via netdev#next let me know. > diff --git a/net/netlabel/netlabel_kapi.c b/net/netlabel/netlabel_kapi.c > index 1325776..bd007a9 100644 > --- a/net/netlabel/netlabel_kapi.c > +++ b/net/netlabel/netlabel_kapi.c > @@ -824,7 +824,11 @@ socket_setattr_return: > */ > void netlbl_sock_delattr(struct sock *sk) > { > - cipso_v4_sock_delattr(sk); > + switch (sk->sk_family) { > + case AF_INET: > + cipso_v4_sock_delattr(sk); > + break; > + } > } > > /** > @@ -987,7 +991,11 @@ req_setattr_return: > */ > void netlbl_req_delattr(struct request_sock *req) > { > - cipso_v4_req_delattr(req); > + switch (req->rsk_ops->family) { > + case AF_INET: > + cipso_v4_req_delattr(req); > + break; > + } > } > > /** > -- paul moore security @ redhat
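Review bot: the new switch in netlbl_sock_delattr() (hunk at -824) has only a "case AF_INET:" arm and no default, so every other value of sk->sk_family silently falls through to a no-op with nothing in the code saying that is intended. A one-line comment above the switch, or an explicit "default: break;", would record that the function deliberately does nothing for families it does not label, and would show the next person adding a family where the new case belongs.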
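Review bot: in netlbl_req_delattr() (hunk at -987) the switch expression "req->rsk_ops->family" dereferences req->rsk_ops unconditionally, while the sock variant reads the family straight from sk->sk_family. Since the stated goal is to stop trusting the caller, the changelog or a comment should say that rsk_ops is always set for any request_sock that can reach this function, or the code should guard the pointer before the switch. As in the first hunk, the missing default arm leaves the no-op behaviour for other families undocumented.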