On Mon, Nov 13, 2017 at 5:13 PM, Paul Moore <paul@xxxxxxxxxxxxxx> wrote:
> On Mon, Nov 13, 2017 at 3:54 PM, Richard Haines
> <richard_c_haines@xxxxxxxxxxxxxx> wrote:
>> When resolving a fallback label, check the sk_buff version as it
>> is possible (e.g. SCTP) to have family = PF_INET6 while
>> receiving ip_hdr(skb)->version = 4.
>>
>> Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
>> ---
>> net/netlabel/netlabel_unlabeled.c | 10 ++++++++++
>> 1 file changed, 10 insertions(+)
>
> Thanks Richard.
>
> Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
I don't believe the netdev folks picked this up, but I haven't heard
any objections (and I can't imagine there would be any) so I'm going
to go ahead and pull this into the selinux/next tree.
>> diff --git a/net/netlabel/netlabel_unlabeled.c b/net/netlabel/netlabel_unlabeled.c
>> index 22dc1b9..c070dfc 100644
>> --- a/net/netlabel/netlabel_unlabeled.c
>> +++ b/net/netlabel/netlabel_unlabeled.c
>> @@ -1472,6 +1472,16 @@ int netlbl_unlabel_getattr(const struct sk_buff *skb,
>> iface = rcu_dereference(netlbl_unlhsh_def);
>> if (iface == NULL || !iface->valid)
>> goto unlabel_getattr_nolabel;
>> +
>> +#if IS_ENABLED(CONFIG_IPV6)
>> + /* When resolving a fallback label, check the sk_buff version as
>> + * it is possible (e.g. SCTP) to have family = PF_INET6 while
>> + * receiving ip_hdr(skb)->version = 4.
>> + */
>> + if (family == PF_INET6 && ip_hdr(skb)->version == 4)
>> + family = PF_INET;
>> +#endif /* IPv6 */
>> +
>> switch (family) {
>> case PF_INET: {
>> struct iphdr *hdr4;
>> --
>> 2.13.6
--
paul moore
www.paul-moore.com
