On Wed, May 8, 2024 at 1:04 PM Christian Göttsche
<cgoettsche@xxxxxxxxxxxxx> wrote:
>
> From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
>
> The contiguous check for network masks requires host byte order on the
> underlying integers.
> Convert from network byte order to avoid wrong warnings.
>
> Fixes: 01b88ac3 ("checkpolicy: warn on bogus IP address or netmask in nodecon statement")
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
For these two patches:
Acked-by: James Carter <jwcart2@xxxxxxxxx>
> ---
> checkpolicy/policy_define.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index aa2ac2e6..9671906f 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -5292,7 +5292,7 @@ int define_ipv4_node_context(void)
>
> free(id);
>
> - if (mask.s_addr != 0 && ((~mask.s_addr + 1) & ~mask.s_addr) != 0) {
> + if (mask.s_addr != 0 && ((~be32toh(mask.s_addr) + 1) & ~be32toh(mask.s_addr)) != 0) {
> yywarn("ipv4 mask is not contiguous");
> }
>
> --
> 2.43.0
>
>
