The lower 64 bits of the subnet prefix for an ibpkeycon rule should all be 0's. Unfortunately the check uses the s6_addr macro which refers to the 16 entry array of 8-bit values in the union and does not refer to the correct bits. Use the s6_addr32 macro instead which refers to the 4 entry array of 32-bit values in the union and refers to the lower 64 bits. Signed-off-by: James Carter <jwcart2@xxxxxxxxx> --- checkpolicy/policy_define.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c index 4931f23d..bfeda86b 100644 --- a/checkpolicy/policy_define.c +++ b/checkpolicy/policy_define.c @@ -5036,7 +5036,7 @@ int define_ibpkey_context(unsigned int low, unsigned int high) goto out; } - if (subnet_prefix.s6_addr[2] || subnet_prefix.s6_addr[3]) { + if (subnet_prefix.s6_addr32[2] || subnet_prefix.s6_addr32[3]) { yyerror("subnet prefix should be 0's in the low order 64 bits."); rc = -1; goto out; -- 2.45.2
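Review bot: the new condition on the `+` line in define_ibpkey_context() depends on `s6_addr32`, which POSIX does not specify for `struct in6_addr` (only the byte array `s6_addr` is guaranteed), so this check may not build on every libc that checkpolicy is compiled against. A portable form of the same test would examine bytes 8 through 15 of `s6_addr`, for example by comparing `&subnet_prefix.s6_addr[8]` against eight zero bytes with memcmp(). It would also help for the commit message to state the behaviour change explicitly: the old test looked at bytes 2 and 3 of the prefix, which lie in the upper 64 bits, so a prefix with those bytes set was rejected, while non-zero bits in the low-order 64 bits were not caught. A checkpolicy test case with an ibpkeycon rule for each of these two inputs would keep the check from regressing.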