Patch "dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses." has been added to the 6.6-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     dccp-tcp-call-security_inet_conn_request-after-setti.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 3cbb4b9d137990cc1102800a91ef83438d20cae8
Author: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
Date:   Mon Oct 30 13:10:42 2023 -0700

    dccp/tcp: Call security_inet_conn_request() after setting IPv6 addresses.
    
    [ Upstream commit 23be1e0e2a83a8543214d2599a31d9a2185a796b ]
    
    Initially, commit 4237c75c0a35 ("[MLSXFRM]: Auto-labeling of child
    sockets") introduced security_inet_conn_request() in some functions
    where reqsk is allocated.  The hook is added just after the allocation,
    so reqsk's IPv6 remote address was not initialised then.
    
    However, SELinux/Smack started to read it in netlbl_req_setattr()
    after commit e1adea927080 ("calipso: Allow request sockets to be
    relabelled by the lsm.").
    
    Commit 284904aa7946 ("lsm: Relocate the IPv4 security_inet_conn_request()
    hooks") fixed that kind of issue only in TCPv4 because IPv6 labeling was
    not supported at that time.  Finally, the same issue was introduced again
    in IPv6.
    
    Let's apply the same fix on DCCPv6 and TCPv6.
    
    Fixes: e1adea927080 ("calipso: Allow request sockets to be relabelled by the lsm.")
    Signed-off-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>
    Acked-by: Paul Moore <paul@xxxxxxxxxxxxxx>
    Signed-off-by: Paolo Abeni <pabeni@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index c693a570682fb..6f5a556f4f6d7 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -360,15 +360,15 @@ static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 	if (dccp_parse_options(sk, dreq, skb))
 		goto drop_and_free;
 
-	if (security_inet_conn_request(sk, skb, req))
-		goto drop_and_free;
-
 	ireq = inet_rsk(req);
 	ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
 	ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
 	ireq->ireq_family = AF_INET6;
 	ireq->ir_mark = inet_request_mark(sk, skb);
 
+	if (security_inet_conn_request(sk, skb, req))
+		goto drop_and_free;
+
 	if (ipv6_opt_accepted(sk, skb, IP6CB(skb)) ||
 	    np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
 	    np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {
diff --git a/net/ipv6/syncookies.c b/net/ipv6/syncookies.c
index 5014aa6634527..8698b49dfc8de 100644
--- a/net/ipv6/syncookies.c
+++ b/net/ipv6/syncookies.c
@@ -180,14 +180,15 @@ struct sock *cookie_v6_check(struct sock *sk, struct sk_buff *skb)
 	treq = tcp_rsk(req);
 	treq->tfo_listener = false;
 
-	if (security_inet_conn_request(sk, skb, req))
-		goto out_free;
-
 	req->mss = mss;
 	ireq->ir_rmt_port = th->source;
 	ireq->ir_num = ntohs(th->dest);
 	ireq->ir_v6_rmt_addr = ipv6_hdr(skb)->saddr;
 	ireq->ir_v6_loc_addr = ipv6_hdr(skb)->daddr;
+
+	if (security_inet_conn_request(sk, skb, req))
+		goto out_free;
+
 	if (ipv6_opt_accepted(sk, skb, &TCP_SKB_CB(skb)->header.h6) ||
 	    np->rxopt.bits.rxinfo || np->rxopt.bits.rxoinfo ||
 	    np->rxopt.bits.rxhlim || np->rxopt.bits.rxohlim) {



[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux