[PATCH] NetLabel: Verify sensitivity level has a valid CIPSO mapping

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] NetLabel: Verify sensitivity level has a valid CIPSO mapping
@ 2007-02-28 20:01 Paul Moore
  2007-02-28 20:45 ` James Morris
  2007-03-02 16:12 ` Paul Moore
  0 siblings, 2 replies; 5+ messages in thread
From: Paul Moore @ 2007-02-28 20:01 UTC (permalink / raw)
  To: netdev; +Cc: redhat-lspp

[-- Attachment #1: netlabel-cipso_std_bug --]
[-- Type: text/plain, Size: 1527 bytes --]

The current CIPSO engine has a problem where it does not verify that the given
sensitivity level has a valid CIPSO mapping when the "std" CIPSO DOI type is
used.  The end result is that bad packets are sent on the wire which should
have never been sent in the first place.  This patch corrects this problem by
verifying the sensitivity level mapping similar to what is done with the
category mapping.  This patch also changes the returned error code in this case
to -EPERM to better match what the category mapping verification code returns.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 net/ipv4/cipso_ipv4.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Index: net-2.6_bugfix/net/ipv4/cipso_ipv4.c
===================================================================
--- net-2.6_bugfix.orig/net/ipv4/cipso_ipv4.c
+++ net-2.6_bugfix/net/ipv4/cipso_ipv4.c
@@ -732,11 +732,12 @@ static int cipso_v4_map_lvl_hton(const s
 		*net_lvl = host_lvl;
 		return 0;
 	case CIPSO_V4_MAP_STD:
-		if (host_lvl < doi_def->map.std->lvl.local_size) {
+		if (host_lvl < doi_def->map.std->lvl.local_size &&
+		    doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL) {
 			*net_lvl = doi_def->map.std->lvl.local[host_lvl];
 			return 0;
 		}
-		break;
+		return -EPERM;
 	}
 
 	return -EINVAL;
@@ -771,7 +772,7 @@ static int cipso_v4_map_lvl_ntoh(const s
 			*host_lvl = doi_def->map.std->lvl.cipso[net_lvl];
 			return 0;
 		}
-		break;
+		return -EPERM;
 	}
 
 	return -EINVAL;

--
paul moore
linux security @ hp


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] NetLabel: Verify sensitivity level has a valid CIPSO mapping
  2007-02-28 20:01 [PATCH] NetLabel: Verify sensitivity level has a valid CIPSO mapping Paul Moore
@ 2007-02-28 20:45 ` James Morris
  2007-03-02 21:19   ` David Miller
  2007-03-02 16:12 ` Paul Moore
  1 sibling, 1 reply; 5+ messages in thread
From: James Morris @ 2007-02-28 20:45 UTC (permalink / raw)
  To: Paul Moore; +Cc: netdev

On Wed, 28 Feb 2007, Paul Moore wrote:

> The current CIPSO engine has a problem where it does not verify that the given
> sensitivity level has a valid CIPSO mapping when the "std" CIPSO DOI type is
> used.  The end result is that bad packets are sent on the wire which should
> have never been sent in the first place.  This patch corrects this problem by
> verifying the sensitivity level mapping similar to what is done with the
> category mapping.  This patch also changes the returned error code in this case
> to -EPERM to better match what the category mapping verification code returns.
> 
> Signed-off-by: Paul Moore <paul.moore@hp.com>

[removed redhat-lspp, which is subscriber only]

Acked-by: James Morris <jmorris@namei.org>


> ---
>  net/ipv4/cipso_ipv4.c |    7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> Index: net-2.6_bugfix/net/ipv4/cipso_ipv4.c
> ===================================================================
> --- net-2.6_bugfix.orig/net/ipv4/cipso_ipv4.c
> +++ net-2.6_bugfix/net/ipv4/cipso_ipv4.c
> @@ -732,11 +732,12 @@ static int cipso_v4_map_lvl_hton(const s
>  		*net_lvl = host_lvl;
>  		return 0;
>  	case CIPSO_V4_MAP_STD:
> -		if (host_lvl < doi_def->map.std->lvl.local_size) {
> +		if (host_lvl < doi_def->map.std->lvl.local_size &&
> +		    doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL) {
>  			*net_lvl = doi_def->map.std->lvl.local[host_lvl];
>  			return 0;
>  		}
> -		break;
> +		return -EPERM;
>  	}
>  
>  	return -EINVAL;
> @@ -771,7 +772,7 @@ static int cipso_v4_map_lvl_ntoh(const s
>  			*host_lvl = doi_def->map.std->lvl.cipso[net_lvl];
>  			return 0;
>  		}
> -		break;
> +		return -EPERM;
>  	}
>  
>  	return -EINVAL;
> 
> --
> paul moore
> linux security @ hp
> 
> -
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

-- 
James Morris
<jmorris@namei.org>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] NetLabel: Verify sensitivity level has a valid CIPSO mapping
  2007-02-28 20:45 ` James Morris
@ 2007-03-02 21:19   ` David Miller
  0 siblings, 0 replies; 5+ messages in thread
From: David Miller @ 2007-03-02 21:19 UTC (permalink / raw)
  To: jmorris; +Cc: paul.moore, netdev

From: James Morris <jmorris@namei.org>
Date: Wed, 28 Feb 2007 15:45:07 -0500 (EST)

> On Wed, 28 Feb 2007, Paul Moore wrote:
> 
> > The current CIPSO engine has a problem where it does not verify that the given
> > sensitivity level has a valid CIPSO mapping when the "std" CIPSO DOI type is
> > used.  The end result is that bad packets are sent on the wire which should
> > have never been sent in the first place.  This patch corrects this problem by
> > verifying the sensitivity level mapping similar to what is done with the
> > category mapping.  This patch also changes the returned error code in this case
> > to -EPERM to better match what the category mapping verification code returns.
> > 
> > Signed-off-by: Paul Moore <paul.moore@hp.com>
> 
> [removed redhat-lspp, which is subscriber only]
> 
> Acked-by: James Morris <jmorris@namei.org>

Applied, thanks everyone.

If -stable inclusion is desired, please submit this patch there.
You can add my signoff if you want:

Signed-off-by: David S. Miller <davem@davemloft.net>

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] NetLabel: Verify sensitivity level has a valid CIPSO mapping
  2007-02-28 20:01 [PATCH] NetLabel: Verify sensitivity level has a valid CIPSO mapping Paul Moore
  2007-02-28 20:45 ` James Morris
@ 2007-03-02 16:12 ` Paul Moore
  2007-03-02 19:23   ` David Miller
  1 sibling, 1 reply; 5+ messages in thread
From: Paul Moore @ 2007-03-02 16:12 UTC (permalink / raw)
  To: netdev; +Cc: James Morris, David Miller

On Wednesday, February 28 2007 3:01:31 pm Paul Moore wrote:
> The current CIPSO engine has a problem where it does not verify that the
> given sensitivity level has a valid CIPSO mapping when the "std" CIPSO DOI
> type is used.  The end result is that bad packets are sent on the wire
> which should have never been sent in the first place.  This patch corrects
> this problem by verifying the sensitivity level mapping similar to what is
> done with the category mapping.  This patch also changes the returned error
> code in this case to -EPERM to better match what the category mapping
> verification code returns.
>
> Signed-off-by: Paul Moore <paul.moore@hp.com>
> ---
>  net/ipv4/cipso_ipv4.c |    7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)

I probably should have been more clear in the original patch posting ... this 
is a bugfix patch which I believe should go into 2.6.21 (as well as 
the -stable tree, but I know they like to see it hit Linus' tree first).

-- 
paul moore
linux security @ hp

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH] NetLabel: Verify sensitivity level has a valid CIPSO mapping
  2007-03-02 16:12 ` Paul Moore
@ 2007-03-02 19:23   ` David Miller
  0 siblings, 0 replies; 5+ messages in thread
From: David Miller @ 2007-03-02 19:23 UTC (permalink / raw)
  To: paul.moore; +Cc: netdev, jmorris

From: Paul Moore <paul.moore@hp.com>
Date: Fri, 2 Mar 2007 11:12:12 -0500

> On Wednesday, February 28 2007 3:01:31 pm Paul Moore wrote:
> > The current CIPSO engine has a problem where it does not verify that the
> > given sensitivity level has a valid CIPSO mapping when the "std" CIPSO DOI
> > type is used.  The end result is that bad packets are sent on the wire
> > which should have never been sent in the first place.  This patch corrects
> > this problem by verifying the sensitivity level mapping similar to what is
> > done with the category mapping.  This patch also changes the returned error
> > code in this case to -EPERM to better match what the category mapping
> > verification code returns.
> >
> > Signed-off-by: Paul Moore <paul.moore@hp.com>
> > ---
> >  net/ipv4/cipso_ipv4.c |    7 ++++---
> >  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> I probably should have been more clear in the original patch posting ... this 
> is a bugfix patch which I believe should go into 2.6.21 (as well as 
> the -stable tree, but I know they like to see it hit Linus' tree first).

I realize this and plan to apply the patch, I'm just backlogged
at the moment.

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2007-03-02 21:19 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2007-02-28 20:01 [PATCH] NetLabel: Verify sensitivity level has a valid CIPSO mapping Paul Moore
2007-02-28 20:45 ` James Morris
2007-03-02 21:19   ` David Miller
2007-03-02 16:12 ` Paul Moore
2007-03-02 19:23   ` David Miller

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.