* [PATCH] NetLabel: Verify sensitivity level has a valid CIPSO mapping
From: Paul Moore @ 2007-02-28 20:01 UTC (permalink / raw)
  To: netdev; +Cc: redhat-lspp


The current CIPSO engine has a problem where it does not verify that the given
sensitivity level has a valid CIPSO mapping when the "std" CIPSO DOI type is
used.  The end result is that bad packets are sent on the wire which should
have never been sent in the first place.  This patch corrects this problem by
verifying the sensitivity level mapping similar to what is done with the
category mapping.  This patch also changes the returned error code in this case
to -EPERM to better match what the category mapping verification code returns.

Signed-off-by: Paul Moore <paul.moore@hp.com>
---
 net/ipv4/cipso_ipv4.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

Index: net-2.6_bugfix/net/ipv4/cipso_ipv4.c
===================================================================
--- net-2.6_bugfix.orig/net/ipv4/cipso_ipv4.c
+++ net-2.6_bugfix/net/ipv4/cipso_ipv4.c
@@ -732,11 +732,12 @@ static int cipso_v4_map_lvl_hton(const s
 		*net_lvl = host_lvl;
 		return 0;
 	case CIPSO_V4_MAP_STD:
-		if (host_lvl < doi_def->map.std->lvl.local_size) {
+		if (host_lvl < doi_def->map.std->lvl.local_size &&
+		    doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL) {
 			*net_lvl = doi_def->map.std->lvl.local[host_lvl];
 			return 0;
 		}
-		break;
+		return -EPERM;
 	}
 
 	return -EINVAL;
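Review bot: replacing `break` with `return -EPERM` in the CIPSO_V4_MAP_STD case also changes the result for an out-of-range `host_lvl` (`host_lvl >= doi_def->map.std->lvl.local_size`), which previously fell through to the trailing `return -EINVAL`; the changelog only describes the unmapped-level case, so either state that range failures now report -EPERM as well or keep the two cases distinct. The added `doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL` test is the right guard against copying an unmapped slot's sentinel into `*net_lvl`, but it only holds if every unmapped slot in `local[]` is initialised to CIPSO_V4_INV_LVL when the DOI definition is built; a comment at that site would keep the invariant visible. After this change the function's final `return -EINVAL` is reached only for an unknown map type.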
@@ -771,7 +772,7 @@ static int cipso_v4_map_lvl_ntoh(const s
 			*host_lvl = doi_def->map.std->lvl.cipso[net_lvl];
 			return 0;
 		}
-		break;
+		return -EPERM;
 	}
 
 	return -EINVAL;
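Review bot: this hunk only swaps `break` for `return -EPERM` on the network-to-host side; the condition guarding `*host_lvl = doi_def->map.std->lvl.cipso[net_lvl]` is outside the shown context, so please confirm it already rejects a `cipso[net_lvl]` entry equal to CIPSO_V4_INV_LVL, mirroring the check added to cipso_v4_map_lvl_hton above, otherwise an incoming packet carrying an unmapped network level would still be accepted with the sentinel as its host level. Since this is the receive path, any caller that treats -EINVAL (malformed option) differently from -EPERM (no mapping) should be checked against the new return value.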

--
paul moore
linux security @ hp
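To make the failure mode in the changelog concrete, here is an added, stand-alone model of the "std" host-to-network level lookup with the pre-patch and post-patch guards side by side. It is example code written for this page, not the kernel's net/ipv4/cipso_ipv4.c; the struct layout, the mapping table, and the value of CIPSO_V4_INV_LVL are assumptions made for the illustration.

```c
/*
 * Added example, not code from net/ipv4/cipso_ipv4.c: a stand-alone model of
 * the CIPSO "std" host->network sensitivity level lookup, before and after
 * the patch. The struct layout, the table contents and the sentinel value
 * below are assumptions made for this illustration.
 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>

/* Sentinel stored in a level slot that has no mapping (value assumed). */
#define CIPSO_V4_INV_LVL 0x80000000u

/* Constructed stand-in for doi_def->map.std->lvl: host level -> network level. */
struct lvl_map {
	uint32_t local_size;    /* number of entries in local[] */
	const uint32_t *local;  /* local[h] is the network level or CIPSO_V4_INV_LVL */
};

/*
 * Pre-patch lookup: only the array bound is checked, so an unmapped slot's
 * sentinel is copied into *net_lvl and the call still reports success. That
 * sentinel then ends up in the CIPSO option on the wire.
 */
int map_lvl_hton_before(const struct lvl_map *m, uint32_t host_lvl,
			uint32_t *net_lvl)
{
	if (host_lvl < m->local_size) {
		*net_lvl = m->local[host_lvl];
		return 0;
	}
	return -EINVAL;
}

/*
 * Post-patch lookup: the slot must be in range *and* hold a real mapping.
 * Both failures now report -EPERM, as the category lookup does.
 */
int map_lvl_hton_after(const struct lvl_map *m, uint32_t host_lvl,
		       uint32_t *net_lvl)
{
	if (host_lvl < m->local_size &&
	    m->local[host_lvl] < CIPSO_V4_INV_LVL) {
		*net_lvl = m->local[host_lvl];
		return 0;
	}
	return -EPERM;
}

/* Constructed DOI table: host levels 0, 1 and 3 are mapped, level 2 is not. */
static const uint32_t example_local[] = { 0, 10, CIPSO_V4_INV_LVL, 30 };
const struct lvl_map example_map = { 4, example_local };

/*
 * Walk every host level in the table and count how many the pre-patch code
 * would have "successfully" translated to the sentinel. A non-zero result
 * means packets would leave with an invalid level in their CIPSO option.
 */
int count_sentinel_leaks(const struct lvl_map *m)
{
	int leaks = 0;
	uint32_t h, net;

	for (h = 0; h < m->local_size; h++)
		if (map_lvl_hton_before(m, h, &net) == 0 &&
		    net >= CIPSO_V4_INV_LVL)
			leaks++;
	return leaks;
}

int main(void)
{
	uint32_t h, net;

	/* One past local_size shows the out-of-range case for both versions. */
	for (h = 0; h <= example_map.local_size; h++) {
		int before = map_lvl_hton_before(&example_map, h, &net);
		uint32_t net_before = before == 0 ? net : 0;
		int after = map_lvl_hton_after(&example_map, h, &net);

		printf("host level %u: before rc=%d net=0x%x, after rc=%d\n",
		       h, before, net_before, after);
	}
	printf("levels the old code would leak as sentinel: %d\n",
	       count_sentinel_leaks(&example_map));
	return 0;
}
```

Running it shows host level 2 translating to the 0x80000000 sentinel with rc=0 under the old guard and to -EPERM under the new one; the out-of-range level 4 moves from -EINVAL to -EPERM, which is the side effect of the `return -EPERM` that a reviewer would want called out in the changelog.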



* Re: [PATCH] NetLabel: Verify sensitivity level has a valid CIPSO mapping
From: James Morris @ 2007-02-28 20:45 UTC (permalink / raw)
  To: Paul Moore; +Cc: netdev

On Wed, 28 Feb 2007, Paul Moore wrote:

> The current CIPSO engine has a problem where it does not verify that the given
> sensitivity level has a valid CIPSO mapping when the "std" CIPSO DOI type is
> used.  The end result is that bad packets are sent on the wire which should
> have never been sent in the first place.  This patch corrects this problem by
> verifying the sensitivity level mapping similar to what is done with the
> category mapping.  This patch also changes the returned error code in this case
> to -EPERM to better match what the category mapping verification code returns.
> 
> Signed-off-by: Paul Moore <paul.moore@hp.com>

[removed redhat-lspp, which is subscriber only]

Acked-by: James Morris <jmorris@namei.org>


> ---
>  net/ipv4/cipso_ipv4.c |    7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> Index: net-2.6_bugfix/net/ipv4/cipso_ipv4.c
> ===================================================================
> --- net-2.6_bugfix.orig/net/ipv4/cipso_ipv4.c
> +++ net-2.6_bugfix/net/ipv4/cipso_ipv4.c
> @@ -732,11 +732,12 @@ static int cipso_v4_map_lvl_hton(const s
>  		*net_lvl = host_lvl;
>  		return 0;
>  	case CIPSO_V4_MAP_STD:
> -		if (host_lvl < doi_def->map.std->lvl.local_size) {
> +		if (host_lvl < doi_def->map.std->lvl.local_size &&
> +		    doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL) {
>  			*net_lvl = doi_def->map.std->lvl.local[host_lvl];
>  			return 0;
>  		}
> -		break;
> +		return -EPERM;
>  	}
>  
>  	return -EINVAL;
> @@ -771,7 +772,7 @@ static int cipso_v4_map_lvl_ntoh(const s
>  			*host_lvl = doi_def->map.std->lvl.cipso[net_lvl];
>  			return 0;
>  		}
> -		break;
> +		return -EPERM;
>  	}
>  
>  	return -EINVAL;
> 
> --
> paul moore
> linux security @ hp
> 

-- 
James Morris
<jmorris@namei.org>


* Re: [PATCH] NetLabel: Verify sensitivity level has a valid CIPSO mapping
From: Paul Moore @ 2007-03-02 16:12 UTC (permalink / raw)
  To: netdev; +Cc: James Morris, David Miller

On Wednesday, February 28 2007 3:01:31 pm Paul Moore wrote:
> The current CIPSO engine has a problem where it does not verify that the
> given sensitivity level has a valid CIPSO mapping when the "std" CIPSO DOI
> type is used.  The end result is that bad packets are sent on the wire
> which should have never been sent in the first place.  This patch corrects
> this problem by verifying the sensitivity level mapping similar to what is
> done with the category mapping.  This patch also changes the returned error
> code in this case to -EPERM to better match what the category mapping
> verification code returns.
>
> Signed-off-by: Paul Moore <paul.moore@hp.com>
> ---
>  net/ipv4/cipso_ipv4.c |    7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)

I probably should have been more clear in the original patch posting ... this 
is a bugfix patch which I believe should go into 2.6.21 (as well as 
the -stable tree, but I know they like to see it hit Linus' tree first).

-- 
paul moore
linux security @ hp


* Re: [PATCH] NetLabel: Verify sensitivity level has a valid CIPSO mapping
From: David Miller @ 2007-03-02 19:23 UTC (permalink / raw)
  To: paul.moore; +Cc: netdev, jmorris

From: Paul Moore <paul.moore@hp.com>
Date: Fri, 2 Mar 2007 11:12:12 -0500

> On Wednesday, February 28 2007 3:01:31 pm Paul Moore wrote:
> > The current CIPSO engine has a problem where it does not verify that the
> > given sensitivity level has a valid CIPSO mapping when the "std" CIPSO DOI
> > type is used.  The end result is that bad packets are sent on the wire
> > which should have never been sent in the first place.  This patch corrects
> > this problem by verifying the sensitivity level mapping similar to what is
> > done with the category mapping.  This patch also changes the returned error
> > code in this case to -EPERM to better match what the category mapping
> > verification code returns.
> >
> > Signed-off-by: Paul Moore <paul.moore@hp.com>
> > ---
> >  net/ipv4/cipso_ipv4.c |    7 ++++---
> >  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> I probably should have been more clear in the original patch posting ... this 
> is a bugfix patch which I believe should go into 2.6.21 (as well as 
> the -stable tree, but I know they like to see it hit Linus' tree first).

I realize this and plan to apply the patch, I'm just backlogged
at the moment.


* Re: [PATCH] NetLabel: Verify sensitivity level has a valid CIPSO mapping
From: David Miller @ 2007-03-02 21:19 UTC (permalink / raw)
  To: jmorris; +Cc: paul.moore, netdev

From: James Morris <jmorris@namei.org>
Date: Wed, 28 Feb 2007 15:45:07 -0500 (EST)

> On Wed, 28 Feb 2007, Paul Moore wrote:
> 
> > The current CIPSO engine has a problem where it does not verify that the given
> > sensitivity level has a valid CIPSO mapping when the "std" CIPSO DOI type is
> > used.  The end result is that bad packets are sent on the wire which should
> > have never been sent in the first place.  This patch corrects this problem by
> > verifying the sensitivity level mapping similar to what is done with the
> > category mapping.  This patch also changes the returned error code in this case
> > to -EPERM to better match what the category mapping verification code returns.
> > 
> > Signed-off-by: Paul Moore <paul.moore@hp.com>
> 
> [removed redhat-lspp, which is subscriber only]
> 
> Acked-by: James Morris <jmorris@namei.org>

Applied, thanks everyone.

If -stable inclusion is desired, please submit this patch there.
You can add my signoff if you want:

Signed-off-by: David S. Miller <davem@davemloft.net>
