diff options
Diffstat (limited to 'recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0030-cipso-handle-CIPSO-options-correctly-when-NetLabel-i.patch')
| -rw-r--r-- | recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0030-cipso-handle-CIPSO-options-correctly-when-NetLabel-i.patch | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0030-cipso-handle-CIPSO-options-correctly-when-NetLabel-i.patch b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0030-cipso-handle-CIPSO-options-correctly-when-NetLabel-i.patch new file mode 100644 index 00000000..8310ad90 --- /dev/null +++ b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0030-cipso-handle-CIPSO-options-correctly-when-NetLabel-i.patch | |||
| @@ -0,0 +1,80 @@ | |||
| 1 | From e3e2beb00731e994722f01a1c284e3bcc69264ba Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Paul Moore <pmoore@redhat.com> | ||
| 3 | Date: Fri, 1 Jun 2012 05:54:56 +0000 | ||
| 4 | Subject: [PATCH 30/49] cipso: handle CIPSO options correctly when NetLabel is | ||
| 5 | disabled | ||
| 6 | |||
| 7 | [ Upstream commit 20e2a86485967c385d7c7befc1646e4d1d39362e ] | ||
| 8 | |||
| 9 | When NetLabel is not enabled, e.g. CONFIG_NETLABEL=n, and the system | ||
| 10 | receives a CIPSO tagged packet it is dropped (cipso_v4_validate() | ||
| 11 | returns non-zero). In most cases this is the correct and desired | ||
| 12 | behavior, however, in the case where we are simply forwarding the | ||
| 13 | traffic, e.g. acting as a network bridge, this becomes a problem. | ||
| 14 | |||
| 15 | This patch fixes the forwarding problem by providing the basic CIPSO | ||
| 16 | validation code directly in ip_options_compile() without the need for | ||
| 17 | the NetLabel or CIPSO code. The new validation code can not perform | ||
| 18 | any of the CIPSO option label/value verification that | ||
| 19 | cipso_v4_validate() does, but it can verify the basic CIPSO option | ||
| 20 | format. | ||
| 21 | |||
| 22 | The behavior when NetLabel is enabled is unchanged. | ||
| 23 | |||
| 24 | Signed-off-by: Paul Moore <pmoore@redhat.com> | ||
| 25 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
| 26 | Signed-off-by: Ben Hutchings <ben@decadent.org.uk> | ||
| 27 | --- | ||
| 28 | include/net/cipso_ipv4.h | 29 ++++++++++++++++++++++++++++- | ||
| 29 | 1 file changed, 28 insertions(+), 1 deletion(-) | ||
| 30 | |||
| 31 | diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h | ||
| 32 | index 9808877..a7a683e 100644 | ||
| 33 | --- a/include/net/cipso_ipv4.h | ||
| 34 | +++ b/include/net/cipso_ipv4.h | ||
| 35 | @@ -42,6 +42,7 @@ | ||
| 36 | #include <net/netlabel.h> | ||
| 37 | #include <net/request_sock.h> | ||
| 38 | #include <linux/atomic.h> | ||
| 39 | +#include <asm/unaligned.h> | ||
| 40 | |||
| 41 | /* known doi values */ | ||
| 42 | #define CIPSO_V4_DOI_UNKNOWN 0x00000000 | ||
| 43 | @@ -285,7 +286,33 @@ static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb, | ||
| 44 | static inline int cipso_v4_validate(const struct sk_buff *skb, | ||
| 45 | unsigned char **option) | ||
| 46 | { | ||
| 47 | - return -ENOSYS; | ||
| 48 | + unsigned char *opt = *option; | ||
| 49 | + unsigned char err_offset = 0; | ||
| 50 | + u8 opt_len = opt[1]; | ||
| 51 | + u8 opt_iter; | ||
| 52 | + | ||
| 53 | + if (opt_len < 8) { | ||
| 54 | + err_offset = 1; | ||
| 55 | + goto out; | ||
| 56 | + } | ||
| 57 | + | ||
| 58 | + if (get_unaligned_be32(&opt[2]) == 0) { | ||
| 59 | + err_offset = 2; | ||
| 60 | + goto out; | ||
| 61 | + } | ||
| 62 | + | ||
| 63 | + for (opt_iter = 6; opt_iter < opt_len;) { | ||
| 64 | + if (opt[opt_iter + 1] > (opt_len - opt_iter)) { | ||
| 65 | + err_offset = opt_iter + 1; | ||
| 66 | + goto out; | ||
| 67 | + } | ||
| 68 | + opt_iter += opt[opt_iter + 1]; | ||
| 69 | + } | ||
| 70 | + | ||
| 71 | +out: | ||
| 72 | + *option = opt + err_offset; | ||
| 73 | + return err_offset; | ||
| 74 | + | ||
| 75 | } | ||
| 76 | #endif /* CONFIG_NETLABEL */ | ||
| 77 | |||
| 78 | -- | ||
| 79 | 1.7.10 | ||
| 80 | |||