diff options
Diffstat (limited to 'recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0030-cipso-handle-CIPSO-options-correctly-when-NetLabel-i.patch')
-rw-r--r-- | recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0030-cipso-handle-CIPSO-options-correctly-when-NetLabel-i.patch | 80 |
1 files changed, 80 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0030-cipso-handle-CIPSO-options-correctly-when-NetLabel-i.patch b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0030-cipso-handle-CIPSO-options-correctly-when-NetLabel-i.patch new file mode 100644 index 00000000..8310ad90 --- /dev/null +++ b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.23/0030-cipso-handle-CIPSO-options-correctly-when-NetLabel-i.patch | |||
@@ -0,0 +1,80 @@ | |||
1 | From e3e2beb00731e994722f01a1c284e3bcc69264ba Mon Sep 17 00:00:00 2001 | ||
2 | From: Paul Moore <pmoore@redhat.com> | ||
3 | Date: Fri, 1 Jun 2012 05:54:56 +0000 | ||
4 | Subject: [PATCH 30/49] cipso: handle CIPSO options correctly when NetLabel is | ||
5 | disabled | ||
6 | |||
7 | [ Upstream commit 20e2a86485967c385d7c7befc1646e4d1d39362e ] | ||
8 | |||
9 | When NetLabel is not enabled, e.g. CONFIG_NETLABEL=n, and the system | ||
10 | receives a CIPSO tagged packet it is dropped (cipso_v4_validate() | ||
11 | returns non-zero). In most cases this is the correct and desired | ||
12 | behavior, however, in the case where we are simply forwarding the | ||
13 | traffic, e.g. acting as a network bridge, this becomes a problem. | ||
14 | |||
15 | This patch fixes the forwarding problem by providing the basic CIPSO | ||
16 | validation code directly in ip_options_compile() without the need for | ||
17 | the NetLabel or CIPSO code. The new validation code can not perform | ||
18 | any of the CIPSO option label/value verification that | ||
19 | cipso_v4_validate() does, but it can verify the basic CIPSO option | ||
20 | format. | ||
21 | |||
22 | The behavior when NetLabel is enabled is unchanged. | ||
23 | |||
24 | Signed-off-by: Paul Moore <pmoore@redhat.com> | ||
25 | Signed-off-by: David S. Miller <davem@davemloft.net> | ||
26 | Signed-off-by: Ben Hutchings <ben@decadent.org.uk> | ||
27 | --- | ||
28 | include/net/cipso_ipv4.h | 29 ++++++++++++++++++++++++++++- | ||
29 | 1 file changed, 28 insertions(+), 1 deletion(-) | ||
30 | |||
31 | diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h | ||
32 | index 9808877..a7a683e 100644 | ||
33 | --- a/include/net/cipso_ipv4.h | ||
34 | +++ b/include/net/cipso_ipv4.h | ||
35 | @@ -42,6 +42,7 @@ | ||
36 | #include <net/netlabel.h> | ||
37 | #include <net/request_sock.h> | ||
38 | #include <linux/atomic.h> | ||
39 | +#include <asm/unaligned.h> | ||
40 | |||
41 | /* known doi values */ | ||
42 | #define CIPSO_V4_DOI_UNKNOWN 0x00000000 | ||
43 | @@ -285,7 +286,33 @@ static inline int cipso_v4_skbuff_getattr(const struct sk_buff *skb, | ||
44 | static inline int cipso_v4_validate(const struct sk_buff *skb, | ||
45 | unsigned char **option) | ||
46 | { | ||
47 | - return -ENOSYS; | ||
48 | + unsigned char *opt = *option; | ||
49 | + unsigned char err_offset = 0; | ||
50 | + u8 opt_len = opt[1]; | ||
51 | + u8 opt_iter; | ||
52 | + | ||
53 | + if (opt_len < 8) { | ||
54 | + err_offset = 1; | ||
55 | + goto out; | ||
56 | + } | ||
57 | + | ||
58 | + if (get_unaligned_be32(&opt[2]) == 0) { | ||
59 | + err_offset = 2; | ||
60 | + goto out; | ||
61 | + } | ||
62 | + | ||
63 | + for (opt_iter = 6; opt_iter < opt_len;) { | ||
64 | + if (opt[opt_iter + 1] > (opt_len - opt_iter)) { | ||
65 | + err_offset = opt_iter + 1; | ||
66 | + goto out; | ||
67 | + } | ||
68 | + opt_iter += opt[opt_iter + 1]; | ||
69 | + } | ||
70 | + | ||
71 | +out: | ||
72 | + *option = opt + err_offset; | ||
73 | + return err_offset; | ||
74 | + | ||
75 | } | ||
76 | #endif /* CONFIG_NETLABEL */ | ||
77 | |||
78 | -- | ||
79 | 1.7.10 | ||
80 | |||