lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <Line.LNX.4.64.0702281544350.9150@d.namei>
Date:	Wed, 28 Feb 2007 15:45:07 -0500 (EST)
From:	James Morris <jmorris@...ei.org>
To:	Paul Moore <paul.moore@...com>
cc:	netdev@...r.kernel.org
Subject: Re: [PATCH] NetLabel: Verify sensitivity level has a valid CIPSO
 mapping

On Wed, 28 Feb 2007, Paul Moore wrote:

> The current CIPSO engine has a problem where it does not verify that the given
> sensitivity level has a valid CIPSO mapping when the "std" CIPSO DOI type is
> used.  The end result is that bad packets are sent on the wire which should
> have never been sent in the first place.  This patch corrects this problem by
> verifying the sensitivity level mapping similar to what is done with the
> category mapping.  This patch also changes the returned error code in this case
> to -EPERM to better match what the category mapping verification code returns.
> 
> Signed-off-by: Paul Moore <paul.moore@...com>

[removed redhat-lspp, which is subscriber only]

Acked-by: James Morris <jmorris@...ei.org>


> ---
>  net/ipv4/cipso_ipv4.c |    7 ++++---
>  1 file changed, 4 insertions(+), 3 deletions(-)
> 
> Index: net-2.6_bugfix/net/ipv4/cipso_ipv4.c
> ===================================================================
> --- net-2.6_bugfix.orig/net/ipv4/cipso_ipv4.c
> +++ net-2.6_bugfix/net/ipv4/cipso_ipv4.c
> @@ -732,11 +732,12 @@ static int cipso_v4_map_lvl_hton(const s
>  		*net_lvl = host_lvl;
>  		return 0;
>  	case CIPSO_V4_MAP_STD:
> -		if (host_lvl < doi_def->map.std->lvl.local_size) {
> +		if (host_lvl < doi_def->map.std->lvl.local_size &&
> +		    doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL) {
>  			*net_lvl = doi_def->map.std->lvl.local[host_lvl];
>  			return 0;
>  		}
> -		break;
> +		return -EPERM;
>  	}
>  
>  	return -EINVAL;
> @@ -771,7 +772,7 @@ static int cipso_v4_map_lvl_ntoh(const s
>  			*host_lvl = doi_def->map.std->lvl.cipso[net_lvl];
>  			return 0;
>  		}
> -		break;
> +		return -EPERM;
>  	}
>  
>  	return -EINVAL;
> 
> --
> paul moore
> linux security @ hp
> 
> -
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@...r.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

-- 
James Morris
<jmorris@...ei.org>
-
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ