Diffstat (limited to 'security/selinux/hooks.c')
| -rw-r--r-- | security/selinux/hooks.c | 10 |
1 files changed, 8 insertions, 2 deletions
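--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4637,6 +4637,14 @@ static int selinux_socket_connect_helper(struct socket *sock,
 err = sock_has_perm(sk, SOCKET__CONNECT);
 if (err)
 return err;
+if (addrlen < offsetofend(struct sockaddr, sa_family))
+return -EINVAL;
+
+/* connect(AF_UNSPEC) has special handling, as it is a documented
+* way to disconnect the socket
+*/
+if (address->sa_family == AF_UNSPEC)
+return 0;
 
 /*
 * If a TCP, DCCP or SCTP socket, check name_connect permission
@@ -4657,8 +4665,6 @@ static int selinux_socket_connect_helper(struct socket *sock,
 * need to check address->sa_family as it is possible to have
 * sk->sk_family = PF_INET6 with addr->sa_family = AF_INET.
 */
-if (addrlen < offsetofend(struct sockaddr, sa_family))
-return -EINVAL;
 switch (address->sa_family) {
 case AF_INET:
 addr4 = (struct sockaddr_in *)address;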
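Review bot: The early `return 0` for `AF_UNSPEC` skips the name_connect check that follows, and the new comment does not say that this is acceptable only because `sock_has_perm(sk, SOCKET__CONNECT)` has already been enforced just above it. I would extend the comment to something like `/* ... way to disconnect the socket; SOCKET__CONNECT was checked above, only the per-port name_connect check is skipped */`. The hoisted `addrlen < offsetofend(struct sockaddr, sa_family)` test is what makes the `address->sa_family` read safe, so a one-line comment such as `/* addrlen must cover sa_family before it is read below */` would keep a later edit from reordering the two. Moving that test out of the TCP/DCCP/SCTP block also appears to make the hook return -EINVAL for short addresses on every socket class. That looks intended but cannot be confirmed here, because the enclosing `if` and the rest of selinux_socket_connect_helper lie outside both hunks.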
