authorVenkat Yekkirala <vyekkirala@trustedcs.com>2006-10-05 16:42:35 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2006-10-12 02:59:39 -0400
commit3bccfbc7a7ba4085817deae6e7c67daf0cbd045a (patch)
tree3dc11929f87eccaecf00c8e253fd0c834f3953d8
parent5b368e61c2bcb2666bb66e2acf1d6d85ba6f474d (diff)
IPsec: fix handling of errors for socket policies
This treats the security errors encountered in the case of socket policy matching the same way as those encountered in the case of main/sub policies, which is to return a full lookup failure. Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--net/xfrm/xfrm_policy.c26
1 files changed, 18 insertions, 8 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 695761ff1321..7736b23c3f03 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1016,12 +1016,16 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struc
1016 sk->sk_family); 1016 sk->sk_family);
1017 int err = 0; 1017 int err = 0;
1018 1018
1019 if (match) 1019 if (match) {
1020 err = security_xfrm_policy_lookup(pol, fl->secid, policy_to_flow_dir(dir)); 1020 err = security_xfrm_policy_lookup(pol, fl->secid,
1021 1021 policy_to_flow_dir(dir));
1022 if (match && !err) 1022 if (!err)
1023 xfrm_pol_hold(pol); 1023 xfrm_pol_hold(pol);
1024 else 1024 else if (err == -ESRCH)
1025 pol = NULL;
1026 else
1027 pol = ERR_PTR(err);
1028 } else
1025 pol = NULL; 1029 pol = NULL;
1026 } 1030 }
1027 read_unlock_bh(&xfrm_policy_lock); 1031 read_unlock_bh(&xfrm_policy_lock);
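Review bot: The lookup's return contract now has three outcomes — a held policy, NULL for no match or an -ESRCH from the LSM hook, and ERR_PTR(err) for any other security error — but nothing at the function documents this, and every caller must now test IS_ERR() before dereferencing or putting the pointer. The two callers patched in this commit's other hunks do so, but any other caller of xfrm_sk_policy_lookup not touched here would treat the ERR_PTR value as a valid policy. I would add above the function (outside this hunk): `/* Returns a held policy, NULL if none matched (or the LSM returned -ESRCH), or ERR_PTR(err) on any other security error; callers must check IS_ERR(). */`. xfrm_sk_policy_lookup starts and ends outside this hunk.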
@@ -1313,8 +1317,11 @@ restart:
1313 pol_dead = 0; 1317 pol_dead = 0;
1314 xfrm_nr = 0; 1318 xfrm_nr = 0;
1315 1319
1316 if (sk && sk->sk_policy[1]) 1320 if (sk && sk->sk_policy[1]) {
1317 policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl); 1321 policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl);
1322 if (IS_ERR(policy))
1323 return PTR_ERR(policy);
1324 }
1318 1325
1319 if (!policy) { 1326 if (!policy) {
1320 /* To accelerate a bit... */ 1327 /* To accelerate a bit... */
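Review bot: The added `return PTR_ERR(policy)` exits without going through whatever cleanup this function's later error paths perform; if those paths release the caller's original dst and clear the output dst pointer before returning an error (they are outside the hunk, so I cannot confirm this), the new early return hands the caller an error while the original dst is still referenced. In that case the error should be stored and control transferred to the function's existing error exit, e.g. `err = PTR_ERR(policy); goto ERROR_LABEL; /* placeholder: the function's existing error-exit label */`, rather than returning directly. The enclosing function starts and ends outside this hunk.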
@@ -1607,8 +1614,11 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
1607 } 1614 }
1608 1615
1609 pol = NULL; 1616 pol = NULL;
1610 if (sk && sk->sk_policy[dir]) 1617 if (sk && sk->sk_policy[dir]) {
1611 pol = xfrm_sk_policy_lookup(sk, dir, &fl); 1618 pol = xfrm_sk_policy_lookup(sk, dir, &fl);
1619 if (IS_ERR(pol))
1620 return 0;
1621 }
1612 1622
1613 if (!pol) 1623 if (!pol)
1614 pol = flow_cache_lookup(&fl, family, fl_dir, 1624 pol = flow_cache_lookup(&fl, family, fl_dir,
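Review bot: The `return 0` after `IS_ERR(pol)` discards the error value, so a packet refused because the LSM rejected the socket policy is indistinguishable from an ordinary policy-check failure and the reason is lost; that is acceptable for a boolean check but deserves a comment, because a reader may otherwise expect the NULL fall-through to flow_cache_lookup to apply to the error case as well. I would add `/* LSM error on the socket policy: reject; do not fall back to the global policy tables */` above the IS_ERR test. __xfrm_policy_check continues outside this hunk.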