author | Venkat Yekkirala <vyekkirala@trustedcs.com> | 2006-10-05 16:42:35 -0400 |
committer | David S. Miller <davem@sunset.davemloft.net> | 2006-10-12 02:59:39 -0400 |
commit | 3bccfbc7a7ba4085817deae6e7c67daf0cbd045a (patch) | |
tree | 3dc11929f87eccaecf00c8e253fd0c834f3953d8 | |
parent | 5b368e61c2bcb2666bb66e2acf1d6d85ba6f474d (diff) |
IPsec: fix handling of errors for socket policies
This treats the security errors encountered in the case of
socket policy matching the same way they are treated in
the case of main/sub policies, which is to return a full lookup
failure.
Signed-off-by: Venkat Yekkirala <vyekkirala@TrustedCS.com>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | net/xfrm/xfrm_policy.c | 26 |
1 files changed, 18 insertions, 8 deletions
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c index 695761ff1321..7736b23c3f03 100644 --- a/net/xfrm/xfrm_policy.c +++ b/net/xfrm/xfrm_policy.c | |||
@@ -1016,12 +1016,16 @@ static struct xfrm_policy *xfrm_sk_policy_lookup(struct sock *sk, int dir, struc | |||
1016 | sk->sk_family); | 1016 | sk->sk_family); |
1017 | int err = 0; | 1017 | int err = 0; |
1018 | 1018 | ||
1019 | if (match) | 1019 | if (match) { |
1020 | err = security_xfrm_policy_lookup(pol, fl->secid, policy_to_flow_dir(dir)); | 1020 | err = security_xfrm_policy_lookup(pol, fl->secid, |
1021 | 1021 | policy_to_flow_dir(dir)); | |
1022 | if (match && !err) | 1022 | if (!err) |
1023 | xfrm_pol_hold(pol); | 1023 | xfrm_pol_hold(pol); |
1024 | else | 1024 | else if (err == -ESRCH) |
1025 | pol = NULL; | ||
1026 | else | ||
1027 | pol = ERR_PTR(err); | ||
1028 | } else | ||
1025 | pol = NULL; | 1029 | pol = NULL; |
1026 | } | 1030 | } |
1027 | read_unlock_bh(&xfrm_policy_lock); | 1031 | read_unlock_bh(&xfrm_policy_lock); |
@@ -1313,8 +1317,11 @@ restart: | |||
1313 | pol_dead = 0; | 1317 | pol_dead = 0; |
1314 | xfrm_nr = 0; | 1318 | xfrm_nr = 0; |
1315 | 1319 | ||
1316 | if (sk && sk->sk_policy[1]) | 1320 | if (sk && sk->sk_policy[1]) { |
1317 | policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl); | 1321 | policy = xfrm_sk_policy_lookup(sk, XFRM_POLICY_OUT, fl); |
1322 | if (IS_ERR(policy)) | ||
1323 | return PTR_ERR(policy); | ||
1324 | } | ||
1318 | 1325 | ||
1319 | if (!policy) { | 1326 | if (!policy) { |
1320 | /* To accelerate a bit... */ | 1327 | /* To accelerate a bit... */ |
@@ -1607,8 +1614,11 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb, | |||
1607 | } | 1614 | } |
1608 | 1615 | ||
1609 | pol = NULL; | 1616 | pol = NULL; |
1610 | if (sk && sk->sk_policy[dir]) | 1617 | if (sk && sk->sk_policy[dir]) { |
1611 | pol = xfrm_sk_policy_lookup(sk, dir, &fl); | 1618 | pol = xfrm_sk_policy_lookup(sk, dir, &fl); |
1619 | if (IS_ERR(pol)) | ||
1620 | return 0; | ||
1621 | } | ||
1612 | 1622 | ||
1613 | if (!pol) | 1623 | if (!pol) |
1614 | pol = flow_cache_lookup(&fl, family, fl_dir, | 1624 | pol = flow_cache_lookup(&fl, family, fl_dir, |
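Review bot: xfrm_sk_policy_lookup now has a three-way return contract (NULL, a held policy, or an ERR_PTR for any LSM error other than -ESRCH) but nothing in the first hunk documents it, and the two new callers in the later hunks depend on it; the function's start lies outside the hunk, so I would add above it `/* Returns a held policy, NULL when no socket policy applies (including an LSM -ESRCH), or ERR_PTR(err) for any other LSM error; callers must IS_ERR-check before use. */`. Within that comment it is worth spelling out that -ESRCH is deliberately mapped to NULL, so a label mismatch falls through to the main/sub policy lookup rather than failing the lookup, which matches the stated intent but is easy to misread as an error being swallowed. On style, the trailing `} else` / `pol = NULL;` in the same hunk leaves one branch unbraced while the other is braced, where kernel style uses braces on both. In __xfrm_policy_check the new `return 0` on IS_ERR drops the packet without distinguishing an LSM failure from a plain policy miss, which is the safe direction; if the function has an audit or statistics path elsewhere, that is where the error would be worth recording.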