aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv4/cipso_ipv4.c
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@woody.linux-foundation.org>2007-04-27 13:47:29 -0400
committerLinus Torvalds <torvalds@woody.linux-foundation.org>2007-04-27 13:47:29 -0400
commita205752d1ad2d37d6597aaae5a56fc396a770868 (patch)
tree1def76b02da90b98cefd66c4ba3904697963c358 /net/ipv4/cipso_ipv4.c
parent39bc89fd4019b164002adaacef92c4140e37955a (diff)
parente900a7d90ae1486ac95c10e0b7337fc2c2eda529 (diff)
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6
* 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/selinux-2.6: selinux: preserve boolean values across policy reloads selinux: change numbering of boolean directory inodes in selinuxfs selinux: remove unused enumeration constant from selinuxfs selinux: explicitly number all selinuxfs inodes selinux: export initial SID contexts via selinuxfs selinux: remove userland security class and permission definitions SELinux: move security_skb_extlbl_sid() out of the security server MAINTAINERS: update selinux entry SELinux: rename selinux_netlabel.h to netlabel.h SELinux: extract the NetLabel SELinux support from the security server NetLabel: convert a BUG_ON in the CIPSO code to a runtime check NetLabel: cleanup and document CIPSO constants
Diffstat (limited to 'net/ipv4/cipso_ipv4.c')
-rw-r--r--net/ipv4/cipso_ipv4.c41
1 files changed, 32 insertions, 9 deletions
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index 11a3404d65af..e1f18489db1d 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -92,6 +92,33 @@ int cipso_v4_rbm_optfmt = 0;
92int cipso_v4_rbm_strictvalid = 1; 92int cipso_v4_rbm_strictvalid = 1;
93 93
94/* 94/*
95 * Protocol Constants
96 */
97
98/* Maximum size of the CIPSO IP option, derived from the fact that the maximum
99 * IPv4 header size is 60 bytes and the base IPv4 header is 20 bytes long. */
100#define CIPSO_V4_OPT_LEN_MAX 40
101
102/* Length of the base CIPSO option, this includes the option type (1 byte), the
103 * option length (1 byte), and the DOI (4 bytes). */
104#define CIPSO_V4_HDR_LEN 6
105
106/* Base length of the restrictive category bitmap tag (tag #1). */
107#define CIPSO_V4_TAG_RBM_BLEN 4
108
109/* Base length of the enumerated category tag (tag #2). */
110#define CIPSO_V4_TAG_ENUM_BLEN 4
111
112/* Base length of the ranged categories bitmap tag (tag #5). */
113#define CIPSO_V4_TAG_RNG_BLEN 4
114/* The maximum number of category ranges permitted in the ranged category tag
115 * (tag #5). You may note that the IETF draft states that the maximum number
116 * of category ranges is 7, but if the low end of the last category range is
117 * zero then it is possibile to fit 8 category ranges because the zero should
118 * be omitted. */
119#define CIPSO_V4_TAG_RNG_CAT_MAX 8
120
121/*
95 * Helper Functions 122 * Helper Functions
96 */ 123 */
97 124
@@ -1109,16 +1136,15 @@ static int cipso_v4_map_cat_rng_hton(const struct cipso_v4_doi *doi_def,
1109 unsigned char *net_cat, 1136 unsigned char *net_cat,
1110 u32 net_cat_len) 1137 u32 net_cat_len)
1111{ 1138{
1112 /* The constant '16' is not random, it is the maximum number of
1113 * high/low category range pairs as permitted by the CIPSO draft based
1114 * on a maximum IPv4 header length of 60 bytes - the BUG_ON() assertion
1115 * does a sanity check to make sure we don't overflow the array. */
1116 int iter = -1; 1139 int iter = -1;
1117 u16 array[16]; 1140 u16 array[CIPSO_V4_TAG_RNG_CAT_MAX * 2];
1118 u32 array_cnt = 0; 1141 u32 array_cnt = 0;
1119 u32 cat_size = 0; 1142 u32 cat_size = 0;
1120 1143
1121 BUG_ON(net_cat_len > 30); 1144 /* make sure we don't overflow the 'array[]' variable */
1145 if (net_cat_len >
1146 (CIPSO_V4_OPT_LEN_MAX - CIPSO_V4_HDR_LEN - CIPSO_V4_TAG_RNG_BLEN))
1147 return -ENOSPC;
1122 1148
1123 for (;;) { 1149 for (;;) {
1124 iter = netlbl_secattr_catmap_walk(secattr->mls_cat, iter + 1); 1150 iter = netlbl_secattr_catmap_walk(secattr->mls_cat, iter + 1);
@@ -1196,9 +1222,6 @@ static int cipso_v4_map_cat_rng_ntoh(const struct cipso_v4_doi *doi_def,
1196 * Protocol Handling Functions 1222 * Protocol Handling Functions
1197 */ 1223 */
1198 1224
1199#define CIPSO_V4_OPT_LEN_MAX 40
1200#define CIPSO_V4_HDR_LEN 6
1201
1202/** 1225/**
1203 * cipso_v4_gentag_hdr - Generate a CIPSO option header 1226 * cipso_v4_gentag_hdr - Generate a CIPSO option header
1204 * @doi_def: the DOI definition 1227 * @doi_def: the DOI definition