NetLabel: add tag verification when adding new CIPSOv4 DOI definitions

Currently the CIPSOv4 engine does not do any sort of checking when a new DOI definition is added. The tags are still verified but only as a side effect of normal NetLabel operation (packet processing, socket labeling, etc.) which would cause application errors due to the faulty configuration. This patch adds tag checking when new DOI definition are added allowing us to catch these configuration problems when they happen. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Paul Moore <paul.moore@hp.com> 2006-11-17 17:38:48 -0500
committer: David S. Miller <davem@sunset.davemloft.net> 2006-12-03 00:24:09 -0500
commit: 6ce61a7c2678800cfe59a5f4a41ce8f785b9d355 (patch)
tree: ab15a8da36aba770616b43b536efb881d9b48988 /net/ipv4
parent: 05e00cbf5036929355020dab4837b637203a0742 (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c
index fb5d913f5815..23a968f754be 100644
--- a/net/ipv4/cipso_ipv4.c
+++ b/net/ipv4/cipso_ipv4.c
@@ -447,8 +447,22 @@ static struct cipso_v4_doi *cipso_v4_doi_search(u32 doi)
 */
 int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)
 {
+        u32 iter;
        if (doi_def == NULL || doi_def->doi == CIPSO_V4_DOI_UNKNOWN)
                return -EINVAL;
+        for (iter = 0; iter < CIPSO_V4_TAG_MAXCNT; iter++) {
+                switch (doi_def->tags[iter]) {
+                case CIPSO_V4_TAG_RBITMAP:
+                        break;
+                case CIPSO_V4_TAG_INVALID:
+                        if (iter == 0)
+                                return -EINVAL;
+                        break;
+                default:
+                        return -EINVAL;
+                }
+        }
        doi_def->valid = 1;
        INIT_RCU_HEAD(&doi_def->rcu);
author	Paul Moore <paul.moore@hp.com>	2006-11-17 17:38:48 -0500
committer	David S. Miller <davem@sunset.davemloft.net>	2006-12-03 00:24:09 -0500
commit	6ce61a7c2678800cfe59a5f4a41ce8f785b9d355 (patch)
tree	ab15a8da36aba770616b43b536efb881d9b48988 /net/ipv4
parent	05e00cbf5036929355020dab4837b637203a0742 (diff)

diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index fb5d913f5815..23a968f754be 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c
@@ -447,8 +447,22 @@ static struct cipso_v4_doi *cipso_v4_doi_search(u32 doi)
447	*/	447	*/
448	int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)	448	int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)
449	{	449	{
		450	u32 iter;
		451
450	if (doi_def == NULL \|\| doi_def->doi == CIPSO_V4_DOI_UNKNOWN)	452	if (doi_def == NULL \|\| doi_def->doi == CIPSO_V4_DOI_UNKNOWN)
451	return -EINVAL;	453	return -EINVAL;
		454	for (iter = 0; iter < CIPSO_V4_TAG_MAXCNT; iter++) {
		455	switch (doi_def->tags[iter]) {
		456	case CIPSO_V4_TAG_RBITMAP:
		457	break;
		458	case CIPSO_V4_TAG_INVALID:
		459	if (iter == 0)
		460	return -EINVAL;
		461	break;
		462	default:
		463	return -EINVAL;
		464	}
		465	}
452		466
453	doi_def->valid = 1;	467	doi_def->valid = 1;
454	INIT_RCU_HEAD(&doi_def->rcu);	468	INIT_RCU_HEAD(&doi_def->rcu);