Diffstat (limited to 'security')
-rw-r--r-- | security/lsm_audit.c | 7 | ||||
-rw-r--r-- | security/selinux/hooks.c | 11 | ||||
-rw-r--r-- | security/selinux/netnode.c | 2 |
3 files changed, 11 insertions, 9 deletions
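diff --git a/security/lsm_audit.c b/security/lsm_audit.c
index 893af8a2fa1e..7bd6f138236b 100644
--- a/security/lsm_audit.c
+++ b/security/lsm_audit.c
@@ -114,19 +114,20 @@ int ipv6_skb_to_auditdata(struct sk_buff *skb,
 int offset, ret = 0;
 struct ipv6hdr *ip6;
 u8 nexthdr;
+__be16 frag_off;
 
 ip6 = ipv6_hdr(skb);
 if (ip6 == NULL)
 return -EINVAL;
-ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
-ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
+ad->u.net.v6info.saddr = ip6->saddr;
+ad->u.net.v6info.daddr = ip6->daddr;
 ret = 0;
 /* IPv6 can have several extension header before the Transport header
 * skip them */
 offset = skb_network_offset(skb);
 offset += sizeof(*ip6);
 nexthdr = ip6->nexthdr;
-offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
+offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
 if (offset < 0)
 return 0;
 if (proto)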
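Review bot: The new struct assignments at new lines 122-123 read `ip6->saddr` and `ip6->daddr` behind a guard that probably cannot fire: `ipv6_hdr()` is, as far as I know, only a cast of the network header pointer, so `ip6 == NULL` never rejects a short or non-linear packet. selinux_parse_skb_ipv6 in hooks.c on this same page fetches the header with a bounds-checked call, and this function could do the same with a local `struct ipv6hdr _ipv6h;` and `ip6 = skb_header_pointer(skb, skb_network_offset(skb), sizeof(_ipv6h), &_ipv6h);`. Callers may already guarantee the header is pulled, which the hunk does not show; if so, a comment stating that precondition above the assignments would be enough. The function body starts and ends outside the hunk.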
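diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 1126c10a5e82..86305c2f555a 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1090,7 +1090,7 @@ static inline u16 socket_type_to_security_class(int family, int type, int protoc
 return SECCLASS_NETLINK_ROUTE_SOCKET;
 case NETLINK_FIREWALL:
 return SECCLASS_NETLINK_FIREWALL_SOCKET;
-case NETLINK_INET_DIAG:
+case NETLINK_SOCK_DIAG:
 return SECCLASS_NETLINK_TCPDIAG_SOCKET;
 case NETLINK_NFLOG:
 return SECCLASS_NETLINK_NFLOG_SOCKET;
@@ -3561,19 +3561,20 @@ static int selinux_parse_skb_ipv6(struct sk_buff *skb,
 u8 nexthdr;
 int ret = -EINVAL, offset;
 struct ipv6hdr _ipv6h, *ip6;
+__be16 frag_off;
 
 offset = skb_network_offset(skb);
 ip6 = skb_header_pointer(skb, offset, sizeof(_ipv6h), &_ipv6h);
 if (ip6 == NULL)
 goto out;
 
-ipv6_addr_copy(&ad->u.net.v6info.saddr, &ip6->saddr);
-ipv6_addr_copy(&ad->u.net.v6info.daddr, &ip6->daddr);
+ad->u.net.v6info.saddr = ip6->saddr;
+ad->u.net.v6info.daddr = ip6->daddr;
 ret = 0;
 
 nexthdr = ip6->nexthdr;
 offset += sizeof(_ipv6h);
-offset = ipv6_skip_exthdr(skb, offset, &nexthdr);
+offset = ipv6_skip_exthdr(skb, offset, &nexthdr, &frag_off);
 if (offset < 0)
 goto out;
 
@@ -3871,7 +3872,7 @@ static int selinux_socket_bind(struct socket *sock, struct sockaddr *address, in
 if (family == PF_INET)
 ad.u.net.v4info.saddr = addr4->sin_addr.s_addr;
 else
-ipv6_addr_copy(&ad.u.net.v6info.saddr, &addr6->sin6_addr);
+ad.u.net.v6info.saddr = addr6->sin6_addr;
 
 err = avc_has_perm(sksec->sid, sid,
 sksec->sclass, node_perm, &ad);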
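Review bot: In socket_type_to_security_class (new line 1093) the renamed `NETLINK_SOCK_DIAG` case still returns `SECCLASS_NETLINK_TCPDIAG_SOCKET`, and nothing on the line says the mismatch is deliberate. If the sock_diag protocol carries requests for socket families beyond TCP, policy rules written for the tcpdiag class now govern those requests as well, and the netlink message-to-permission mapping (not visible here) should be checked so the new message types are not left unclassified. I would add `/* sock_diag supersedes inet_diag; class name kept for policy compatibility */` above the return. The switch starts and ends outside the hunk.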
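diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index 3bf46abaa688..86365857c088 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -220,7 +220,7 @@ static int sel_netnode_sid_slow(void *addr, u16 family, u32 *sid)
 case PF_INET6:
 ret = security_node_sid(PF_INET6,
 addr, sizeof(struct in6_addr), sid);
-ipv6_addr_copy(&new->nsec.addr.ipv6, addr);
+new->nsec.addr.ipv6 = *(struct in6_addr *)addr;
 break;
 default:
 BUG();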
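Review bot: The replacement at new line 223, `new->nsec.addr.ipv6 = *(struct in6_addr *)addr;`, dereferences a `void *` through a cast, so the compiler may assume `addr` is aligned for `struct in6_addr`; if `ipv6_addr_copy()` was a plain memcpy, as I believe, it carried no such assumption. Where `addr` comes from is not visible in the hunk, so either keep a byte copy, `memcpy(&new->nsec.addr.ipv6, addr, sizeof(struct in6_addr));`, or document the alignment and length precondition on the `addr` parameter. The copy also runs whatever `security_node_sid()` returned; whether `ret` is checked before `new` is cached lies outside the hunk, as do the start and end of the function.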