Commit c6387a86, author: Paul Moore, committer: David S. Miller

[NetLabel]: Verify sensitivity level has a valid CIPSO mapping

The current CIPSO engine has a problem where it does not verify that
the given sensitivity level has a valid CIPSO mapping when the "std"
CIPSO DOI type is used.  The end result is that bad packets are sent
on the wire which should have never been sent in the first place.
This patch corrects this problem by verifying the sensitivity level
mapping similar to what is done with the category mapping.  This patch
also changes the returned error code in this case to -EPERM to better
match what the category mapping verification code returns.
Signed-off-by: Paul Moore <paul.moore@hp.com>
Acked-by: James Morris <jmorris@namei.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Parent 90719dbe
...@@ -732,11 +732,12 @@ static int cipso_v4_map_lvl_hton(const struct cipso_v4_doi *doi_def, ...@@ -732,11 +732,12 @@ static int cipso_v4_map_lvl_hton(const struct cipso_v4_doi *doi_def,
*net_lvl = host_lvl; *net_lvl = host_lvl;
return 0; return 0;
case CIPSO_V4_MAP_STD: case CIPSO_V4_MAP_STD:
if (host_lvl < doi_def->map.std->lvl.local_size) { if (host_lvl < doi_def->map.std->lvl.local_size &&
doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL) {
*net_lvl = doi_def->map.std->lvl.local[host_lvl]; *net_lvl = doi_def->map.std->lvl.local[host_lvl];
return 0; return 0;
} }
break; return -EPERM;
} }
return -EINVAL; return -EINVAL;
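Review bot: In the CIPSO_V4_MAP_STD case of cipso_v4_map_lvl_hton(), the added test `doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL` relies on the invalid-level sentinel comparing greater than every valid mapped level, and nothing in the hunk says so. A one-line comment above the condition stating that entries at or above CIPSO_V4_INV_LVL mean "no mapping" would make the intent clear to the next reader. The same table entry is also read twice, once in the condition and once in the assignment to *net_lvl; reading it into a local variable first would keep the check and the stored value tied to a single read. Finally, -EPERM is now returned both when host_lvl is at or beyond lvl.local_size and when the entry is unmapped, so any comment documenting this function's return values should list -EPERM alongside -EINVAL.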
...@@ -771,7 +772,7 @@ static int cipso_v4_map_lvl_ntoh(const struct cipso_v4_doi *doi_def, ...@@ -771,7 +772,7 @@ static int cipso_v4_map_lvl_ntoh(const struct cipso_v4_doi *doi_def,
*host_lvl = doi_def->map.std->lvl.cipso[net_lvl]; *host_lvl = doi_def->map.std->lvl.cipso[net_lvl];
return 0; return 0;
} }
break; return -EPERM;
} }
return -EINVAL; return -EINVAL;
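Review bot: The `break` to `return -EPERM` change in the CIPSO_V4_MAP_STD case of cipso_v4_map_lvl_ntoh() changes the error code on the network-to-host path, whereas the commit message describes the problem only in terms of packets being sent. It would help to say explicitly in the message that the ntoh direction changes as well, and to confirm that no caller depends on getting -EINVAL here. The condition guarding the `*host_lvl = doi_def->map.std->lvl.cipso[net_lvl];` assignment is outside the visible context, so it is worth confirming that it rejects unmapped entries the same way the hton side now does.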
......