diff options
author | Eugene Teo <eteo@redhat.com> | 2009-04-13 10:04:41 +0800 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2009-05-02 10:25:09 -0700 |
commit | 910c9e41186762de3717baaf392ab5ff0c454496 (patch) | |
tree | 4825f4f0133111f3d7c117e513d75ec3e5bef050 | |
parent | f685eb05970821bc79ff0cba4e8f6d35cf8a5862 (diff) | |
download | lwn-910c9e41186762de3717baaf392ab5ff0c454496.tar.gz lwn-910c9e41186762de3717baaf392ab5ff0c454496.zip |
unreached code in selinux_ip_postroute_iptables_compat() (CVE-2009-1184)
Not upstream in 2.6.30, as the function was removed there, making this a
non-issue.
Node and port send checks can skip in the compat_net=1 case. This bug
was introduced in commit effad8d.
Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
Reported-by: Dan Carpenter <error27@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r-- | security/selinux/hooks.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 03fc6a81ae32..f028f704225f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4467,6 +4467,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk, if (err) return err; err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); + if (err) return err; err = sel_netnode_sid(addrp, family, &node_sid); |