From 910c9e41186762de3717baaf392ab5ff0c454496 Mon Sep 17 00:00:00 2001 From: Eugene Teo Date: Mon, 13 Apr 2009 10:04:41 +0800 Subject: unreached code in selinux_ip_postroute_iptables_compat() (CVE-2009-1184) Not upstream in 2.6.30, as the function was removed there, making this a non-issue. Node and port send checks can skip in the compat_net=1 case. This bug was introduced in commit effad8d. Signed-off-by: Eugene Teo Reported-by: Dan Carpenter Acked-by: James Morris Acked-by: Paul Moore Signed-off-by: Greg Kroah-Hartman --- security/selinux/hooks.c | 1 + 1 file changed, 1 insertion(+) diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 03fc6a81ae32..f028f704225f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -4467,6 +4467,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk, if (err) return err; err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad); + if (err) return err; err = sel_netnode_sid(addrp, family, &node_sid); -- cgit v1.2.3