From c6387a8694506841389a6ac55175a8a984ae34e4 Mon Sep 17 00:00:00 2001 From: Paul Moore Date: Fri, 2 Mar 2007 13:19:02 -0800 Subject: [NetLabel]: Verify sensitivity level has a valid CIPSO mapping The current CIPSO engine has a problem where it does not verify that the given sensitivity level has a valid CIPSO mapping when the "std" CIPSO DOI type is used. The end result is that bad packets are sent on the wire which should have never been sent in the first place. This patch corrects this problem by verifying the sensitivity level mapping similar to what is done with the category mapping. This patch also changes the returned error code in this case to -EPERM to better match what the category mapping verification code returns. Signed-off-by: Paul Moore Acked-by: James Morris Signed-off-by: David S. Miller --- net/ipv4/cipso_ipv4.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) (limited to 'net/ipv4/cipso_ipv4.c') diff --git a/net/ipv4/cipso_ipv4.c b/net/ipv4/cipso_ipv4.c index 60aafb4a8ad..c976dd7e975 100644 --- a/net/ipv4/cipso_ipv4.c +++ b/net/ipv4/cipso_ipv4.c @@ -732,11 +732,12 @@ static int cipso_v4_map_lvl_hton(const struct cipso_v4_doi *doi_def, *net_lvl = host_lvl; return 0; case CIPSO_V4_MAP_STD: - if (host_lvl < doi_def->map.std->lvl.local_size) { + if (host_lvl < doi_def->map.std->lvl.local_size && + doi_def->map.std->lvl.local[host_lvl] < CIPSO_V4_INV_LVL) { *net_lvl = doi_def->map.std->lvl.local[host_lvl]; return 0; } - break; + return -EPERM; } return -EINVAL; @@ -771,7 +772,7 @@ static int cipso_v4_map_lvl_ntoh(const struct cipso_v4_doi *doi_def, *host_lvl = doi_def->map.std->lvl.cipso[net_lvl]; return 0; } - break; + return -EPERM; } return -EINVAL; -- cgit v1.2.3