[patch] selinux: Fix address length checks in connect hook

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This patch fixes the address length checks in the selinux_socket_connect
hook to be no more restrictive than the underlying ipv4 and ipv6 code;
otherwise, this hook can reject valid connect calls.  This patch is in
response to a bug report where an application was calling connect on an
INET6 socket with an address that didn't include the optional scope id
and failing due to these checks.  Please apply.  To 2.6.13, if possible.

Signed-off-by:  Stephen Smalley <[email protected]>
Signed-off-by:  James Morris <[email protected]>

---

 security/selinux/hooks.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff -rup linux-2.6.13-rc3-mm3/security/selinux/hooks.c linux-2.6.13-rc3-mm3-fix/security/selinux/hooks.c
--- linux-2.6.13-rc3-mm3/security/selinux/hooks.c	2005-07-28 14:59:58.000000000 -0400
+++ linux-2.6.13-rc3-mm3-fix/security/selinux/hooks.c	2005-07-28 14:56:58.000000000 -0400
@@ -3073,12 +3073,12 @@ static int selinux_socket_connect(struct
 
 		if (sk->sk_family == PF_INET) {
 			addr4 = (struct sockaddr_in *)address;
-			if (addrlen != sizeof(struct sockaddr_in))
+			if (addrlen < sizeof(struct sockaddr_in))
 				return -EINVAL;
 			snum = ntohs(addr4->sin_port);
 		} else {
 			addr6 = (struct sockaddr_in6 *)address;
-			if (addrlen != sizeof(struct sockaddr_in6))
+			if (addrlen < SIN6_LEN_RFC2133)
 				return -EINVAL;
 			snum = ntohs(addr6->sin6_port);
 		}
  
-- 
Stephen Smalley
National Security Agency

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

[Index of Archives]     [Kernel Newbies]     [Netfilter]     [Bugtraq]     [Photo]     [Gimp]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux RAID]     [Video 4 Linux]     [Linux for the blind]
  Powered by Linux