NetLabel: add tag verification when adding new CIPSOv4 DOI definitions
authorPaul Moore <paul.moore@hp.com>
Fri, 17 Nov 2006 22:38:48 +0000 (17:38 -0500)
committerDavid S. Miller <davem@sunset.davemloft.net>
Sun, 3 Dec 2006 05:24:09 +0000 (21:24 -0800)
Currently the CIPSOv4 engine does not do any sort of checking when a new DOI
definition is added.  The tags are still verified but only as a side effect of
normal NetLabel operation (packet processing, socket labeling, etc.) which
would cause application errors due to the faulty configuration.  This patch
adds tag checking when new DOI definitions are added, allowing us to catch these
configuration problems when they happen.

Signed-off-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: James Morris <jmorris@namei.org>
net/ipv4/cipso_ipv4.c

index fb5d913f5815dd8462a3c9bb69787b3ac963454c..23a968f754be8b57762ea54adf6fd48a2e05fc8e 100644 (file)
@@ -447,8 +447,22 @@ static struct cipso_v4_doi *cipso_v4_doi_search(u32 doi)
  */
 int cipso_v4_doi_add(struct cipso_v4_doi *doi_def)
 {
+       u32 iter;
+
        if (doi_def == NULL || doi_def->doi == CIPSO_V4_DOI_UNKNOWN)
                return -EINVAL;
+       for (iter = 0; iter < CIPSO_V4_TAG_MAXCNT; iter++) {
+               switch (doi_def->tags[iter]) {
+               case CIPSO_V4_TAG_RBITMAP:
+                       break;
+               case CIPSO_V4_TAG_INVALID:
+                       if (iter == 0)
+                               return -EINVAL;
+                       break;
+               default:
+                       return -EINVAL;
+               }
+       }
 
        doi_def->valid = 1;
        INIT_RCU_HEAD(&doi_def->rcu);
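Review bot: The new loop accepts a tag list in which a CIPSO_V4_TAG_INVALID entry is followed by another CIPSO_V4_TAG_RBITMAP entry (for example tags[0] = RBITMAP, tags[1] = INVALID, tags[2] = RBITMAP), since the INVALID case only rejects position 0. If the rest of the engine treats INVALID as the end of the list, as the `iter == 0` check suggests, such a trailing tag is silently never used instead of being reported as the configuration error this commit sets out to catch; a sticky "list terminated" flag in the loop closes that gap. The kernel-doc comment ending just above the function should also state the new rule, e.g. `Validates that @doi_def->tags holds at least one supported tag type and that no tag follows the CIPSO_V4_TAG_INVALID terminator.` cipso_v4_doi_add continues past the end of the hunk.
```c
	u32 iter;
	u32 tags_done = 0;

	if (doi_def == NULL || doi_def->doi == CIPSO_V4_DOI_UNKNOWN)
		return -EINVAL;
	for (iter = 0; iter < CIPSO_V4_TAG_MAXCNT; iter++) {
		switch (doi_def->tags[iter]) {
		case CIPSO_V4_TAG_RBITMAP:
			/* a tag after the INVALID terminator is unreachable */
			if (tags_done)
				return -EINVAL;
			break;
		case CIPSO_V4_TAG_INVALID:
			if (iter == 0)
				return -EINVAL;
			tags_done = 1;
			break;
		default:
			return -EINVAL;
		}
	}
	/* … unchanged: valid/rcu initialisation and the rest of the function … */
```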