On Wed, Oct 17, 2018 at 8:30 AM Stephen Smalley <s...@tycho.nsa.gov> wrote:
>
> On 10/17/2018 10:46 AM, Ondrej Mosnacek wrote:
> > We need to convert from little-endian before doing range checks on the
> > ibpkey port numbers, otherwise we would be checking a wrong value.
> >
> > Fixes: 9fbb3112769a ("libsepol: Add ibpkey ocontext handling")
> > Signed-off-by: Ondrej Mosnacek <omosn...@redhat.com>
>
> Acked-by: Stephen Smalley <s...@tycho.nsa.gov>

Stephen,
I'll stage this as a PR. Do you want to wait until the kernel changes
are in or just the normal 24 hours?

Bill

>
> > ---
> >   libsepol/src/policydb.c | 14 ++++++++++----
> >   1 file changed, 10 insertions(+), 4 deletions(-)
> >
> > diff --git a/libsepol/src/policydb.c b/libsepol/src/policydb.c
> > index a6d76ca3..dc201e2f 100644
> > --- a/libsepol/src/policydb.c
> > +++ b/libsepol/src/policydb.c
> > @@ -2830,15 +2830,21 @@ static int ocontext_read_selinux(struct 
> > policydb_compat_info *info,
> >                               break;
> >                       case OCON_IBPKEY:
> >                               rc = next_entry(buf, fp, sizeof(uint32_t) * 
> > 4);
> > -                             if (rc < 0 || buf[2] > 0xffff || buf[3] > 
> > 0xffff)
> > +                             if (rc < 0)
> >                                       return -1;
> >
> > +                             c->u.ibpkey.low_pkey  = le32_to_cpu(buf[2]);
> > +                             c->u.ibpkey.high_pkey = le32_to_cpu(buf[3]);
> > +
> > +                             if (c->u.ibpkey.low_pkey  > 0xffff ||
> > +                                 c->u.ibpkey.high_pkey > 0xffff)
> > +                                     return -1;
> > +
> > +                             /* we want c->u.ibpkey.subnet_prefix in 
> > network
> > +                              * (big-endian) order, just memcpy it */
> >                               memcpy(&c->u.ibpkey.subnet_prefix, buf,
> >                                      sizeof(c->u.ibpkey.subnet_prefix)); >
> > -                             c->u.ibpkey.low_pkey = le32_to_cpu(buf[2]);
> > -                             c->u.ibpkey.high_pkey = le32_to_cpu(buf[3]);
> > -
> >                               if (context_read_and_validate
> >                                   (&c->context[0], p, fp))
> >                                       return -1;
> >
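Review bot: The new range check in the OCON_IBPKEY case compares c->u.ibpkey.low_pkey and c->u.ibpkey.high_pkey against 0xffff only after the le32_to_cpu() results have already been stored into those fields. If the struct members are narrower than 32 bits, the store truncates first and the "> 0xffff" test can never be true, so an out-of-range on-disk value would be accepted silently. Converting into local uint32_t temporaries, checking those, and assigning to the struct only after the check passes would keep the validation effective regardless of the field width. It would also avoid leaving partially filled values in c on the error path.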
>
> _______________________________________________
> Selinux mailing list
> Selinux@tycho.nsa.gov
> To unsubscribe, send email to selinux-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to selinux-requ...@tycho.nsa.gov.