• Paolo Abeni's avatar
    netlabel: cope with NULL catmap · eead1c2e
    Paolo Abeni authored
    The cipso and calipso code can set the MLS_CAT attribute on
    successful parsing, even if the corresponding catmap has
    not been allocated, as per current configuration and external
    input.
    
    Later, selinux code tries to access the catmap if the MLS_CAT flag
    is present via netlbl_catmap_getlong(). That may cause null ptr
    dereference while processing incoming network traffic.
    
    Address the issue setting the MLS_CAT flag only if the catmap is
    really allocated. Additionally let netlbl_catmap_getlong() cope
    with NULL catmap.
    Reported-by: default avatarMatthew Sheets <matthew.sheets@gd-ms.com>
    Fixes: 4b8feff2 ("netlabel: fix the horribly broken catmap functions")
    Fixes: ceba1832 ("calipso: Set the calipso socket label to match the secattr.")
    Signed-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
    Acked-by: default avatarPaul Moore <paul@paul-moore.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    eead1c2e
netlabel_kapi.c 37.4 KB