git://ftp.safe.ca / safe / jmp / linux-2.6 / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 9121c77)
[XFRM]: Fix OOPSes in xfrm_audit_log().
authorDavid S. Miller <davem@sunset.davemloft.net>
Mon, 12 Feb 2007 21:53:54 +0000 (13:53 -0800)
committerDavid S. Miller <davem@sunset.davemloft.net>
Mon, 12 Feb 2007 21:53:54 +0000 (13:53 -0800)
Make sure that this function is called correctly, and
add BUG() checking to ensure the arguments are sane.

Based upon a patch by Joy Latten.

Signed-off-by: David S. Miller <davem@davemloft.net>
net/key/af_key.c patch | blob | history
net/xfrm/xfrm_policy.c patch | blob | history
net/xfrm/xfrm_user.c patch | blob | history

diff --git a/net/key/af_key.c b/net/key/af_key.c
index f3a026f..1c58204 100644 (file)
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -2297,16 +2297,17 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg
                                   &sel, tmp.security, 1);
        security_xfrm_policy_free(&tmp);
 
-       xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
-                      AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
-
        if (xp == NULL)
                return -ENOENT;
 
-       err = 0;
+       err = security_xfrm_policy_delete(xp);
 
-       if ((err = security_xfrm_policy_delete(xp)))
+       xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
+                      AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+
+       if (err)
                goto out;
+
        c.seq = hdr->sadb_msg_seq;
        c.pid = hdr->sadb_msg_pid;
        c.event = XFRM_MSG_DELPOLICY;
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index a24f385..c394b41 100644 (file)
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1997,9 +1997,14 @@ void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
        if (audit_enabled == 0)
                return;
 
+       BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||
+               type == AUDIT_MAC_IPSEC_DELSA) && !x);
+       BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||
+               type == AUDIT_MAC_IPSEC_DELSPD) && !xp);
+
        audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
        if (audit_buf == NULL)
-       return;
+               return;
 
        switch(type) {
        case AUDIT_MAC_IPSEC_ADDSA:
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index d55436d..2567453 100644 (file)
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -1273,10 +1273,6 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
                xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete);
                security_xfrm_policy_free(&tmp);
        }
-       if (delete)
-               xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
-                              AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
-
        if (xp == NULL)
                return -ENOENT;
 
@@ -1292,8 +1288,14 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
                                              MSG_DONTWAIT);
                }
        } else {
-               if ((err = security_xfrm_policy_delete(xp)) != 0)
+               err = security_xfrm_policy_delete(xp);
+
+               xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
+                              AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
+
+               if (err != 0)
                        goto out;
+
                c.data.byid = p->index;
                c.event = nlh->nlmsg_type;
                c.seq = nlh->nlmsg_seq;
Full containers within linux kernel