37 lines
1.2 KiB
Diff
37 lines
1.2 KiB
Diff
|
From 84a33fb96b4876a49bfb739b9a2160d88e015209 Mon Sep 17 00:00:00 2001
|
||
|
|
From: James Carter <jwcart2@gmail.com>
|
||
|
|
Date: Mon, 8 Jul 2024 12:50:32 -0400
|
||
|
|
Subject: [PATCH] checkpolicy: Check the right bits of an ibpkeycon rule subnet
|
||
|
|
prefix
|
||
|
|
|
||
|
|
The lower 64 bits of the subnet prefix for an ibpkeycon rule should
|
||
|
|
all be 0's. Unfortunately the check uses the s6_addr macro which refers
|
||
|
|
to the 16 entry array of 8-bit values in the union and does not refer
|
||
|
|
to the correct bits.
|
||
|
|
|
||
|
|
Use the s6_addr32 macro instead which refers to the 4 entry array of
|
||
|
|
32-bit values in the union and refers to the lower 64 bits.
|
||
|
|
|
||
|
|
Signed-off-by: James Carter <jwcart2@gmail.com>
|
||
|
|
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
|
||
|
|
---
|
||
|
|
policy_define.c | 2 +-
|
||
|
|
1 file changed, 1 insertion(+), 1 deletion(-)
|
||
|
|
|
||
|
|
diff --git a/policy_define.c b/policy_define.c
|
||
|
|
index 4931f23d..bfeda86b 100644
|
||
|
|
--- a/policy_define.c
|
||
|
|
+++ b/policy_define.c
|
||
|
|
@@ -5148,7 +5148,7 @@ int define_ibpkey_context(unsigned int low, unsigned int high)
|
||
|
|
goto out;
|
||
|
|
}
|
||
|
|
|
||
|
|
- if (subnet_prefix.s6_addr[2] || subnet_prefix.s6_addr[3]) {
|
||
|
|
+ if (subnet_prefix.s6_addr32[2] || subnet_prefix.s6_addr32[3]) {
|
||
|
|
yyerror("subnet prefix should be 0's in the low order 64 bits.");
|
||
|
|
rc = -1;
|
||
|
|
goto out;
|
||
|
|
--
|
||
|
|
2.33.0
|
||
|
|
|