Commit 13fcfbb0 authored by David S. Miller's avatar David S. Miller

[XFRM]: Fix OOPSes in xfrm_audit_log().

Make sure that this function is called correctly, and
add BUG() checking to ensure the arguments are sane.

Based upon a patch by Joy Latten.
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 9121c777
...@@ -2297,16 +2297,17 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg ...@@ -2297,16 +2297,17 @@ static int pfkey_spddelete(struct sock *sk, struct sk_buff *skb, struct sadb_msg
&sel, tmp.security, 1); &sel, tmp.security, 1);
security_xfrm_policy_free(&tmp); security_xfrm_policy_free(&tmp);
xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
if (xp == NULL) if (xp == NULL)
return -ENOENT; return -ENOENT;
err = 0; err = security_xfrm_policy_delete(xp);
if ((err = security_xfrm_policy_delete(xp))) xfrm_audit_log(audit_get_loginuid(current->audit_context), 0,
AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
if (err)
goto out; goto out;
c.seq = hdr->sadb_msg_seq; c.seq = hdr->sadb_msg_seq;
c.pid = hdr->sadb_msg_pid; c.pid = hdr->sadb_msg_pid;
c.event = XFRM_MSG_DELPOLICY; c.event = XFRM_MSG_DELPOLICY;
......
...@@ -1997,6 +1997,11 @@ void xfrm_audit_log(uid_t auid, u32 sid, int type, int result, ...@@ -1997,6 +1997,11 @@ void xfrm_audit_log(uid_t auid, u32 sid, int type, int result,
if (audit_enabled == 0) if (audit_enabled == 0)
return; return;
BUG_ON((type == AUDIT_MAC_IPSEC_ADDSA ||
type == AUDIT_MAC_IPSEC_DELSA) && !x);
BUG_ON((type == AUDIT_MAC_IPSEC_ADDSPD ||
type == AUDIT_MAC_IPSEC_DELSPD) && !xp);
audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type); audit_buf = audit_log_start(current->audit_context, GFP_ATOMIC, type);
if (audit_buf == NULL) if (audit_buf == NULL)
return; return;
......
...@@ -1273,10 +1273,6 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, ...@@ -1273,10 +1273,6 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete); xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security, delete);
security_xfrm_policy_free(&tmp); security_xfrm_policy_free(&tmp);
} }
if (delete)
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
AUDIT_MAC_IPSEC_DELSPD, (xp) ? 1 : 0, xp, NULL);
if (xp == NULL) if (xp == NULL)
return -ENOENT; return -ENOENT;
...@@ -1292,8 +1288,14 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh, ...@@ -1292,8 +1288,14 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
MSG_DONTWAIT); MSG_DONTWAIT);
} }
} else { } else {
if ((err = security_xfrm_policy_delete(xp)) != 0) err = security_xfrm_policy_delete(xp);
xfrm_audit_log(NETLINK_CB(skb).loginuid, NETLINK_CB(skb).sid,
AUDIT_MAC_IPSEC_DELSPD, err ? 0 : 1, xp, NULL);
if (err != 0)
goto out; goto out;
c.data.byid = p->index; c.data.byid = p->index;
c.event = nlh->nlmsg_type; c.event = nlh->nlmsg_type;
c.seq = nlh->nlmsg_seq; c.seq = nlh->nlmsg_seq;
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment