This patch against 2.6.7-rc2 changes security_context_to_sid to check the length of the
processed security context against the full length of the provided
context, rejecting any further data. Please apply.
security/selinux/ss/mls.c | 2 +-
security/selinux/ss/services.c | 5 +++++
2 files changed, 6 insertions(+), 1 deletion(-)
Signed-off-by: Stephen Smalley <[email protected]>
Index: linux-2.6/security/selinux/ss/services.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/ss/services.c,v
retrieving revision 1.42
diff -u -p -r1.42 services.c
--- linux-2.6/security/selinux/ss/services.c 10 May 2004 13:01:09 -0000 1.42
+++ linux-2.6/security/selinux/ss/services.c 28 May 2004 12:10:33 -0000
@@ -532,6 +532,11 @@ int security_context_to_sid(char *sconte
if (rc)
goto out_unlock;
+ if ((p - scontext2) < scontext_len) {
+ rc = -EINVAL;
+ goto out_unlock;
+ }
+
/* Check the validity of the new context. */
if (!policydb_context_isvalid(&policydb, &context)) {
rc = -EINVAL;
Index: linux-2.6/security/selinux/ss/mls.c
===================================================================
RCS file: /nfshome/pal/CVS/linux-2.6/security/selinux/ss/mls.c,v
retrieving revision 1.18
diff -u -p -r1.18 mls.c
--- linux-2.6/security/selinux/ss/mls.c 28 Oct 2003 14:08:27 -0000 1.18
+++ linux-2.6/security/selinux/ss/mls.c 28 May 2004 18:36:51 -0000
@@ -290,7 +290,7 @@ int mls_context_to_sid(char oldc,
if (rc)
goto out;
}
- *scontext = p;
+ *scontext = ++p;
rc = 0;
out:
return rc;
--
Stephen Smalley <[email protected]>
National Security Agency