aboutsummaryrefslogtreecommitdiffstats
path: root/net/xfrm/xfrm_user.c
diff options
context:
space:
mode:
authorPaul Moore <paul.moore@hp.com>2008-04-12 19:07:52 -0700
committerDavid S. Miller <davem@davemloft.net>2008-04-12 19:07:52 -0700
commit03e1ad7b5d871d4189b1da3125c2f12d1b5f7d0b (patch)
tree1e7f291ac6bd0c1f3a95e8252c32fcce7ff47ea7 /net/xfrm/xfrm_user.c
parent00447872a643787411c2c0cb1df6169dda8b0c47 (diff)
downloadkernel_samsung_aries-03e1ad7b5d871d4189b1da3125c2f12d1b5f7d0b.zip
kernel_samsung_aries-03e1ad7b5d871d4189b1da3125c2f12d1b5f7d0b.tar.gz
kernel_samsung_aries-03e1ad7b5d871d4189b1da3125c2f12d1b5f7d0b.tar.bz2
LSM: Make the Labeled IPsec hooks more stack friendly
The xfrm_get_policy() and xfrm_add_pol_expire() put some rather large structs on the stack to work around the LSM API. This patch attempts to fix that problem by changing the LSM API to require only the relevant "security" pointers instead of the entire SPD entry; we do this for all of the security_xfrm_policy*() functions to keep things consistent. Signed-off-by: Paul Moore <paul.moore@hp.com> Acked-by: James Morris <jmorris@namei.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/xfrm/xfrm_user.c')
-rw-r--r--net/xfrm/xfrm_user.c33
1 files changed, 17 insertions, 16 deletions
diff --git a/net/xfrm/xfrm_user.c b/net/xfrm/xfrm_user.c
index 5578c90..ecf9d67 100644
--- a/net/xfrm/xfrm_user.c
+++ b/net/xfrm/xfrm_user.c
@@ -959,7 +959,7 @@ static int copy_from_user_sec_ctx(struct xfrm_policy *pol, struct nlattr **attrs
return 0;
uctx = nla_data(rt);
- return security_xfrm_policy_alloc(pol, uctx);
+ return security_xfrm_policy_alloc(&pol->security, uctx);
}
static void copy_templates(struct xfrm_policy *xp, struct xfrm_user_tmpl *ut,
@@ -1143,7 +1143,7 @@ static int xfrm_add_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
NETLINK_CB(skb).sid);
if (err) {
- security_xfrm_policy_free(xp);
+ security_xfrm_policy_free(xp->security);
kfree(xp);
return err;
}
@@ -1337,22 +1337,23 @@ static int xfrm_get_policy(struct sk_buff *skb, struct nlmsghdr *nlh,
xp = xfrm_policy_byid(type, p->dir, p->index, delete, &err);
else {
struct nlattr *rt = attrs[XFRMA_SEC_CTX];
- struct xfrm_policy tmp;
+ struct xfrm_sec_ctx *ctx;
err = verify_sec_ctx_len(attrs);
if (err)
return err;
- memset(&tmp, 0, sizeof(struct xfrm_policy));
if (rt) {
struct xfrm_user_sec_ctx *uctx = nla_data(rt);
- if ((err = security_xfrm_policy_alloc(&tmp, uctx)))
+ err = security_xfrm_policy_alloc(&ctx, uctx);
+ if (err)
return err;
- }
- xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security,
+ } else
+ ctx = NULL;
+ xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, ctx,
delete, &err);
- security_xfrm_policy_free(&tmp);
+ security_xfrm_policy_free(ctx);
}
if (xp == NULL)
return -ENOENT;
@@ -1572,26 +1573,26 @@ static int xfrm_add_pol_expire(struct sk_buff *skb, struct nlmsghdr *nlh,
xp = xfrm_policy_byid(type, p->dir, p->index, 0, &err);
else {
struct nlattr *rt = attrs[XFRMA_SEC_CTX];
- struct xfrm_policy tmp;
+ struct xfrm_sec_ctx *ctx;
err = verify_sec_ctx_len(attrs);
if (err)
return err;
- memset(&tmp, 0, sizeof(struct xfrm_policy));
if (rt) {
struct xfrm_user_sec_ctx *uctx = nla_data(rt);
- if ((err = security_xfrm_policy_alloc(&tmp, uctx)))
+ err = security_xfrm_policy_alloc(&ctx, uctx);
+ if (err)
return err;
- }
- xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, tmp.security,
- 0, &err);
- security_xfrm_policy_free(&tmp);
+ } else
+ ctx = NULL;
+ xp = xfrm_policy_bysel_ctx(type, p->dir, &p->sel, ctx, 0, &err);
+ security_xfrm_policy_free(ctx);
}
-
if (xp == NULL)
return -ENOENT;
+
read_lock(&xp->lock);
if (xp->dead) {
read_unlock(&xp->lock);