authorAndrew Morton <akpm@osdl.org>2004-02-15 18:06:53 -0800
committerLinus Torvalds <torvalds@home.osdl.org>2004-02-15 18:06:53 -0800
commitb01d7ca34aa35fa2b1b57693cc13ab7ba7bd5b3f (patch)
tree213eb03a7bfcbebe144e2668771ce7b865609597 /security
parente76445c88353f558aa49c4f52b4d0a713959eef8 (diff)
[PATCH] SELinux: Fix error handling bug.
From: James Morris <jmorris@redhat.com> The patch below fixes an error handling flaw, where we need to return a Netfilter verdict from the function rather than a standard error code.
Diffstat (limited to 'security')
-rw-r--r--security/selinux/hooks.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index aa07acdf37a213..8c0ea6a4ee3fb7 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3179,8 +3179,9 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
/* Fixme: this lookup is inefficient */
iph = skb->nh.iph;
- err = security_node_sid(PF_INET, &iph->daddr, sizeof(iph->daddr), &node_sid);
- if (err)
+ err = security_node_sid(PF_INET, &iph->daddr, sizeof(iph->daddr),
+ &node_sid) ? NF_DROP : NF_ACCEPT;
+ if (err != NF_ACCEPT)
goto out;
err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,
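Review bot: After this change `err` holds a Netfilter verdict at the `security_node_sid()` call, but on the last context line it is assigned the raw return of `avc_has_perm()`, so one variable carries two value conventions within a few lines. Whether the `avc_has_perm()` result is mapped to a verdict before `out:` is not visible here, because the function body continues outside the hunk; if it is not, it needs the same `? NF_DROP : NF_ACCEPT` mapping. A short comment above the lookup would make the fail-closed intent explicit, for example `/* err holds a Netfilter verdict from here on; a failed SID lookup drops the packet */`. A separate `unsigned int verdict` local would also keep errno-style codes and verdicts from being mixed up again.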