[PATCH] SELinux: Fix error handling bug.

From: James Morris <jmorris@redhat.com> The patch below fixes an error handling flaw, where we need to return a Netfilter verdict from the function rather than a standard error code.

[PATCH] SELinux: Fix error handling bug.
From: James Morris <jmorris@redhat.com> The patch below fixes an error handling flaw, where we need to return a Netfilter verdict from the function rather than a standard error code.
b01d7ca3 · Andrew Morton · Linus Torvalds · e76445c8 · b01d7ca3
Commit b01d7ca3 authored Feb 15, 2004 by Andrew Morton Committed by Linus Torvalds Feb 15, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 3 additions and 2 deletions

security/selinux/hooks.c security/selinux/hooks.c +3 -2

No files found.
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3179,8 +3179,9 @@ static unsigned int selinux_ip_postroute_last(unsigned int hooknum,
 		
 	/* Fixme: this lookup is inefficient */
 	iph = skb->nh.iph;
-	err = security_node_sid(PF_INET, &iph->daddr, sizeof(iph->daddr), &node_sid);
-	if (err)
+	err = security_node_sid(PF_INET, &iph->daddr, sizeof(iph->daddr),
+				&node_sid) ? NF_DROP : NF_ACCEPT;
+	if (err != NF_ACCEPT)
 		goto out;
 	
 	err = avc_has_perm(isec->sid, node_sid, SECCLASS_NODE,