unreached code in selinux_ip_postroute_iptables_compat() (CVE-2009-1184)

Not upstream in 2.6.30, as the function was removed there, making this a
non-issue.

Node and port send checks can skip in the compat_net=1 case. This bug
was introduced in commit effad8d.

Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
Reported-by: Dan Carpenter <error27@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 03fc6a81ae32bd783ddd96eca85f118a2ba79bd8..f028f704225fcef839c48cd87a5c2e29e6425ebd 100644 (file)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4467,6 +4467,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
        if (err)
                return err;
        err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
+       if (err)
                return err;
 
        err = sel_netnode_sid(addrp, family, &node_sid);