authorEugene Teo <eteo@redhat.com>2009-04-13 10:04:41 +0800
committerGreg Kroah-Hartman <gregkh@suse.de>2009-05-08 15:45:02 -0700
commit841825d424ea902c3e960db0d061586d769a7fce (patch)
treec09306e50d9ce6661eea2042091f8bf3feabb7c3
parent1ce131dbbedc4b9491737c2e4adb863baa5800b6 (diff)
unreached code in selinux_ip_postroute_iptables_compat() (CVE-2009-1184)
Not upstream in 2.6.30, as the function was removed there, making this a non-issue. Without this check, the node and port send checks can be skipped in the compat_net=1 case. This bug was introduced in commit effad8d.

Signed-off-by: Eugene Teo <eugeneteo@kernel.sg>
Reported-by: Dan Carpenter <error27@gmail.com>
Acked-by: James Morris <jmorris@namei.org>
Acked-by: Paul Moore <paul.moore@hp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
-rw-r--r--security/selinux/hooks.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 00815973d412..e210b212da7f 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -4661,6 +4661,7 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
if (err)
return err;
err = avc_has_perm(sk_sid, if_sid, SECCLASS_NETIF, netif_perm, ad);
+ if (err)
return err;
err = sel_netnode_sid(addrp, family, &node_sid);