smack: use skb_to_full_sk() helper
This module wants to access sk->sk_security, which is not
available for request sockets.

Fixes: ca6fb06 ("tcp: attach SYNACK messages to request sockets instead of listener")
Signed-off-by: Eric Dumazet <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Eric Dumazet authored and davem330 committed Nov 9, 2015
1 parent 54abc68 commit 8827d90
Showing 1 changed file with 7 additions and 4 deletions.
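--- a/security/smack/smack_netfilter.c
+++ b/security/smack/smack_netfilter.c
@@ -17,6 +17,7 @@
 #include <linux/netfilter_ipv4.h>
 #include <linux/netfilter_ipv6.h>
 #include <linux/netdevice.h>
+#include <net/inet_sock.h>
 #include "smack.h"
 
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
@@ -25,11 +26,12 @@ static unsigned int smack_ipv6_output(void *priv,
 struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
+struct sock *sk = skb_to_full_sk(skb);
 struct socket_smack *ssp;
 struct smack_known *skp;
 
-if (skb && skb->sk && skb->sk->sk_security) {
-ssp = skb->sk->sk_security;
+if (sk && sk->sk_security) {
+ssp = sk->sk_security;
 skp = ssp->smk_out;
 skb->secmark = skp->smk_secid;
 }
@@ -42,11 +44,12 @@ static unsigned int smack_ipv4_output(void *priv,
 struct sk_buff *skb,
 const struct nf_hook_state *state)
 {
+struct sock *sk = skb_to_full_sk(skb);
 struct socket_smack *ssp;
 struct smack_known *skp;
 
-if (skb && skb->sk && skb->sk->sk_security) {
-ssp = skb->sk->sk_security;
+if (sk && sk->sk_security) {
+ssp = sk->sk_security;
 skp = ssp->smk_out;
 skb->secmark = skp->smk_secid;
 }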
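Review bot: The rewritten guard in smack_ipv6_output() and smack_ipv4_output() no longer tests `skb` itself before it is used: the old `if (skb && skb->sk && ...)` is replaced by a call to `skb_to_full_sk(skb)` in the declaration, which presumably dereferences skb (the helper's body is not shown here). If these netfilter hooks are never invoked with a NULL skb, that is fine, but the dropped test deserves a sentence in the commit message; otherwise keep it with `struct sock *sk = skb ? skb_to_full_sk(skb) : NULL;`. A comment above the declaration would also help, for example `/* request sockets carry no sk_security; take the label from the full socket */`, so it is clear which socket's smk_out ends up in the secmark of a SYNACK (presumably the listener's, going by the Fixes: line). Both function bodies start and end outside the hunks shown.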
