[1/2] checkpolicy: perform contiguous check in host byte order

Commit Message

Christian Göttsche May 8, 2024, 5:04 p.m. UTC

From: Christian Göttsche <cgzones@googlemail.com>

The contiguous check for network masks requires host byte order on the
underlying integers.
Convert from network byte order to avoid wrong warnings.

Fixes: 01b88ac3 ("checkpolicy: warn on bogus IP address or netmask in nodecon statement")
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 checkpolicy/policy_define.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

James Carter May 15, 2024, 8:16 p.m. UTC | #1

On Wed, May 8, 2024 at 1:04 PM Christian Göttsche
<cgoettsche@seltendoof.de> wrote:
>
> From: Christian Göttsche <cgzones@googlemail.com>
>
> The contiguous check for network masks requires host byte order on the
> underlying integers.
> Convert from network byte order to avoid wrong warnings.
>
> Fixes: 01b88ac3 ("checkpolicy: warn on bogus IP address or netmask in nodecon statement")
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

For these two patches:
Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  checkpolicy/policy_define.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> index aa2ac2e6..9671906f 100644
> --- a/checkpolicy/policy_define.c
> +++ b/checkpolicy/policy_define.c
> @@ -5292,7 +5292,7 @@ int define_ipv4_node_context(void)
>
>         free(id);
>
> -       if (mask.s_addr != 0 && ((~mask.s_addr + 1) & ~mask.s_addr) != 0) {
> +       if (mask.s_addr != 0 && ((~be32toh(mask.s_addr) + 1) & ~be32toh(mask.s_addr)) != 0) {
>                 yywarn("ipv4 mask is not contiguous");
>         }
>
> --
> 2.43.0
>
>

James Carter May 24, 2024, 1:49 p.m. UTC | #2

On Wed, May 15, 2024 at 4:16 PM James Carter <jwcart2@gmail.com> wrote:
>
> On Wed, May 8, 2024 at 1:04 PM Christian Göttsche
> <cgoettsche@seltendoof.de> wrote:
> >
> > From: Christian Göttsche <cgzones@googlemail.com>
> >
> > The contiguous check for network masks requires host byte order on the
> > underlying integers.
> > Convert from network byte order to avoid wrong warnings.
> >
> > Fixes: 01b88ac3 ("checkpolicy: warn on bogus IP address or netmask in nodecon statement")
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> For these two patches:
> Acked-by: James Carter <jwcart2@gmail.com>
>

These two patches have been merged.
Thanks,
Jim

> > ---
> >  checkpolicy/policy_define.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
> > index aa2ac2e6..9671906f 100644
> > --- a/checkpolicy/policy_define.c
> > +++ b/checkpolicy/policy_define.c
> > @@ -5292,7 +5292,7 @@ int define_ipv4_node_context(void)
> >
> >         free(id);
> >
> > -       if (mask.s_addr != 0 && ((~mask.s_addr + 1) & ~mask.s_addr) != 0) {
> > +       if (mask.s_addr != 0 && ((~be32toh(mask.s_addr) + 1) & ~be32toh(mask.s_addr)) != 0) {
> >                 yywarn("ipv4 mask is not contiguous");
> >         }
> >
> > --
> > 2.43.0
> >
> >

Patch

diff --git a/checkpolicy/policy_define.c b/checkpolicy/policy_define.c
index aa2ac2e6..9671906f 100644
--- a/checkpolicy/policy_define.c
+++ b/checkpolicy/policy_define.c
@@ -5292,7 +5292,7 @@  int define_ipv4_node_context(void)
 
 	free(id);
 
-	if (mask.s_addr != 0 && ((~mask.s_addr + 1) & ~mask.s_addr) != 0) {
+	if (mask.s_addr != 0 && ((~be32toh(mask.s_addr) + 1) & ~be32toh(mask.s_addr)) != 0) {
 		yywarn("ipv4 mask is not contiguous");
 	}