    cipso: don't use IPCB() to locate the CIPSO IP option · 04f81f01
    Paul Moore authored
    Using the IPCB() macro to get the IPv4 options is convenient, but
    unfortunately NetLabel often needs to examine the CIPSO option outside
    of the scope of the IP layer in the stack.  While historically IPCB()
    worked above the IP layer, due to the inclusion of the inet_skb_param
    struct at the head of the {tcp,udp}_skb_cb structs, recent commit
    971f10ec ("tcp: better TCP_SKB_CB layout to reduce cache line misses")
    reordered the tcp_skb_cb struct and invalidated this IPCB() trick.
    This patch fixes the problem by creating a new function,
    cipso_v4_optptr(), which locates the CIPSO option inside the IP header
    without calling IPCB().  Unfortunately, this isn't as fast as a simple
    lookup so some additional tweaks were made to limit the use of this
    new function.
    Cc: <stable@vger.kernel.org> # 3.18
    Reported-by: Casey Schaufler <casey@schaufler-ca.com>
    Signed-off-by: Paul Moore <pmoore@redhat.com>
    Tested-by: Casey Schaufler <casey@schaufler-ca.com>
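The commit message above describes locating the CIPSO option by walking the IPv4 header itself instead of relying on IPCB(). The following userspace sketch of such a walk is an added example, not the kernel's cipso_v4_optptr() and not part of the patch; `find_cipso_opt` and the sample headers are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define OPT_END   0     /* end of option list, single byte */
#define OPT_NOOP  1     /* no-operation padding, single byte */
#define OPT_CIPSO 134   /* CIPSO option type */

/* Constructed samples (checksums left zero): NOP + 6-byte CIPSO + END,
 * a header without options, and a CIPSO option with a zero length byte. */
const uint8_t hdr_cipso[28] = {
    0x47, 0, 0, 28, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2,
    OPT_NOOP, OPT_CIPSO, 6, 0, 0, 0, 1, OPT_END };
const uint8_t hdr_plain[20] = {
    0x45, 0, 0, 20, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2 };
const uint8_t hdr_badlen[24] = {
    0x46, 0, 0, 24, 0, 0, 0, 0, 64, 6, 0, 0, 10, 0, 0, 1, 10, 0, 0, 2,
    OPT_CIPSO, 0, 0, 0 };

/* Hypothetical helper: byte offset of the CIPSO option inside the IPv4
 * header at hdr, or -1 if it is absent or the option area is malformed. */
int find_cipso_opt(const uint8_t *hdr, size_t len)
{
    size_t hlen, off = 20;

    if (len < 20 || (hdr[0] >> 4) != 4)
        return -1;
    hlen = (size_t)(hdr[0] & 0x0f) * 4;     /* IHL is in 32-bit words */
    if (hlen < 20 || hlen > len)
        return -1;

    while (off < hlen) {
        uint8_t type = hdr[off];
        size_t olen;

        if (type == OPT_END)
            return -1;                      /* nothing valid follows */
        if (type == OPT_NOOP) {
            off++;
            continue;
        }
        if (off + 1 >= hlen)
            return -1;                      /* no room for a length byte */
        olen = hdr[off + 1];
        if (olen < 2 || off + olen > hlen)
            return -1;                      /* short or overrunning length */
        if (type == OPT_CIPSO)
            return (int)off;
        off += olen;
    }
    return -1;
}
```

The `olen < 2` check is what keeps a zero length byte, as in `hdr_badlen`, from stalling the loop on the same offset.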
cipso_ipv4.h 8.1 KB