[PATCH net 3/4] netlabel: validate CALIPSO option against skb tail in netlbl_skbuff_getattr
Qi Tang
tpluszz77 at gmail.com
Fri May 15 02:42:16 UTC 2026
Agreed, -EINVAL is right. The bytes passed parse-time
validation, so hitting either bounds check at consume time means
they were mutated after parse. Treating such a packet as "no
label" via netlbl_unlabel_getattr() drops it into the wrong
default. v2 returns -EINVAL on both checks.
Will also drop the Smack mention from the commit message (Casey
flagged that separately).
Qi
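
An added example, not part of this message or of the patch under discussion: a user-space C model of the consume-time checks the reply describes, where a recorded option that no longer fits before the tail returns -EINVAL instead of being treated as unlabeled. `struct pkt`, `pkt_getattr` and `sample` are hypothetical names, and the two-byte type/length TLV header and the sample bytes are assumptions constructed for the illustration.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for an skb: linear bytes up to the tail, plus the
 * option offset that parse-time validation recorded (0 = no option seen). */
struct pkt {
    uint8_t data[64];
    size_t  tail;     /* number of valid bytes in data[] */
    size_t  opt_off;  /* offset of the TLV option, 0 if none */
};

/* Consume-time lookup. Returns 1 if labeled, 0 if genuinely unlabeled, and
 * -EINVAL when a recorded option no longer fits before the tail. */
static int pkt_getattr(const struct pkt *p, const uint8_t **opt, size_t *opt_len)
{
    if (p->opt_off == 0)
        return 0;                 /* no option: the unlabeled path is correct */
    /* Check 1: the two-byte TLV header (type, length) lies before the tail. */
    if (p->opt_off > p->tail || p->tail - p->opt_off < 2)
        return -EINVAL;
    /* Check 2: the length byte, read now, keeps the option before the tail. */
    size_t total = 2 + (size_t)p->data[p->opt_off + 1];
    if (p->tail - p->opt_off < total)
        return -EINVAL;           /* changed since parse: reject, no fallback */
    *opt = p->data + p->opt_off;
    *opt_len = total;
    return 1;
}

/* Constructed sample: 8 bytes of padding, then a TLV with 4 data bytes.
 * len_byte and tail model bytes that differ from what was parsed. */
static int sample(uint8_t len_byte, size_t tail, int has_opt)
{
    struct pkt p = { .tail = tail, .opt_off = has_opt ? 8 : 0 };
    const uint8_t tlv[6] = { 0x07, len_byte, 0xaa, 0xbb, 0xcc, 0xdd };
    const uint8_t *opt = NULL;
    size_t n = 0;
    memcpy(p.data + 8, tlv, sizeof(tlv));
    return pkt_getattr(&p, &opt, &n);
}

int main(void)
{
    printf("intact=%d unlabeled=%d grown_len=%d short_tail=%d\n",
           sample(4, 14, 1), sample(4, 14, 0), sample(200, 14, 1), sample(4, 9, 1));
    return 0;
}
```

The caller can tell the three outcomes apart, so only a packet that never carried an option reaches the unlabeled default.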