From patchwork Fri Feb 8 21:28:03 2013
X-Patchwork-Submitter: Chuck Lever
X-Patchwork-Id: 2118761
From: Chuck Lever
Subject: [PATCH v1 2/3] NFSD: SECINFO doesn't handle unsupported pseudoflavors correctly
To: linux-nfs@vger.kernel.org
Date: Fri, 08 Feb 2013 16:28:03 -0500
Message-ID: <20130208212803.2234.60073.stgit@seurat.1015granger.net>

If nfsd4_do_encode_secinfo() can't find GSS info that matches an
export security flavor, it assumes the flavor is not a GSS
pseudoflavor, and simply puts it on the wire.

However, if this XDR encoding logic is given a legitimate GSS
pseudoflavor but the RPC layer says it does not support that
pseudoflavor for some reason, then the server leaks GSS pseudoflavor
numbers onto the wire.

I confirmed this happens by blacklisting rpcsec_gss_krb5, then
attempting a client transition from the pseudo-fs to a Kerberos-only
share. The client received a flavor list containing the Kerberos
pseudoflavor numbers, rather than GSS tuples.

The encoder logic can check that each pseudoflavor in flavs[] is
less than MAXFLAVOR before writing it into the buffer, to prevent
this. But after "nflavs" is written into the XDR buffer, the
encoder can't skip writing flavor information into the buffer when
it discovers the RPC layer doesn't support that flavor.

So count the number of valid flavors as they are written into the
XDR buffer, then write that count into the XDR buffer when all
recognized flavors have been encoded.
---
 fs/nfsd/nfs4xdr.c | 26 ++++++++++++++++++++------
 1 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/fs/nfsd/nfs4xdr.c b/fs/nfsd/nfs4xdr.c index 0c1ae2c..4e9f0b5 100644 --- a/fs/nfsd/nfs4xdr.c +++ b/fs/nfsd/nfs4xdr.c @@ -3129,10 +3129,11 @@ static __be32 nfsd4_do_encode_secinfo(struct nfsd4_compoundres *resp, __be32 nfserr, struct svc_export *exp) { - u32 i, nflavs; + u32 i, nflavs, supported; struct exp_flavor_info *flavs; struct exp_flavor_info def_flavs[2]; - __be32 *p; + __be32 *p, *flavorsp; + static bool report = true; if (nfserr) goto out; @@ -3156,13 +3157,17 @@ nfsd4_do_encode_secinfo(struct nfsd4_compoundres *resp, } } + supported = 0; RESERVE_SPACE(4); - WRITE32(nflavs); + flavorsp = p++; /* to be backfilled later */ ADJUST_ARGS(); + for (i = 0; i < nflavs; i++) { + rpc_authflavor_t pf = flavs[i].pseudoflavor; struct rpcsec_gss_info info; - if (rpcauth_get_gssinfo(flavs[i].pseudoflavor, &info) == 0) { + if (rpcauth_get_gssinfo(pf, &info) == 0) { + supported++; RESERVE_SPACE(4 + 4 + info.oid.len + 4 + 4); WRITE32(RPC_AUTH_GSS); WRITE32(info.oid.len); @@ -3170,13 +3175,22 @@ nfsd4_do_encode_secinfo(struct nfsd4_compoundres *resp, WRITE32(info.qop); WRITE32(info.service); ADJUST_ARGS(); - } else { + } else if (pf < RPC_AUTH_MAXFLAVOR) { + supported++; RESERVE_SPACE(4); - WRITE32(flavs[i].pseudoflavor); + WRITE32(pf); ADJUST_ARGS(); + } else { + if (report) + pr_warn("NFS: SECINFO: security flavor %u " + "is not supported\n", pf); } } + if (nflavs != supported) + report = false; + *flavorsp = htonl(supported); + out: if (exp) exp_put(exp);
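
Review bot: The function-local "static bool report" added to the declarations in the first hunk (@@ -3129) is read in the loop and cleared after it with no synchronization, so SECINFO replies encoded concurrently can each print the warning before any of them reaches "report = false", and the first affected reply prints one line per unsupported flavor. pr_warn_once(), or a ratelimited pr_warn if every flavor number should be visible, gives the one-shot behaviour without the hand-rolled flag and without the separate "if (nflavs != supported)" reset at the end of the function.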
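
Review bot: "flavorsp = p++" in the second hunk (@@ -3156) leaves the count word unwritten until the backfill after the loop and keeps a raw pointer into the reply buffer across every RESERVE_SPACE()/ADJUST_ARGS() pair that follows. Nothing in the visible lines shows that the reserved word is still at that address when "*flavorsp = htonl(supported)" runs, so the "to be backfilled later" comment should state that assumption, or the slot should be written with a placeholder via WRITE32() so it never goes out uninitialized if a later change adds an early exit between the two points.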
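
Review bot: In the third hunk (@@ -3170), when every entry in flavs[] lands in the new final else branch, supported stays 0 and the reply is encoded with an empty flavor list while nfserr is left untouched, a case the commit message does not address. Please either return an error for that case or add a comment saying an empty SECINFO list is the intended answer. A smaller point in the same branch: the pr_warn text is prefixed "NFS:" although it is emitted from fs/nfsd/nfs4xdr.c, and "NFSD:" would point an administrator at the server side.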