提交 676e4ebd 编写于 作者: C Chuck Lever 提交者: J. Bruce Fields

NFSD: SECINFO doesn't handle unsupported pseudoflavors correctly

If nfsd4_do_encode_secinfo() can't find GSS info that matches an
export security flavor, it assumes the flavor is not a GSS
pseudoflavor, and simply puts it on the wire.

However, if this XDR encoding logic is given a legitimate GSS
pseudoflavor but the RPC layer says it does not support that
pseudoflavor for some reason, then the server leaks GSS pseudoflavor
numbers onto the wire.

I confirmed this happens by blacklisting rpcsec_gss_krb5, then
attempted a client transition from the pseudo-fs to a Kerberos-only
share.  The client received a flavor list containing the Kerberos
pseudoflavor numbers, rather than GSS tuples.

The encoder logic can check that each pseudoflavor in flavs[] is
less than MAXFLAVOR before writing it into the buffer, to prevent
this.  But after "nflavs" is written into the XDR buffer, the
encoder can't skip writing flavor information into the buffer when
it discovers the RPC layer doesn't support that flavor.

So count the number of valid flavors as they are written into the
XDR buffer, then write that count into a placeholder in the XDR
buffer when all recognized flavors have been encoded.
Signed-off-by: NChuck Lever <chuck.lever@oracle.com>
Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
上级 ed9411a0
...@@ -3085,10 +3085,11 @@ static __be32 ...@@ -3085,10 +3085,11 @@ static __be32
nfsd4_do_encode_secinfo(struct nfsd4_compoundres *resp, nfsd4_do_encode_secinfo(struct nfsd4_compoundres *resp,
__be32 nfserr, struct svc_export *exp) __be32 nfserr, struct svc_export *exp)
{ {
u32 i, nflavs; u32 i, nflavs, supported;
struct exp_flavor_info *flavs; struct exp_flavor_info *flavs;
struct exp_flavor_info def_flavs[2]; struct exp_flavor_info def_flavs[2];
__be32 *p; __be32 *p, *flavorsp;
static bool report = true;
if (nfserr) if (nfserr)
goto out; goto out;
...@@ -3112,13 +3113,17 @@ nfsd4_do_encode_secinfo(struct nfsd4_compoundres *resp, ...@@ -3112,13 +3113,17 @@ nfsd4_do_encode_secinfo(struct nfsd4_compoundres *resp,
} }
} }
supported = 0;
RESERVE_SPACE(4); RESERVE_SPACE(4);
WRITE32(nflavs); flavorsp = p++; /* to be backfilled later */
ADJUST_ARGS(); ADJUST_ARGS();
for (i = 0; i < nflavs; i++) { for (i = 0; i < nflavs; i++) {
rpc_authflavor_t pf = flavs[i].pseudoflavor;
struct rpcsec_gss_info info; struct rpcsec_gss_info info;
if (rpcauth_get_gssinfo(flavs[i].pseudoflavor, &info) == 0) { if (rpcauth_get_gssinfo(pf, &info) == 0) {
supported++;
RESERVE_SPACE(4 + 4 + info.oid.len + 4 + 4); RESERVE_SPACE(4 + 4 + info.oid.len + 4 + 4);
WRITE32(RPC_AUTH_GSS); WRITE32(RPC_AUTH_GSS);
WRITE32(info.oid.len); WRITE32(info.oid.len);
...@@ -3126,13 +3131,22 @@ nfsd4_do_encode_secinfo(struct nfsd4_compoundres *resp, ...@@ -3126,13 +3131,22 @@ nfsd4_do_encode_secinfo(struct nfsd4_compoundres *resp,
WRITE32(info.qop); WRITE32(info.qop);
WRITE32(info.service); WRITE32(info.service);
ADJUST_ARGS(); ADJUST_ARGS();
} else { } else if (pf < RPC_AUTH_MAXFLAVOR) {
supported++;
RESERVE_SPACE(4); RESERVE_SPACE(4);
WRITE32(flavs[i].pseudoflavor); WRITE32(pf);
ADJUST_ARGS(); ADJUST_ARGS();
} else {
if (report)
pr_warn("NFS: SECINFO: security flavor %u "
"is not supported\n", pf);
} }
} }
if (nflavs != supported)
report = false;
*flavorsp = htonl(supported);
out: out:
if (exp) if (exp)
exp_put(exp); exp_put(exp);
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册