Commit 72a1e53a authored by Chuck Lever's avatar Chuck Lever

SUNRPC: Use xdr_stream for encoding GSS reply verifiers

Done as part of hardening the server-side RPC header encoding path.
Reviewed-by: default avatarJeff Layton <jlayton@kernel.org>
Signed-off-by: default avatarChuck Lever <chuck.lever@oracle.com>
parent b2f42f1d
...@@ -693,28 +693,6 @@ static bool gss_check_seq_num(const struct svc_rqst *rqstp, struct rsc *rsci, ...@@ -693,28 +693,6 @@ static bool gss_check_seq_num(const struct svc_rqst *rqstp, struct rsc *rsci,
goto out; goto out;
} }
static inline u32 round_up_to_quad(u32 i)
{
return (i + 3 ) & ~3;
}
static inline int
svc_safe_putnetobj(struct kvec *resv, struct xdr_netobj *o)
{
u8 *p;
if (resv->iov_len + 4 > PAGE_SIZE)
return -1;
svc_putnl(resv, o->len);
p = resv->iov_base + resv->iov_len;
resv->iov_len += round_up_to_quad(o->len);
if (resv->iov_len > PAGE_SIZE)
return -1;
memcpy(p, o->data, o->len);
memset(p + o->len, 0, round_up_to_quad(o->len) - o->len);
return 0;
}
/* /*
* Decode and verify a Call's verifier field. For RPC_AUTH_GSS Calls, * Decode and verify a Call's verifier field. For RPC_AUTH_GSS Calls,
* the body of this field contains a variable length checksum. * the body of this field contains a variable length checksum.
...@@ -772,42 +750,6 @@ svcauth_gss_verify_header(struct svc_rqst *rqstp, struct rsc *rsci, ...@@ -772,42 +750,6 @@ svcauth_gss_verify_header(struct svc_rqst *rqstp, struct rsc *rsci,
return SVC_OK; return SVC_OK;
} }
static int
gss_write_verf(struct svc_rqst *rqstp, struct gss_ctx *ctx_id, u32 seq)
{
__be32 *xdr_seq;
u32 maj_stat;
struct xdr_buf verf_data;
struct xdr_netobj mic;
__be32 *p;
struct kvec iov;
int err = -1;
svc_putnl(rqstp->rq_res.head, RPC_AUTH_GSS);
xdr_seq = kmalloc(4, GFP_KERNEL);
if (!xdr_seq)
return -ENOMEM;
*xdr_seq = htonl(seq);
iov.iov_base = xdr_seq;
iov.iov_len = 4;
xdr_buf_from_iov(&iov, &verf_data);
p = rqstp->rq_res.head->iov_base + rqstp->rq_res.head->iov_len;
mic.data = (u8 *)(p + 1);
maj_stat = gss_get_mic(ctx_id, &verf_data, &mic);
if (maj_stat != GSS_S_COMPLETE)
goto out;
*p++ = htonl(mic.len);
memset((u8 *)p + mic.len, 0, round_up_to_quad(mic.len) - mic.len);
p += XDR_QUADLEN(mic.len);
if (!xdr_ressize_check(rqstp, p))
goto out;
err = 0;
out:
kfree(xdr_seq);
return err;
}
/* /*
* Construct and encode a Reply's verifier field. The verifier's body * Construct and encode a Reply's verifier field. The verifier's body
* field contains a variable-length checksum of the GSS sequence * field contains a variable-length checksum of the GSS sequence
...@@ -1454,8 +1396,6 @@ svcauth_gss_proc_init(struct svc_rqst *rqstp, struct rpc_gss_wire_cred *gc) ...@@ -1454,8 +1396,6 @@ svcauth_gss_proc_init(struct svc_rqst *rqstp, struct rpc_gss_wire_cred *gc)
u32 flavor, len; u32 flavor, len;
void *body; void *body;
svcxdr_init_encode(rqstp);
/* Call's verf field: */ /* Call's verf field: */
if (xdr_stream_decode_opaque_auth(xdr, &flavor, &body, &len) < 0) if (xdr_stream_decode_opaque_auth(xdr, &flavor, &body, &len) < 0)
return SVC_GARBAGE; return SVC_GARBAGE;
...@@ -1642,15 +1582,15 @@ svcauth_gss_decode_credbody(struct xdr_stream *xdr, ...@@ -1642,15 +1582,15 @@ svcauth_gss_decode_credbody(struct xdr_stream *xdr,
static int static int
svcauth_gss_accept(struct svc_rqst *rqstp) svcauth_gss_accept(struct svc_rqst *rqstp)
{ {
struct kvec *resv = &rqstp->rq_res.head[0];
struct gss_svc_data *svcdata = rqstp->rq_auth_data; struct gss_svc_data *svcdata = rqstp->rq_auth_data;
__be32 *rpcstart; __be32 *rpcstart;
struct rpc_gss_wire_cred *gc; struct rpc_gss_wire_cred *gc;
struct rsc *rsci = NULL; struct rsc *rsci = NULL;
__be32 *reject_stat = resv->iov_base + resv->iov_len;
int ret; int ret;
struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id); struct sunrpc_net *sn = net_generic(SVC_NET(rqstp), sunrpc_net_id);
svcxdr_init_encode(rqstp);
rqstp->rq_auth_stat = rpc_autherr_badcred; rqstp->rq_auth_stat = rpc_autherr_badcred;
if (!svcdata) if (!svcdata)
svcdata = kmalloc(sizeof(*svcdata), GFP_KERNEL); svcdata = kmalloc(sizeof(*svcdata), GFP_KERNEL);
...@@ -1700,28 +1640,25 @@ svcauth_gss_accept(struct svc_rqst *rqstp) ...@@ -1700,28 +1640,25 @@ svcauth_gss_accept(struct svc_rqst *rqstp)
/* now act upon the command: */ /* now act upon the command: */
switch (gc->gc_proc) { switch (gc->gc_proc) {
case RPC_GSS_PROC_DESTROY: case RPC_GSS_PROC_DESTROY:
if (gss_write_verf(rqstp, rsci->mechctx, gc->gc_seq)) if (!svcauth_gss_encode_verf(rqstp, rsci->mechctx, gc->gc_seq))
goto auth_err; goto auth_err;
/* Delete the entry from the cache_list and call cache_put */ /* Delete the entry from the cache_list and call cache_put */
sunrpc_cache_unhash(sn->rsc_cache, &rsci->h); sunrpc_cache_unhash(sn->rsc_cache, &rsci->h);
if (resv->iov_len + 4 > PAGE_SIZE) if (xdr_stream_encode_u32(&rqstp->rq_res_stream, RPC_SUCCESS) < 0)
goto drop; goto auth_err;
svc_putnl(resv, RPC_SUCCESS);
goto complete; goto complete;
case RPC_GSS_PROC_DATA: case RPC_GSS_PROC_DATA:
rqstp->rq_auth_stat = rpcsec_gsserr_ctxproblem; rqstp->rq_auth_stat = rpcsec_gsserr_ctxproblem;
svcdata->verf_start = resv->iov_base + resv->iov_len; svcdata->verf_start = xdr_reserve_space(&rqstp->rq_res_stream, 0);
if (gss_write_verf(rqstp, rsci->mechctx, gc->gc_seq)) if (!svcauth_gss_encode_verf(rqstp, rsci->mechctx, gc->gc_seq))
goto auth_err; goto auth_err;
rqstp->rq_cred = rsci->cred; rqstp->rq_cred = rsci->cred;
get_group_info(rsci->cred.cr_group_info); get_group_info(rsci->cred.cr_group_info);
rqstp->rq_auth_stat = rpc_autherr_badcred; rqstp->rq_auth_stat = rpc_autherr_badcred;
switch (gc->gc_svc) { switch (gc->gc_svc) {
case RPC_GSS_SVC_NONE: case RPC_GSS_SVC_NONE:
svcxdr_init_encode(rqstp);
break; break;
case RPC_GSS_SVC_INTEGRITY: case RPC_GSS_SVC_INTEGRITY:
svcxdr_init_encode(rqstp);
/* placeholders for body length and seq. number: */ /* placeholders for body length and seq. number: */
xdr_reserve_space(&rqstp->rq_res_stream, XDR_UNIT * 2); xdr_reserve_space(&rqstp->rq_res_stream, XDR_UNIT * 2);
if (svcauth_gss_unwrap_integ(rqstp, gc->gc_seq, if (svcauth_gss_unwrap_integ(rqstp, gc->gc_seq,
...@@ -1730,7 +1667,6 @@ svcauth_gss_accept(struct svc_rqst *rqstp) ...@@ -1730,7 +1667,6 @@ svcauth_gss_accept(struct svc_rqst *rqstp)
svcxdr_set_auth_slack(rqstp, RPC_MAX_AUTH_SIZE); svcxdr_set_auth_slack(rqstp, RPC_MAX_AUTH_SIZE);
break; break;
case RPC_GSS_SVC_PRIVACY: case RPC_GSS_SVC_PRIVACY:
svcxdr_init_encode(rqstp);
/* placeholders for body length and seq. number: */ /* placeholders for body length and seq. number: */
xdr_reserve_space(&rqstp->rq_res_stream, XDR_UNIT * 2); xdr_reserve_space(&rqstp->rq_res_stream, XDR_UNIT * 2);
if (svcauth_gss_unwrap_priv(rqstp, gc->gc_seq, if (svcauth_gss_unwrap_priv(rqstp, gc->gc_seq,
...@@ -1755,8 +1691,7 @@ svcauth_gss_accept(struct svc_rqst *rqstp) ...@@ -1755,8 +1691,7 @@ svcauth_gss_accept(struct svc_rqst *rqstp)
ret = SVC_GARBAGE; ret = SVC_GARBAGE;
goto out; goto out;
auth_err: auth_err:
/* Restore write pointer to its original value: */ xdr_truncate_encode(&rqstp->rq_res_stream, XDR_UNIT * 2);
xdr_ressize_check(rqstp, reject_stat);
ret = SVC_DENIED; ret = SVC_DENIED;
goto out; goto out;
complete: complete:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment