Commit d0743871 authored by Scott Mayhew's avatar Scott Mayhew Committed by Jiri Slaby

svcrpc: fix potential GSSX_ACCEPT_SEC_CONTEXT decoding failures

commit 9507271d upstream.

In an environment where the KDC is running Active Directory, the
exported composite name field returned in the context could be large
enough to span a page boundary.  Attaching a scratch buffer to the
decoding xdr_stream helps deal with those cases.

The case where we saw this was actually due to behavior that's been
fixed in newer gss-proxy versions, but we're fixing it here too.
Signed-off-by: default avatarScott Mayhew <smayhew@redhat.com>
Reviewed-by: default avatarSimo Sorce <simo@redhat.com>
Signed-off-by: default avatarJ. Bruce Fields <bfields@redhat.com>
Signed-off-by: default avatarJiri Slaby <jslaby@suse.cz>
parent caf4b0e7
...@@ -794,20 +794,26 @@ int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, ...@@ -794,20 +794,26 @@ int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp,
{ {
u32 value_follows; u32 value_follows;
int err; int err;
struct page *scratch;
scratch = alloc_page(GFP_KERNEL);
if (!scratch)
return -ENOMEM;
xdr_set_scratch_buffer(xdr, page_address(scratch), PAGE_SIZE);
/* res->status */ /* res->status */
err = gssx_dec_status(xdr, &res->status); err = gssx_dec_status(xdr, &res->status);
if (err) if (err)
return err; goto out_free;
/* res->context_handle */ /* res->context_handle */
err = gssx_dec_bool(xdr, &value_follows); err = gssx_dec_bool(xdr, &value_follows);
if (err) if (err)
return err; goto out_free;
if (value_follows) { if (value_follows) {
err = gssx_dec_ctx(xdr, res->context_handle); err = gssx_dec_ctx(xdr, res->context_handle);
if (err) if (err)
return err; goto out_free;
} else { } else {
res->context_handle = NULL; res->context_handle = NULL;
} }
...@@ -815,11 +821,11 @@ int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, ...@@ -815,11 +821,11 @@ int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp,
/* res->output_token */ /* res->output_token */
err = gssx_dec_bool(xdr, &value_follows); err = gssx_dec_bool(xdr, &value_follows);
if (err) if (err)
return err; goto out_free;
if (value_follows) { if (value_follows) {
err = gssx_dec_buffer(xdr, res->output_token); err = gssx_dec_buffer(xdr, res->output_token);
if (err) if (err)
return err; goto out_free;
} else { } else {
res->output_token = NULL; res->output_token = NULL;
} }
...@@ -827,14 +833,17 @@ int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, ...@@ -827,14 +833,17 @@ int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp,
/* res->delegated_cred_handle */ /* res->delegated_cred_handle */
err = gssx_dec_bool(xdr, &value_follows); err = gssx_dec_bool(xdr, &value_follows);
if (err) if (err)
return err; goto out_free;
if (value_follows) { if (value_follows) {
/* we do not support upcall servers sending this data. */ /* we do not support upcall servers sending this data. */
return -EINVAL; err = -EINVAL;
goto out_free;
} }
/* res->options */ /* res->options */
err = gssx_dec_option_array(xdr, &res->options); err = gssx_dec_option_array(xdr, &res->options);
out_free:
__free_page(scratch);
return err; return err;
} }
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment