[PATCH] svcauth_gss oops fix

From: "J. Bruce Fields" <bfields@fieldses.org> I've done some testing with 2.6.4-rc1. It looks fine, except that one critical patch got dropped somewhere along the way, without which rpcsec_gss will oops. We've changed gss_get_mic to write mic in place instead of kmalloc'ing new memory for it; change must also be reflected in server side code.

[PATCH] svcauth_gss oops fix
From: "J. Bruce Fields" <bfields@fieldses.org> I've done some testing with 2.6.4-rc1. It looks fine, except that one critical patch got dropped somewhere along the way, without which rpcsec_gss will oops. We've changed gss_get_mic to write mic in place instead of kmalloc'ing new memory for it; change must also be reflected in server side code.
6089e858 · Andrew Morton · Jaroslav Kysela · 643ac501 · 6089e858
Commit 6089e858 authored Mar 06, 2004 by Andrew Morton Committed by Jaroslav Kysela Mar 06, 2004
Show whitespace changes
Inline Side-by-side

Showing with 4 additions and 3 deletions

net/sunrpc/auth_gss/svcauth_gss.c net/sunrpc/auth_gss/svcauth_gss.c +4 -3

No files found.
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -594,12 +594,13 @@ gss_write_verf(struct svc_rqst *rqstp, struct gss_ctx *ctx_id, u32 seq)
 	iov.iov_len = sizeof(xdr_seq);
 	xdr_buf_from_iov(&iov, &verf_data);
 	p = rqstp->rq_res.head->iov_base + rqstp->rq_res.head->iov_len;
+	mic.data = (u8 *)(p + 1);
 	maj_stat = gss_get_mic(ctx_id, 0, &verf_data, &mic);
 	if (maj_stat != GSS_S_COMPLETE)
 		return -1;
-	p = xdr_encode_netobj(rqstp->rq_res.head->iov_base
+	*p++ = htonl(mic.len);
-				+ rqstp->rq_res.head->iov_len, &mic);
+	memset((u8 *)p + mic.len, 0, round_up_to_quad(mic.len) - mic.len);
-	kfree(mic.data);
+	p += XDR_QUADLEN(mic.len);
 	if (!xdr_ressize_check(rqstp, p))
 		return -1;
 	return 0;