
svcrpc: fix handling of garbage args

To return garbage_args, the accept_stat must be 0, and we must have a
verifier. So we shouldn't be resetting the write pointer as we reject
the call.

Also, we must add the two placeholder words here regardless of success
of the unwrap, to ensure the output buffer is left in a consistent state
for svcauth_gss_release().

This fixes a BUG() in svcauth_gss.c:svcauth_gss_release().

Thanks to Aime Le Rouzic for bug report, debugging help, and testing.

Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Tested-by: Aime Le Rouzic <aime.le-rouzic@bull.net>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by

J. Bruce Fields and committed by
Linus Torvalds
b620754b 97055a91

+5 -7
+5 -7
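--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1144,20 +1144,20 @@
 case RPC_GSS_SVC_NONE:
 break;
 case RPC_GSS_SVC_INTEGRITY:
+/* placeholders for length and seq. number: */
+svc_putnl(resv, 0);
+svc_putnl(resv, 0);
 if (unwrap_integ_data(&rqstp->rq_arg,
 gc->gc_seq, rsci->mechctx))
 goto garbage_args;
+break;
+case RPC_GSS_SVC_PRIVACY:
 /* placeholders for length and seq. number: */
 svc_putnl(resv, 0);
 svc_putnl(resv, 0);
-break;
-case RPC_GSS_SVC_PRIVACY:
 if (unwrap_priv_data(rqstp, &rqstp->rq_arg,
 gc->gc_seq, rsci->mechctx))
 goto garbage_args;
-/* placeholders for length and seq. number: */
-svc_putnl(resv, 0);
-svc_putnl(resv, 0);
 break;
 default:
 goto auth_err;
@@ -1170,8 +1170,6 @@
 goto out;
 }
 garbage_args:
-/* Restore write pointer to its original value: */
-xdr_ressize_check(rqstp, reject_stat);
 ret = SVC_GARBAGE;
 goto out;
 auth_err: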
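Review bot: The two `svc_putnl(resv, 0)` placeholder writes in the RPC_GSS_SVC_INTEGRITY and RPC_GSS_SVC_PRIVACY cases must now come before the unwrap call, but the comment above them still says only what they are, not why the order matters. Per the commit description, svcauth_gss_release() hit a BUG() when these words were missing after a failed unwrap. That path looks reachable from malformed client arguments, so a later tidy-up that moves the writes back below the unwrap would presumably reintroduce the crash. I would extend the comment in both cases to something like `/* placeholders for length and seq. number; written before unwrap so svcauth_gss_release() finds them on the garbage_args path too: */`. The `garbage_args:` label also lost its only comment, so a line such as `/* keep the verifier: garbage_args is sent with accept_stat 0 */` would record why the write pointer is no longer reset there. The enclosing function starts and ends outside both hunks, so how `resv` and `reject_stat` are set up cannot be checked from here.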