tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

SUNRPC: Convert svcauth_null_accept() to use xdr_stream

Done as part of hardening the server-side RPC header decoding path.

Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

Chuck Lever bee13639 846b5756

+25 -8
+25 -8
net/sunrpc/svcauth_unix.c
··· 729 729 730 730 EXPORT_SYMBOL_GPL(svcauth_unix_set_client); 731 731 732 + /** 733 + * svcauth_null_accept - Decode and validate incoming RPC_AUTH_NULL credential 734 + * @rqstp: RPC transaction 735 + * 736 + * Return values: 737 + * %SVC_OK: Both credential and verifier are valid 738 + * %SVC_DENIED: Credential or verifier is not valid 739 + * %SVC_GARBAGE: Failed to decode credential or verifier 740 + * %SVC_CLOSE: Temporary failure 741 + * 742 + * rqstp->rq_auth_stat is set as mandated by RFC 5531. 743 + */ 732 744 static int 733 745 svcauth_null_accept(struct svc_rqst *rqstp) 734 746 { 735 - struct kvec *argv = &rqstp->rq_arg.head[0]; 736 747 struct kvec *resv = &rqstp->rq_res.head[0]; 748 + struct xdr_stream *xdr = &rqstp->rq_arg_stream; 737 749 struct svc_cred *cred = &rqstp->rq_cred; 750 + u32 flavor, len; 751 + void *body; 738 752 739 - if (argv->iov_len < 3*4) 753 + svcxdr_init_decode(rqstp); 754 + 755 + /* Length of Call's credential body field: */ 756 + if (xdr_stream_decode_u32(xdr, &len) < 0) 740 757 return SVC_GARBAGE; 741 - 742 - if (svc_getu32(argv) != 0) { 743 - dprintk("svc: bad null cred\n"); 758 + if (len != 0) { 744 759 rqstp->rq_auth_stat = rpc_autherr_badcred; 745 760 return SVC_DENIED; 746 761 } 747 - if (svc_getu32(argv) != htonl(RPC_AUTH_NULL) || svc_getu32(argv) != 0) { 748 - dprintk("svc: bad null verf\n"); 762 + 763 + /* Call's verf field: */ 764 + if (xdr_stream_decode_opaque_auth(xdr, &flavor, &body, &len) < 0) 765 + return SVC_GARBAGE; 766 + if (flavor != RPC_AUTH_NULL || len != 0) { 749 767 rqstp->rq_auth_stat = rpc_autherr_badverf; 750 768 return SVC_DENIED; 751 769 } ··· 780 762 svc_putnl(resv, 0); 781 763 782 764 rqstp->rq_cred.cr_flavor = RPC_AUTH_NULL; 783 - svcxdr_init_decode(rqstp); 784 765 return SVC_OK; 785 766 } 786 767