nfs-utils-1.2.0: insecure option and port range checking.

nfs-utils-1.2.0: insecure option and port range checking.

[Robert Gordon]

I noticed that the insecure option validates that the client port is a  
subset of IPPORT_RESERVED as opposed to just validating it is a valid  
reserved port. The following proposed patch would correct that issue.  
Would anyone care to comment ? ..

# diff utils/mountd/auth.c utils/mountd/auth.c.orig
171a172
 > 		    (ntohs(caller->sin_port) <  IPPORT_RESERVED/2 ||

--
Robert. 

Re: nfs-utils-1.2.0: insecure option and port range checking.

[Jeff Layton]

On Tue, 13 Oct 2009 12:56:29 -0500
Robert Gordon <rbg-dkEPNP4dzOJBDgjK7y7TUQ@public.gmane.org> wrote:

> 
> I noticed that the insecure option validates that the client port is a  
> subset of IPPORT_RESERVED as opposed to just validating it is a valid  
> reserved port. The following proposed patch would correct that issue.  
> Would anyone care to comment ? ..
> 
> # diff utils/mountd/auth.c utils/mountd/auth.c.orig
> 171a172
>  > 		    (ntohs(caller->sin_port) <  IPPORT_RESERVED/2 ||
> 

Ack on the idea, but you should probably send that patch as a unified
diff...

The only thing I can figure is that someone wanted to verify that the
call came from the ephemeral port range. But that's somewhat of a
nebulous concept when you mix in clients from other OS's...

I don't see any reason why we'd care that the calling port is "too"
low.

-- 
Jeff Layton <jlayton@redhat.com>

Re: nfs-utils-1.2.0: insecure option and port range checking.

[Steve Dickson]

On 10/13/2009 01:56 PM, Robert Gordon wrote:
> 
> I noticed that the insecure option validates that the client port is a
> subset of IPPORT_RESERVED as opposed to just validating it is a valid
> reserved port. The following proposed patch would correct that issue.
> Would anyone care to comment ? ..
> 
> # diff utils/mountd/auth.c utils/mountd/auth.c.orig
> 171a172
>>             (ntohs(caller->sin_port) <  IPPORT_RESERVED/2 ||
> 
What version of nfs-utils are you using and please generate a proper
patch (via gendiff) with a proper 'Signed-off-by:' label...

tia,

steved.

Re: nfs-utils-1.2.0: insecure option and port range checking.

[Robert Gordon]

On Oct 13, 2009, at 1:09 PM, Steve Dickson wrote:

>
>
> On 10/13/2009 01:56 PM, Robert Gordon wrote:
>>
>> I noticed that the insecure option validates that the client port  
>> is a
>> subset of IPPORT_RESERVED as opposed to just validating it is a valid
>> reserved port. The following proposed patch would correct that issue.
>> Would anyone care to comment ? ..
>>
>> # diff utils/mountd/auth.c utils/mountd/auth.c.orig
>> 171a172
>>>            (ntohs(caller->sin_port) <  IPPORT_RESERVED/2 ||
>>
> What version of nfs-utils are you using and please generate a proper
> patch (via gendiff) with a proper 'Signed-off-by:' label...

Per the subject: it's 1.2.0 and here (hopefully) is the correct format  
(my first venture in generating a patch for linux, so it's a little  
new to me..)

Robert
-- 

Signed-off-by: Robert Gordon <rbg-dkEPNP4dzOJBDgjK7y7TUQ@public.gmane.org>

diff -up utils/mountd/auth.c.orig utils/mountd/auth.c
--- utils/mountd/auth.c.orig    2009-10-13 12:49:03.000000000 -0500
+++ utils/mountd/auth.c 2009-10-13 12:49:32.000000000 -0500
@@ -169,7 +169,6 @@ auth_authenticate_internal(char *what, s
                 }
         }
         if (!(exp->m_export.e_flags & NFSEXP_INSECURE_PORT) &&
-                   (ntohs(caller->sin_port) <  IPPORT_RESERVED/2 ||
                      ntohs(caller->sin_port) >= IPPORT_RESERVED)) {
                 *error = illegal_port;
                 return NULL;