* nfs-utils-1.2.0: insecure option and port range checking.
@ 2009-10-13 17:56 Robert Gordon
[not found] ` <ADD0E404-49A2-49AA-A3A1-A7065243E14E-dkEPNP4dzOJBDgjK7y7TUQ@public.gmane.org>
0 siblings, 1 reply; 4+ messages in thread
From: Robert Gordon @ 2009-10-13 17:56 UTC (permalink / raw)
To: linux-nfs
I noticed that the insecure option validates that the client port is a
subset of IPPORT_RESERVED as opposed to just validating it is a valid
reserved port. The following proposed patch would correct that issue.
Would anyone care to comment ? ..
# diff utils/mountd/auth.c utils/mountd/auth.c.orig
171a172
> (ntohs(caller->sin_port) < IPPORT_RESERVED/2 ||
--
Robert.
^ permalink raw reply [flat|nested] 4+ messages in thread[parent not found: <ADD0E404-49A2-49AA-A3A1-A7065243E14E-dkEPNP4dzOJBDgjK7y7TUQ@public.gmane.org>]
* Re: nfs-utils-1.2.0: insecure option and port range checking. [not found] ` <ADD0E404-49A2-49AA-A3A1-A7065243E14E-dkEPNP4dzOJBDgjK7y7TUQ@public.gmane.org> @ 2009-10-13 18:07 ` Jeff Layton 2009-10-13 18:09 ` Steve Dickson 1 sibling, 0 replies; 4+ messages in thread From: Jeff Layton @ 2009-10-13 18:07 UTC (permalink / raw) To: Robert Gordon; +Cc: linux-nfs On Tue, 13 Oct 2009 12:56:29 -0500 Robert Gordon <rbg-dkEPNP4dzOJBDgjK7y7TUQ@public.gmane.org> wrote: > > I noticed that the insecure option validates that the client port is a > subset of IPPORT_RESERVED as opposed to just validating it is a valid > reserved port. The following proposed patch would correct that issue. > Would anyone care to comment ? .. > > # diff utils/mountd/auth.c utils/mountd/auth.c.orig > 171a172 > > (ntohs(caller->sin_port) < IPPORT_RESERVED/2 || > Ack on the idea, but you should probably send that patch as a unified diff... The only thing I can figure is that someone wanted to verify that the call came from the ephemeral port range. But that's somewhat of a nebulous concept when you mix in clients from other OS's... I don't see any reason why we'd care that the calling port is "too" low. -- Jeff Layton <jlayton@redhat.com> ^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: nfs-utils-1.2.0: insecure option and port range checking. [not found] ` <ADD0E404-49A2-49AA-A3A1-A7065243E14E-dkEPNP4dzOJBDgjK7y7TUQ@public.gmane.org> 2009-10-13 18:07 ` Jeff Layton @ 2009-10-13 18:09 ` Steve Dickson [not found] ` <4AD4C26C.2030002-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org> 1 sibling, 1 reply; 4+ messages in thread From: Steve Dickson @ 2009-10-13 18:09 UTC (permalink / raw) To: Robert Gordon; +Cc: linux-nfs On 10/13/2009 01:56 PM, Robert Gordon wrote: > > I noticed that the insecure option validates that the client port is a > subset of IPPORT_RESERVED as opposed to just validating it is a valid > reserved port. The following proposed patch would correct that issue. > Would anyone care to comment ? .. > > # diff utils/mountd/auth.c utils/mountd/auth.c.orig > 171a172 >> (ntohs(caller->sin_port) < IPPORT_RESERVED/2 || > What version of nfs-utils are you using and please generate a proper patch (via gendiff) with a proper 'Signed-off-by:' label... tia, steved. ^ permalink raw reply [flat|nested] 4+ messages in thread
[parent not found: <4AD4C26C.2030002-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>]
* Re: nfs-utils-1.2.0: insecure option and port range checking. [not found] ` <4AD4C26C.2030002-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org> @ 2009-10-13 23:46 ` Robert Gordon 0 siblings, 0 replies; 4+ messages in thread From: Robert Gordon @ 2009-10-13 23:46 UTC (permalink / raw) To: linux-nfs On Oct 13, 2009, at 1:09 PM, Steve Dickson wrote: > > > On 10/13/2009 01:56 PM, Robert Gordon wrote: >> >> I noticed that the insecure option validates that the client port >> is a >> subset of IPPORT_RESERVED as opposed to just validating it is a valid >> reserved port. The following proposed patch would correct that issue. >> Would anyone care to comment ? .. >> >> # diff utils/mountd/auth.c utils/mountd/auth.c.orig >> 171a172 >>> (ntohs(caller->sin_port) < IPPORT_RESERVED/2 || >> > What version of nfs-utils are you using and please generate a proper > patch (via gendiff) with a proper 'Signed-off-by:' label... Per the subject: it's 1.2.0 and here (hopefully) is the correct format (my first venture in generating a patch for linux, so it's a little new to me..) Robert -- Signed-off-by: Robert Gordon <rbg-dkEPNP4dzOJBDgjK7y7TUQ@public.gmane.org> diff -up utils/mountd/auth.c.orig utils/mountd/auth.c --- utils/mountd/auth.c.orig 2009-10-13 12:49:03.000000000 -0500 +++ utils/mountd/auth.c 2009-10-13 12:49:32.000000000 -0500 @@ -169,7 +169,6 @@ auth_authenticate_internal(char *what, s } } if (!(exp->m_export.e_flags & NFSEXP_INSECURE_PORT) && - (ntohs(caller->sin_port) < IPPORT_RESERVED/2 || ntohs(caller->sin_port) >= IPPORT_RESERVED)) { *error = illegal_port; return NULL; ^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2009-10-13 23:47 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-10-13 17:56 nfs-utils-1.2.0: insecure option and port range checking Robert Gordon
[not found] ` <ADD0E404-49A2-49AA-A3A1-A7065243E14E-dkEPNP4dzOJBDgjK7y7TUQ@public.gmane.org>
2009-10-13 18:07 ` Jeff Layton
2009-10-13 18:09 ` Steve Dickson
[not found] ` <4AD4C26C.2030002-AfCzQyP5zfLQT0dZR+AlfA@public.gmane.org>
2009-10-13 23:46 ` Robert Gordon
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.