From: Trond Myklebust <trond.myklebust@fys.uio.no>
To: Bian Naimeng <biannm@cn.fujitsu.com>
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH 1/2]gss:krb5 miss returning error to caller when import security context
Date: Tue, 07 Sep 2010 14:35:02 -0400 [thread overview]
Message-ID: <1283884502.2788.60.camel@heimdal.trondhjem.org> (raw)
In-Reply-To: <4C8461BA.5050208@cn.fujitsu.com>
On Mon, 2010-09-06 at 11:36 +0800, Bian Naimeng wrote:
> krb5 miss returning error to up layer when import security context,
> it may be return ok though it has failed to import security context.
>
> Signed-off-by: Bian Naimeng <biannm@cn.fujitsu.com>
>
> ----
>
> diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c
> index 0326446..778e5df 100644
> --- a/net/sunrpc/auth_gss/gss_krb5_mech.c
> +++ b/net/sunrpc/auth_gss/gss_krb5_mech.c
> @@ -237,6 +237,7 @@ get_key(const void *p, const void *end,
> if (!supported_gss_krb5_enctype(alg)) {
> printk(KERN_WARNING "gss_kerberos_mech: unsupported "
> "encryption key algorithm %d\n", alg);
> + p = ERR_PTR(-EINVAL);
> goto out_err;
> }
> p = simple_get_netobj(p, end, &key);
> @@ -282,15 +283,19 @@ gss_import_v1_context(const void *p, const void *end, struct krb5_ctx *ctx)
> ctx->enctype = ENCTYPE_DES_CBC_RAW;
>
> ctx->gk5e = get_gss_krb5_enctype(ctx->enctype);
> - if (ctx->gk5e == NULL)
> + if (ctx->gk5e == NULL) {
> + p = ERR_PTR(-EINVAL);
> goto out_err;
> + }
>
> /* The downcall format was designed before we completely understood
> * the uses of the context fields; so it includes some stuff we
> * just give some minimal sanity-checking, and some we ignore
> * completely (like the next twenty bytes): */
> - if (unlikely(p + 20 > end || p + 20 < p))
> + if (unlikely(p + 20 > end || p + 20 < p)) {
> + p = ERR_PTR(-EFAULT);
> goto out_err;
> + }
> p += 20;
> p = simple_get_bytes(p, end, &tmp, sizeof(tmp));
> if (IS_ERR(p))
> @@ -619,6 +624,7 @@ gss_import_v2_context(const void *p, const void *end, struct krb5_ctx *ctx,
> if (ctx->seq_send64 != ctx->seq_send) {
> dprintk("%s: seq_send64 %lx, seq_send %x overflow?\n", __func__,
> (long unsigned)ctx->seq_send64, ctx->seq_send);
> + p = ERR_PTR(-EINVAL);
> goto out_err;
> }
> p = simple_get_bytes(p, end, &ctx->enctype, sizeof(ctx->enctype));
>
Those all look good. Applied!
Thanks for spotting them!
Trond
next prev parent reply other threads:[~2010-09-07 18:35 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-06 3:34 [PATCH 0/2]gss:gss miss returning error to caller when import security context Bian Naimeng
2010-09-06 3:36 ` [PATCH 1/2]gss:krb5 " Bian Naimeng
2010-09-07 18:35 ` Trond Myklebust [this message]
2010-09-06 3:38 ` [PATCH 2/2]gss:spkm3 " Bian Naimeng
2010-09-07 18:36 ` Trond Myklebust
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1283884502.2788.60.camel@heimdal.trondhjem.org \
--to=trond.myklebust@fys.uio.no \
--cc=biannm@cn.fujitsu.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox