[PATCH v3] Avoid buffer overruns by allocating buffer in svcauth_gss

linux-nfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH v3] Avoid buffer overruns by allocating buffer in svcauth_gss_validate()
@ 2014-05-28 19:09 Steve Dickson
  2014-05-28 19:11 ` Chuck Lever
  2014-05-29 13:43 ` [Libtirpc-devel] " Steve Dickson
  0 siblings, 2 replies; 4+ messages in thread
From: Steve Dickson @ 2014-05-28 19:09 UTC (permalink / raw)
  To: Libtirpc-devel Mailing List; +Cc: Linux NFS Mailing list

Signed-off-by: Steve Dickson <steved@redhat.com>
---
 src/svc_auth_gss.c |   14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)

diff --git a/src/svc_auth_gss.c b/src/svc_auth_gss.c
index 601a691..26c1065 100644
--- a/src/svc_auth_gss.c
+++ b/src/svc_auth_gss.c
@@ -286,21 +286,19 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
 	struct opaque_auth	*oa;
 	gss_buffer_desc		 rpcbuf, checksum;
 	OM_uint32		 maj_stat, min_stat, qop_state;
-	u_char			 rpchdr[128];
+	u_char			 *rpchdr;
 	int32_t			*buf;
 
 	gss_log_debug("in svcauth_gss_validate()");
 
-	memset(rpchdr, 0, sizeof(rpchdr));
-
 	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
 	oa = &msg->rm_call.cb_cred;
 	if (oa->oa_length > MAX_AUTH_BYTES)
 		return (FALSE);
-	
-	/* 8 XDR units from the IXDR macro calls. */
-	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
-			RNDUP(oa->oa_length)))
+
+	rpchdr = (u_char *)calloc(((8 * BYTES_PER_XDR_UNIT) + 
+			RNDUP(oa->oa_length)), 1);
+	if (rpchdr == NULL)
 		return (FALSE);
 
 	buf = (int32_t *)rpchdr;
@@ -325,6 +323,8 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
 	maj_stat = gss_verify_mic(&min_stat, gd->ctx, &rpcbuf, &checksum,
 				  &qop_state);
 
+	free(rpchdr);
+
 	if (maj_stat != GSS_S_COMPLETE) {
 		gss_log_status("gss_verify_mic", maj_stat, min_stat);
 		return (FALSE);
-- 
1.7.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread

* Re: [PATCH v3] Avoid buffer overruns by allocating buffer in svcauth_gss_validate()
  2014-05-28 19:09 [PATCH v3] Avoid buffer overruns by allocating buffer in svcauth_gss_validate() Steve Dickson
@ 2014-05-28 19:11 ` Chuck Lever
  2014-05-28 21:24   ` Steve Dickson
  2014-05-29 13:43 ` [Libtirpc-devel] " Steve Dickson
  1 sibling, 1 reply; 4+ messages in thread
From: Chuck Lever @ 2014-05-28 19:11 UTC (permalink / raw)
  To: Steve Dickson; +Cc: libtirpc List, Linux NFS Mailing List


On May 28, 2014, at 3:09 PM, Steve Dickson <steved@redhat.com> wrote:

> Signed-off-by: Steve Dickson <steved@redhat.com>

Reviewed-by: Chuck Lever <chuck.lever@oracle.com>

> ---
> src/svc_auth_gss.c |   14 +++++++-------
> 1 files changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/src/svc_auth_gss.c b/src/svc_auth_gss.c
> index 601a691..26c1065 100644
> --- a/src/svc_auth_gss.c
> +++ b/src/svc_auth_gss.c
> @@ -286,21 +286,19 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
> 	struct opaque_auth	*oa;
> 	gss_buffer_desc		 rpcbuf, checksum;
> 	OM_uint32		 maj_stat, min_stat, qop_state;
> -	u_char			 rpchdr[128];
> +	u_char			 *rpchdr;
> 	int32_t			*buf;
> 
> 	gss_log_debug("in svcauth_gss_validate()");
> 
> -	memset(rpchdr, 0, sizeof(rpchdr));
> -
> 	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
> 	oa = &msg->rm_call.cb_cred;
> 	if (oa->oa_length > MAX_AUTH_BYTES)
> 		return (FALSE);
> -	
> -	/* 8 XDR units from the IXDR macro calls. */
> -	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
> -			RNDUP(oa->oa_length)))
> +
> +	rpchdr = (u_char *)calloc(((8 * BYTES_PER_XDR_UNIT) + 
> +			RNDUP(oa->oa_length)), 1);
> +	if (rpchdr == NULL)
> 		return (FALSE);
> 
> 	buf = (int32_t *)rpchdr;
> @@ -325,6 +323,8 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
> 	maj_stat = gss_verify_mic(&min_stat, gd->ctx, &rpcbuf, &checksum,
> 				  &qop_state);
> 
> +	free(rpchdr);
> +
> 	if (maj_stat != GSS_S_COMPLETE) {
> 		gss_log_status("gss_verify_mic", maj_stat, min_stat);
> 		return (FALSE);
> -- 
> 1.7.1
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com




^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH v3] Avoid buffer overruns by allocating buffer in svcauth_gss_validate()
  2014-05-28 19:11 ` Chuck Lever
@ 2014-05-28 21:24   ` Steve Dickson
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Dickson @ 2014-05-28 21:24 UTC (permalink / raw)
  To: Chuck Lever; +Cc: libtirpc List, Linux NFS Mailing List



On 05/28/2014 03:11 PM, Chuck Lever wrote:
> 
> On May 28, 2014, at 3:09 PM, Steve Dickson <steved@redhat.com> wrote:
> 
>> Signed-off-by: Steve Dickson <steved@redhat.com>
> 
> Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Thank you... For your time! 

steved.

> 
>> ---
>> src/svc_auth_gss.c |   14 +++++++-------
>> 1 files changed, 7 insertions(+), 7 deletions(-)
>>
>> diff --git a/src/svc_auth_gss.c b/src/svc_auth_gss.c
>> index 601a691..26c1065 100644
>> --- a/src/svc_auth_gss.c
>> +++ b/src/svc_auth_gss.c
>> @@ -286,21 +286,19 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
>> 	struct opaque_auth	*oa;
>> 	gss_buffer_desc		 rpcbuf, checksum;
>> 	OM_uint32		 maj_stat, min_stat, qop_state;
>> -	u_char			 rpchdr[128];
>> +	u_char			 *rpchdr;
>> 	int32_t			*buf;
>>
>> 	gss_log_debug("in svcauth_gss_validate()");
>>
>> -	memset(rpchdr, 0, sizeof(rpchdr));
>> -
>> 	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
>> 	oa = &msg->rm_call.cb_cred;
>> 	if (oa->oa_length > MAX_AUTH_BYTES)
>> 		return (FALSE);
>> -	
>> -	/* 8 XDR units from the IXDR macro calls. */
>> -	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
>> -			RNDUP(oa->oa_length)))
>> +
>> +	rpchdr = (u_char *)calloc(((8 * BYTES_PER_XDR_UNIT) + 
>> +			RNDUP(oa->oa_length)), 1);
>> +	if (rpchdr == NULL)
>> 		return (FALSE);
>>
>> 	buf = (int32_t *)rpchdr;
>> @@ -325,6 +323,8 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
>> 	maj_stat = gss_verify_mic(&min_stat, gd->ctx, &rpcbuf, &checksum,
>> 				  &qop_state);
>>
>> +	free(rpchdr);
>> +
>> 	if (maj_stat != GSS_S_COMPLETE) {
>> 		gss_log_status("gss_verify_mic", maj_stat, min_stat);
>> 		return (FALSE);
>> -- 
>> 1.7.1
>>
>> --
>> To unsubscribe from this list: send the line "unsubscribe linux-nfs" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 
> --
> Chuck Lever
> chuck[dot]lever[at]oracle[dot]com
> 
> 
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [Libtirpc-devel] [PATCH v3] Avoid buffer overruns by allocating buffer in svcauth_gss_validate()
  2014-05-28 19:09 [PATCH v3] Avoid buffer overruns by allocating buffer in svcauth_gss_validate() Steve Dickson
  2014-05-28 19:11 ` Chuck Lever
@ 2014-05-29 13:43 ` Steve Dickson
  1 sibling, 0 replies; 4+ messages in thread
From: Steve Dickson @ 2014-05-29 13:43 UTC (permalink / raw)
  To: Libtirpc-devel Mailing List; +Cc: Linux NFS Mailing list



On 05/28/2014 03:09 PM, Steve Dickson wrote:
> Signed-off-by: Steve Dickson <steved@redhat.com>
Committed... 

steved.

> ---
>  src/svc_auth_gss.c |   14 +++++++-------
>  1 files changed, 7 insertions(+), 7 deletions(-)
> 
> diff --git a/src/svc_auth_gss.c b/src/svc_auth_gss.c
> index 601a691..26c1065 100644
> --- a/src/svc_auth_gss.c
> +++ b/src/svc_auth_gss.c
> @@ -286,21 +286,19 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
>  	struct opaque_auth	*oa;
>  	gss_buffer_desc		 rpcbuf, checksum;
>  	OM_uint32		 maj_stat, min_stat, qop_state;
> -	u_char			 rpchdr[128];
> +	u_char			 *rpchdr;
>  	int32_t			*buf;
>  
>  	gss_log_debug("in svcauth_gss_validate()");
>  
> -	memset(rpchdr, 0, sizeof(rpchdr));
> -
>  	/* XXX - Reconstruct RPC header for signing (from xdr_callmsg). */
>  	oa = &msg->rm_call.cb_cred;
>  	if (oa->oa_length > MAX_AUTH_BYTES)
>  		return (FALSE);
> -	
> -	/* 8 XDR units from the IXDR macro calls. */
> -	if (sizeof(rpchdr) < (8 * BYTES_PER_XDR_UNIT +
> -			RNDUP(oa->oa_length)))
> +
> +	rpchdr = (u_char *)calloc(((8 * BYTES_PER_XDR_UNIT) + 
> +			RNDUP(oa->oa_length)), 1);
> +	if (rpchdr == NULL)
>  		return (FALSE);
>  
>  	buf = (int32_t *)rpchdr;
> @@ -325,6 +323,8 @@ svcauth_gss_validate(struct svc_rpc_gss_data *gd, struct rpc_msg *msg)
>  	maj_stat = gss_verify_mic(&min_stat, gd->ctx, &rpcbuf, &checksum,
>  				  &qop_state);
>  
> +	free(rpchdr);
> +
>  	if (maj_stat != GSS_S_COMPLETE) {
>  		gss_log_status("gss_verify_mic", maj_stat, min_stat);
>  		return (FALSE);
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2014-05-29 13:43 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2014-05-28 19:09 [PATCH v3] Avoid buffer overruns by allocating buffer in svcauth_gss_validate() Steve Dickson
2014-05-28 19:11 ` Chuck Lever
2014-05-28 21:24   ` Steve Dickson
2014-05-29 13:43 ` [Libtirpc-devel] " Steve Dickson

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).