From: "J. Bruce Fields" <bfields@fieldses.org>
To: Benny Halevy <bhalevy@panasas.com>
Cc: pnfs@linux-nfs.org, linux-nfs@vger.kernel.org, andros@netapp.com
Subject: Re: [PATCH 07/44] nfsd41: create_session check replay first
Date: Tue, 16 Jun 2009 17:16:33 -0400 [thread overview]
Message-ID: <20090616211633.GF3045@fieldses.org> (raw)
In-Reply-To: <20090616204734.GE3045@fieldses.org>
On Tue, Jun 16, 2009 at 04:47:34PM -0400, bfields wrote:
> On Tue, Jun 16, 2009 at 04:19:32AM +0300, Benny Halevy wrote:
> > From: Andy Adamson <andros@netapp.com>
> >
> > Replay processing needs to preceed other error processing.
>
> Why?
Note: there's a slight leak of information here, which I don't think is
really important, but still by default would rather avoid: if a replay
is sent by someone other than the sender of the original create_session,
then sending back the cached result means they get to see a
create_session result that otherwise would have required them to sniff
the network (or decrypt a packet sent with the original user's creds, if
krb5p was in effect).
I doubt that's a big deal: I don't see anything that looks
security-critical in the create_session results. But absent any real
reason to do otherwise, I'd rather check the creds before checking for
replay.
(Note: this is more critical in the case of the sessions DRC: e.g. if
the cached result includes read data, then we could end up exposing
filesystem data to someone who wouldn't otherwise be able to see it.)
--b.
>
> --b.
>
> >
> > Signed-off-by: Andy Adamson <andros@netapp.com>
> > Signed-off-by: Benny Halevy <bhalevy@panasas.com>
> > ---
> > fs/nfsd/nfs4state.c | 12 ++++++------
> > 1 files changed, 6 insertions(+), 6 deletions(-)
> >
> > diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
> > index bfc808b..5aef525 100644
> > --- a/fs/nfsd/nfs4state.c
> > +++ b/fs/nfsd/nfs4state.c
> > @@ -1378,12 +1378,6 @@ nfsd4_create_session(struct svc_rqst *rqstp,
> > }
> > conf->cl_slot.sl_seqid++;
> > } else if (unconf) {
> > - if (!same_creds(&unconf->cl_cred, &rqstp->rq_cred) ||
> > - (ip_addr != unconf->cl_addr)) {
> > - status = nfserr_clid_inuse;
> > - goto out_cache;
> > - }
> > -
> > slot = &unconf->cl_slot;
> > status = check_slot_seqid(cr_ses->seqid, slot->sl_seqid, 0);
> > if (status) {
> > @@ -1392,6 +1386,12 @@ nfsd4_create_session(struct svc_rqst *rqstp,
> > goto out;
> > }
> >
> > + if (!same_creds(&unconf->cl_cred, &rqstp->rq_cred) ||
> > + (ip_addr != unconf->cl_addr)) {
> > + status = nfserr_clid_inuse;
> > + goto out_cache;
> > + }
> > +
> > slot->sl_seqid++; /* from 0 to 1 */
> > move_to_confirmed(unconf);
> >
> > --
> > 1.6.3
> >
next prev parent reply other threads:[~2009-06-16 21:16 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-06-16 1:19 [PATCH 07/44] nfsd41: create_session check replay first Benny Halevy
2009-06-16 20:47 ` J. Bruce Fields
2009-06-16 21:16 ` J. Bruce Fields [this message]
2009-06-17 1:22 ` [pnfs] " William A. (Andy) Adamson
2009-06-17 1:15 ` William A. (Andy) Adamson
[not found] ` <89c397150906161815v6136e000t338f4fce10ceff23-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2009-06-17 1:25 ` J. Bruce Fields
2009-06-17 1:39 ` William A. (Andy) Adamson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090616211633.GF3045@fieldses.org \
--to=bfields@fieldses.org \
--cc=andros@netapp.com \
--cc=bhalevy@panasas.com \
--cc=linux-nfs@vger.kernel.org \
--cc=pnfs@linux-nfs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox