From: "J. Bruce Fields" <bfields@fieldses.org>
To: Jeff Layton <jlayton@redhat.com>
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH v2 8/8] nfsd: keep a checksum of the first 256 bytes of request
Date: Tue, 5 Feb 2013 09:55:47 -0500 [thread overview]
Message-ID: <20130205145547.GD9886@fieldses.org> (raw)
In-Reply-To: <20130204202046.GB8709@fieldses.org>
On Mon, Feb 04, 2013 at 03:20:46PM -0500, J. Bruce Fields wrote:
> On Mon, Feb 04, 2013 at 08:18:07AM -0500, Jeff Layton wrote:
> > @@ -238,12 +243,37 @@ nfsd_reply_cache_shrink(struct shrinker *shrink, struct shrink_control *sc)
> > }
> >
> > /*
> > + * Walk an xdr_buf and get a CRC for at most the first RC_CSUMLEN bytes
> > + */
> > +static u32
> > +nfsd_cache_crc(struct xdr_buf *buf)
> > +{
> > + u32 crc;
> > + const unsigned char *p = buf->head[0].iov_base;
> > + size_t csum_len = min_t(size_t, buf->head[0].iov_len + buf->page_len,
> > + RC_CSUMLEN);
> > + size_t len = min(buf->head[0].iov_len, csum_len);
> > +
> > + /* rq_arg.head first */
> > + crc = crc32(crc_seed, p, len);
> > + csum_len -= len;
>
> I'm getting a RPLY14 failure from pynfs --security=krb5i.
>
> I suspect what's happening here is that the data you're checksumming
> over includes the gss sequence number and the krbi integrity checksum.
> Both those change, even on resends, to prevent an attacker from doing
> something nefarious by resending an old rpc.
>
> I think we really want to checksum just over the nfs-level data. Our
> checks for xid, program number, etc., already cover most of the rpc
> header anyway.
I've dropped this for now, but applied the previous patches.
--b.
next prev parent reply other threads:[~2013-02-05 14:55 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-02-04 13:17 [PATCH v2 0/8] nfsd: duplicate reply cache overhaul Jeff Layton
2013-02-04 13:18 ` [PATCH v2 1/8] nfsd: always move DRC entries to the end of LRU list when updating timestamp Jeff Layton
2013-02-04 13:18 ` [PATCH v2 2/8] nfsd: track the number of DRC entries in the cache Jeff Layton
2013-02-04 13:18 ` [PATCH v2 3/8] nfsd: dynamically allocate DRC entries Jeff Layton
2013-02-04 13:18 ` [PATCH v2 4/8] nfsd: remove the cache_disabled flag Jeff Layton
2013-02-04 13:18 ` [PATCH v2 5/8] nfsd: when updating an entry with RC_NOCACHE, just free it Jeff Layton
2013-02-04 13:18 ` [PATCH v2 6/8] nfsd: add recurring workqueue job to clean the cache Jeff Layton
2013-02-04 13:18 ` [PATCH v2 7/8] nfsd: register a shrinker for DRC cache entries Jeff Layton
2013-02-04 13:18 ` [PATCH v2 8/8] nfsd: keep a checksum of the first 256 bytes of request Jeff Layton
2013-02-04 15:54 ` J. Bruce Fields
2013-02-04 16:16 ` Jeff Layton
2013-02-04 20:20 ` J. Bruce Fields
2013-02-05 14:55 ` J. Bruce Fields [this message]
2013-02-05 15:51 ` Jeff Layton
2013-02-04 15:56 ` [PATCH v2 0/8] nfsd: duplicate reply cache overhaul J. Bruce Fields
2013-02-04 18:07 ` [PATCH 9/8] nfsd: handle arbitrary page array layouts in nfsd_cache_crc Jeff Layton
2013-02-04 18:18 ` J. Bruce Fields
2013-02-05 15:15 ` [PATCH v2 0/8] nfsd: duplicate reply cache overhaul J. Bruce Fields
2013-02-05 15:58 ` Jeff Layton
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130205145547.GD9886@fieldses.org \
--to=bfields@fieldses.org \
--cc=jlayton@redhat.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox