    NFSD: SECINFO doesn't handle unsupported pseudoflavors correctly · 676e4ebd
    Chuck Lever authored
    If nfsd4_do_encode_secinfo() can't find GSS info that matches an
    export security flavor, it assumes the flavor is not a GSS
    pseudoflavor, and simply puts it on the wire.
    
    However, if this XDR encoding logic is given a legitimate GSS
    pseudoflavor but the RPC layer says it does not support that
    pseudoflavor for some reason, then the server leaks GSS pseudoflavor
    numbers onto the wire.
    
    I confirmed this happens by blacklisting rpcsec_gss_krb5, then
    attempted a client transition from the pseudo-fs to a Kerberos-only
    share.  The client received a flavor list containing the Kerberos
    pseudoflavor numbers, rather than GSS tuples.
    
    The encoder logic can check that each pseudoflavor in flavs[] is
    less than MAXFLAVOR before writing it into the buffer, to prevent
    this.  But after "nflavs" is written into the XDR buffer, the
    encoder can't skip writing flavor information into the buffer when
    it discovers the RPC layer doesn't support that flavor.
    
    So count the number of valid flavors as they are written into the
    XDR buffer, then write that count into a placeholder in the XDR
    buffer when all recognized flavors have been encoded.
    
    Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
nfs4xdr.c 89 KB
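
The count-then-backfill encoding the commit message describes, as an added user-space sketch (not the kernel patch and not code from this commit). All `demo_*` names are hypothetical, the GSS OID is left out of the tuple for brevity, and the bound of 8 for MAXFLAVOR and the Kerberos pseudoflavor numbers 390003 to 390005 are assumptions that do not appear on this page.

```c
#include <arpa/inet.h>   /* htonl(): XDR words are big-endian */
#include <stddef.h>
#include <stdint.h>

#define DEMO_AUTH_GSS  6u  /* RPCSEC_GSS flavor number */
#define DEMO_MAXFLAVOR 8u  /* assumed value standing in for the commit's MAXFLAVOR */

struct demo_gss_info { uint32_t qop, service; };
int demo_krb5_loaded = 1;  /* 0 simulates an RPC layer without Kerberos support */

/* Hypothetical stand-in for the RPC layer's GSS lookup; returns 0 on success. */
static int demo_get_gssinfo(uint32_t pf, struct demo_gss_info *info)
{
    if (!demo_krb5_loaded || pf < 390003 || pf > 390005)
        return -1;
    info->qop = 0;
    info->service = pf - 390002;  /* krb5=1 (none), krb5i=2, krb5p=3 */
    return 0;
}

/* Encodes the flavor list into out[] (needs 1 + 3*nflavs words); returns words used. */
size_t demo_encode_secinfo(const uint32_t *flavs, uint32_t nflavs, uint32_t *out)
{
    uint32_t *countp = out, *p = out + 1, supported = 0;  /* count word reserved */
    struct demo_gss_info info;

    for (uint32_t i = 0; i < nflavs; i++) {
        if (demo_get_gssinfo(flavs[i], &info) == 0) {
            *p++ = htonl(DEMO_AUTH_GSS);   /* GSS tuple (OID omitted in this sketch) */
            *p++ = htonl(info.qop);
            *p++ = htonl(info.service);
        } else if (flavs[i] < DEMO_MAXFLAVOR) {
            *p++ = htonl(flavs[i]);        /* plain flavor such as AUTH_SYS */
        } else {
            continue;                      /* unsupported pseudoflavor: never encoded */
        }
        supported++;
    }
    *countp = htonl(supported);            /* backfill with what was actually written */
    return (size_t)(p - out);
}

/* Constructed sample export: krb5, AUTH_SYS, krb5p */
const uint32_t demo_flavs[] = { 390003, 1, 390005 };
uint32_t demo_out[1 + 3 * 3];

/* Stand-alone check: with Kerberos unavailable only count + AUTH_SYS remain. */
int main(void) { demo_krb5_loaded = 0; return demo_encode_secinfo(demo_flavs, 3, demo_out) != 2; }
```

Because the count is written last, the array length on the wire always matches the entries that follow it, whichever flavors were skipped.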