git.openpandora.org / pandora-kernel.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
svcrpc: fix handling of garbage args
[pandora-kernel.git] / net / sunrpc / auth_gss / svcauth_gss.c
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 688cc31..81ae3d6 100644 (file)
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -224,38 +224,34 @@ static int rsi_parse(struct cache_detail *cd,
 
        /* major/minor */
        len = qword_get(&mesg, buf, mlen);
-       if (len < 0)
+       if (len <= 0)
                goto out;
-       if (len == 0) {
+       rsii.major_status = simple_strtoul(buf, &ep, 10);
+       if (*ep)
+               goto out;
+       len = qword_get(&mesg, buf, mlen);
+       if (len <= 0)
+               goto out;
+       rsii.minor_status = simple_strtoul(buf, &ep, 10);
+       if (*ep)
                goto out;
-       } else {
-               rsii.major_status = simple_strtoul(buf, &ep, 10);
-               if (*ep)
-                       goto out;
-               len = qword_get(&mesg, buf, mlen);
-               if (len <= 0)
-                       goto out;
-               rsii.minor_status = simple_strtoul(buf, &ep, 10);
-               if (*ep)
-                       goto out;
 
-               /* out_handle */
-               len = qword_get(&mesg, buf, mlen);
-               if (len < 0)
-                       goto out;
-               status = -ENOMEM;
-               if (dup_to_netobj(&rsii.out_handle, buf, len))
-                       goto out;
+       /* out_handle */
+       len = qword_get(&mesg, buf, mlen);
+       if (len < 0)
+               goto out;
+       status = -ENOMEM;
+       if (dup_to_netobj(&rsii.out_handle, buf, len))
+               goto out;
 
-               /* out_token */
-               len = qword_get(&mesg, buf, mlen);
-               status = -EINVAL;
-               if (len < 0)
-                       goto out;
-               status = -ENOMEM;
-               if (dup_to_netobj(&rsii.out_token, buf, len))
-                       goto out;
-       }
+       /* out_token */
+       len = qword_get(&mesg, buf, mlen);
+       status = -EINVAL;
+       if (len < 0)
+               goto out;
+       status = -ENOMEM;
+       if (dup_to_netobj(&rsii.out_token, buf, len))
+               goto out;
        rsii.h.expiry_time = expiry;
        rsip = rsi_update(&rsii, rsip);
        status = 0;
@@ -1130,6 +1126,7 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp)
        case RPC_GSS_PROC_DESTROY:
                if (gss_write_verf(rqstp, rsci->mechctx, gc->gc_seq))
                        goto auth_err;
+               rsci->h.expiry_time = get_seconds();
                set_bit(CACHE_NEGATIVE, &rsci->h.flags);
                if (resv->iov_len + 4 > PAGE_SIZE)
                        goto drop;
@@ -1147,20 +1144,20 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp)
                case RPC_GSS_SVC_NONE:
                        break;
                case RPC_GSS_SVC_INTEGRITY:
-                       if (unwrap_integ_data(&rqstp->rq_arg,
-                                       gc->gc_seq, rsci->mechctx))
-                               goto auth_err;
                        /* placeholders for length and seq. number: */
                        svc_putnl(resv, 0);
                        svc_putnl(resv, 0);
+                       if (unwrap_integ_data(&rqstp->rq_arg,
+                                       gc->gc_seq, rsci->mechctx))
+                               goto garbage_args;
                        break;
                case RPC_GSS_SVC_PRIVACY:
-                       if (unwrap_priv_data(rqstp, &rqstp->rq_arg,
-                                       gc->gc_seq, rsci->mechctx))
-                               goto auth_err;
                        /* placeholders for length and seq. number: */
                        svc_putnl(resv, 0);
                        svc_putnl(resv, 0);
+                       if (unwrap_priv_data(rqstp, &rqstp->rq_arg,
+                                       gc->gc_seq, rsci->mechctx))
+                               goto garbage_args;
                        break;
                default:
                        goto auth_err;
@@ -1172,6 +1169,9 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp)
                ret = SVC_OK;
                goto out;
        }
+garbage_args:
+       ret = SVC_GARBAGE;
+       goto out;
 auth_err:
        /* Restore write pointer to its original value: */
        xdr_ressize_check(rqstp, reject_stat);
Pandora Kernel Repository