From: Andy Adamson <[email protected]>
Replay processing needs to preceed other error processing.
Signed-off-by: Andy Adamson <[email protected]>
Signed-off-by: Benny Halevy <[email protected]>
---
fs/nfsd/nfs4state.c | 12 ++++++------
1 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index bfc808b..5aef525 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -1378,12 +1378,6 @@ nfsd4_create_session(struct svc_rqst *rqstp,
}
conf->cl_slot.sl_seqid++;
} else if (unconf) {
- if (!same_creds(&unconf->cl_cred, &rqstp->rq_cred) ||
- (ip_addr != unconf->cl_addr)) {
- status = nfserr_clid_inuse;
- goto out_cache;
- }
-
slot = &unconf->cl_slot;
status = check_slot_seqid(cr_ses->seqid, slot->sl_seqid, 0);
if (status) {
@@ -1392,6 +1386,12 @@ nfsd4_create_session(struct svc_rqst *rqstp,
goto out;
}
+ if (!same_creds(&unconf->cl_cred, &rqstp->rq_cred) ||
+ (ip_addr != unconf->cl_addr)) {
+ status = nfserr_clid_inuse;
+ goto out_cache;
+ }
+
slot->sl_seqid++; /* from 0 to 1 */
move_to_confirmed(unconf);
--
1.6.3
On Tue, Jun 16, 2009 at 04:19:32AM +0300, Benny Halevy wrote:
> From: Andy Adamson <[email protected]>
>
> Replay processing needs to preceed other error processing.
Why?
--b.
>
> Signed-off-by: Andy Adamson <[email protected]>
> Signed-off-by: Benny Halevy <[email protected]>
> ---
> fs/nfsd/nfs4state.c | 12 ++++++------
> 1 files changed, 6 insertions(+), 6 deletions(-)
>
> diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
> index bfc808b..5aef525 100644
> --- a/fs/nfsd/nfs4state.c
> +++ b/fs/nfsd/nfs4state.c
> @@ -1378,12 +1378,6 @@ nfsd4_create_session(struct svc_rqst *rqstp,
> }
> conf->cl_slot.sl_seqid++;
> } else if (unconf) {
> - if (!same_creds(&unconf->cl_cred, &rqstp->rq_cred) ||
> - (ip_addr != unconf->cl_addr)) {
> - status = nfserr_clid_inuse;
> - goto out_cache;
> - }
> -
> slot = &unconf->cl_slot;
> status = check_slot_seqid(cr_ses->seqid, slot->sl_seqid, 0);
> if (status) {
> @@ -1392,6 +1386,12 @@ nfsd4_create_session(struct svc_rqst *rqstp,
> goto out;
> }
>
> + if (!same_creds(&unconf->cl_cred, &rqstp->rq_cred) ||
> + (ip_addr != unconf->cl_addr)) {
> + status = nfserr_clid_inuse;
> + goto out_cache;
> + }
> +
> slot->sl_seqid++; /* from 0 to 1 */
> move_to_confirmed(unconf);
>
> --
> 1.6.3
>
On Tue, Jun 16, 2009 at 04:47:34PM -0400, bfields wrote:
> On Tue, Jun 16, 2009 at 04:19:32AM +0300, Benny Halevy wrote:
> > From: Andy Adamson <[email protected]>
> >
> > Replay processing needs to preceed other error processing.
>
> Why?
Note: there's a slight leak of information here, which I don't think is
really important, but still by default would rather avoid: if a replay
is sent by someone other than the sender of the original create_session,
then sending back the cached result means they get to see a
create_session result that otherwise would have required them to sniff
the network (or decrypt a packet sent with the original user's creds, if
krb5p was in effect).
I doubt that's a big deal: I don't see anything that looks
security-critical in the create_session results. But absent any real
reason to do otherwise, I'd rather check the creds before checking for
replay.
(Note: this is more critical in the case of the sessions DRC: e.g. if
the cached result includes read data, then we could end up exposing
filesystem data to someone who wouldn't otherwise be able to see it.)
--b.
>
> --b.
>
> >
> > Signed-off-by: Andy Adamson <[email protected]>
> > Signed-off-by: Benny Halevy <[email protected]>
> > ---
> > fs/nfsd/nfs4state.c | 12 ++++++------
> > 1 files changed, 6 insertions(+), 6 deletions(-)
> >
> > diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
> > index bfc808b..5aef525 100644
> > --- a/fs/nfsd/nfs4state.c
> > +++ b/fs/nfsd/nfs4state.c
> > @@ -1378,12 +1378,6 @@ nfsd4_create_session(struct svc_rqst *rqstp,
> > }
> > conf->cl_slot.sl_seqid++;
> > } else if (unconf) {
> > - if (!same_creds(&unconf->cl_cred, &rqstp->rq_cred) ||
> > - (ip_addr != unconf->cl_addr)) {
> > - status = nfserr_clid_inuse;
> > - goto out_cache;
> > - }
> > -
> > slot = &unconf->cl_slot;
> > status = check_slot_seqid(cr_ses->seqid, slot->sl_seqid, 0);
> > if (status) {
> > @@ -1392,6 +1386,12 @@ nfsd4_create_session(struct svc_rqst *rqstp,
> > goto out;
> > }
> >
> > + if (!same_creds(&unconf->cl_cred, &rqstp->rq_cred) ||
> > + (ip_addr != unconf->cl_addr)) {
> > + status = nfserr_clid_inuse;
> > + goto out_cache;
> > + }
> > +
> > slot->sl_seqid++; /* from 0 to 1 */
> > move_to_confirmed(unconf);
> >
> > --
> > 1.6.3
> >
On Tue, Jun 16, 2009 at 5:16 PM, J. Bruce Fields<[email protected]> wrote:
> On Tue, Jun 16, 2009 at 04:47:34PM -0400, bfields wrote:
>> On Tue, Jun 16, 2009 at 04:19:32AM +0300, Benny Halevy wrote:
>> > From: Andy Adamson <[email protected]>
>> >
>> > Replay processing needs to preceed other error processing.
>>
>> Why?
>
> Note: there's a slight leak of information here, which I don't think is
> really important, but still by default would rather avoid: if a replay
> is sent by someone other than the sender of the original create_session,
> then sending back the cached result means they get to see a
> create_session result that otherwise would have required them to sniff
> the network (or decrypt a packet sent with the original user's creds, if
> krb5p was in effect).
>
> I doubt that's a big deal: I don't see anything that looks
> security-critical in the create_session results. But absent any real
> reason to do otherwise, I'd rather check the creds before checking for
> replay.
>
> (Note: this is more critical in the case of the sessions DRC: e.g. if
> the cached result includes read data, then we could end up exposing
> filesystem data to someone who wouldn't otherwise be able to see it.)
We should figure out credential checking for both create session and
sequence drc...
-->Andy
>
> --b.
>
>>
>> --b.
>>
>> >
>> > Signed-off-by: Andy Adamson <[email protected]>
>> > Signed-off-by: Benny Halevy <[email protected]>
>> > ---
>> > fs/nfsd/nfs4state.c | 12 ++++++------
>> > 1 files changed, 6 insertions(+), 6 deletions(-)
>> >
>> > diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
>> > index bfc808b..5aef525 100644
>> > --- a/fs/nfsd/nfs4state.c
>> > +++ b/fs/nfsd/nfs4state.c
>> > @@ -1378,12 +1378,6 @@ nfsd4_create_session(struct svc_rqst *rqstp,
>> > }
>> > conf->cl_slot.sl_seqid++;
>> > } else if (unconf) {
>> > - if (!same_creds(&unconf->cl_cred, &rqstp->rq_cred) ||
>> > - (ip_addr != unconf->cl_addr)) {
>> > - status = nfserr_clid_inuse;
>> > - goto out_cache;
>> > - }
>> > -
>> > slot = &unconf->cl_slot;
>> > status = check_slot_seqid(cr_ses->seqid, slot->sl_seqid, 0);
>> > if (status) {
>> > @@ -1392,6 +1386,12 @@ nfsd4_create_session(struct svc_rqst *rqstp,
>> > goto out;
>> > }
>> >
>> > + if (!same_creds(&unconf->cl_cred, &rqstp->rq_cred) ||
>> > + (ip_addr != unconf->cl_addr)) {
>> > + status = nfserr_clid_inuse;
>> > + goto out_cache;
>> > + }
>> > +
>> > slot->sl_seqid++; /* from 0 to 1 */
>> > move_to_confirmed(unconf);
>> >
>> > --
>> > 1.6.3
>> >
> _______________________________________________
> pNFS mailing list
> [email protected]
> http://linux-nfs.org/cgi-bin/mailman/listinfo/pnfs
>
On Tue, Jun 16, 2009 at 4:47 PM, J. Bruce Fields<[email protected]> wrote:
> On Tue, Jun 16, 2009 at 04:19:32AM +0300, Benny Halevy wrote:
>> From: Andy Adamson <[email protected]>
>>
>> Replay processing needs to preceed other error processing.
>
> Why?
>
Section 18.36.4. (CREATE_SESSION implementation section) states the
ordering of clientid confirmation processing as
1) client id record lookup
2) sequence id processing
3) client id confirmation
rpc cred processing is done in #3.
->Andy
> --b.
>
>>
>> Signed-off-by: Andy Adamson <[email protected]>
>> Signed-off-by: Benny Halevy <[email protected]>
>> ---
>> fs/nfsd/nfs4state.c | 12 ++++++------
>> 1 files changed, 6 insertions(+), 6 deletions(-)
>>
>> diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
>> index bfc808b..5aef525 100644
>> --- a/fs/nfsd/nfs4state.c
>> +++ b/fs/nfsd/nfs4state.c
>> @@ -1378,12 +1378,6 @@ nfsd4_create_session(struct svc_rqst *rqstp,
>> }
>> conf->cl_slot.sl_seqid++;
>> } else if (unconf) {
>> - if (!same_creds(&unconf->cl_cred, &rqstp->rq_cred) ||
>> - (ip_addr != unconf->cl_addr)) {
>> - status = nfserr_clid_inuse;
>> - goto out_cache;
>> - }
>> -
>> slot = &unconf->cl_slot;
>> status = check_slot_seqid(cr_ses->seqid, slot->sl_seqid, 0);
>> if (status) {
>> @@ -1392,6 +1386,12 @@ nfsd4_create_session(struct svc_rqst *rqstp,
>> goto out;
>> }
>>
>> + if (!same_creds(&unconf->cl_cred, &rqstp->rq_cred) ||
>> + (ip_addr != unconf->cl_addr)) {
>> + status = nfserr_clid_inuse;
>> + goto out_cache;
>> + }
>> +
>> slot->sl_seqid++; /* from 0 to 1 */
>> move_to_confirmed(unconf);
>>
>> --
>> 1.6.3
>>
> _______________________________________________
> pNFS mailing list
> [email protected]
> http://linux-nfs.org/cgi-bin/mailman/listinfo/pnfs
>