From: "William A. (Andy) Adamson" Subject: Re: [pnfs] [PATCH 07/44] nfsd41: create_session check replay first Date: Tue, 16 Jun 2009 21:22:22 -0400 Message-ID: <89c397150906161822g7c75509aiffb44faab62728ce@mail.gmail.com> References: <1245115172-7030-1-git-send-email-bhalevy@panasas.com> <20090616204734.GE3045@fieldses.org> <20090616211633.GF3045@fieldses.org> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1 Cc: Benny Halevy , linux-nfs@vger.kernel.org, pnfs@linux-nfs.org To: "J. Bruce Fields" Return-path: Received: from mail-gx0-f214.google.com ([209.85.217.214]:56662 "EHLO mail-gx0-f214.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751770AbZFQBWU (ORCPT ); Tue, 16 Jun 2009 21:22:20 -0400 Received: by gxk10 with SMTP id 10so17357gxk.13 for ; Tue, 16 Jun 2009 18:22:23 -0700 (PDT) In-Reply-To: <20090616211633.GF3045@fieldses.org> Sender: linux-nfs-owner@vger.kernel.org List-ID: On Tue, Jun 16, 2009 at 5:16 PM, J. Bruce Fields wrote: > On Tue, Jun 16, 2009 at 04:47:34PM -0400, bfields wrote: >> On Tue, Jun 16, 2009 at 04:19:32AM +0300, Benny Halevy wrote: >> > From: Andy Adamson >> > >> > Replay processing needs to preceed other error processing. >> >> Why? > > Note: there's a slight leak of information here, which I don't think is > really important, but still by default would rather avoid: if a replay > is sent by someone other than the sender of the original create_session, > then sending back the cached result means they get to see a > create_session result that otherwise would have required them to sniff > the network (or decrypt a packet sent with the original user's creds, if > krb5p was in effect). > > I doubt that's a big deal: I don't see anything that looks > security-critical in the create_session results. But absent any real > reason to do otherwise, I'd rather check the creds before checking for > replay. > > (Note: this is more critical in the case of the sessions DRC: e.g. if > the cached result includes read data, then we could end up exposing > filesystem data to someone who wouldn't otherwise be able to see it.) We should figure out credential checking for both create session and sequence drc... -->Andy > > --b. > >> >> --b. >> >> > >> > Signed-off-by: Andy Adamson >> > Signed-off-by: Benny Halevy >> > --- >> > fs/nfsd/nfs4state.c | 12 ++++++------ >> > 1 files changed, 6 insertions(+), 6 deletions(-) >> > >> > diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c >> > index bfc808b..5aef525 100644 >> > --- a/fs/nfsd/nfs4state.c >> > +++ b/fs/nfsd/nfs4state.c >> > @@ -1378,12 +1378,6 @@ nfsd4_create_session(struct svc_rqst *rqstp, >> > } >> > conf->cl_slot.sl_seqid++; >> > } else if (unconf) { >> > - if (!same_creds(&unconf->cl_cred, &rqstp->rq_cred) || >> > - (ip_addr != unconf->cl_addr)) { >> > - status = nfserr_clid_inuse; >> > - goto out_cache; >> > - } >> > - >> > slot = &unconf->cl_slot; >> > status = check_slot_seqid(cr_ses->seqid, slot->sl_seqid, 0); >> > if (status) { >> > @@ -1392,6 +1386,12 @@ nfsd4_create_session(struct svc_rqst *rqstp, >> > goto out; >> > } >> > >> > + if (!same_creds(&unconf->cl_cred, &rqstp->rq_cred) || >> > + (ip_addr != unconf->cl_addr)) { >> > + status = nfserr_clid_inuse; >> > + goto out_cache; >> > + } >> > + >> > slot->sl_seqid++; /* from 0 to 1 */ >> > move_to_confirmed(unconf); >> > >> > -- >> > 1.6.3 >> > > _______________________________________________ > pNFS mailing list > pNFS@linux-nfs.org > http://linux-nfs.org/cgi-bin/mailman/listinfo/pnfs >