SUNRPC: Convert unwrap_priv_data() to use xdr_stream

Done as part of hardening the server-side RPC header decoding path.

Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

diff --git a/include/linux/sunrpc/xdr.h b/include/linux/sunrpc/xdr.h
index accfe8d6e28333a531d47fd45574bee119abe85a..884df67009f4e2694d6390f110e32c6e40fb680b 100644 (file)
--- a/include/linux/sunrpc/xdr.h
+++ b/include/linux/sunrpc/xdr.h
@@ -188,7 +188,6 @@ xdr_adjust_iovec(struct kvec *iov, __be32 *p)
 /*
  * XDR buffer helper functions
  */
-extern void xdr_shift_buf(struct xdr_buf *, size_t);
 extern void xdr_buf_from_iov(const struct kvec *, struct xdr_buf *);
 extern int xdr_buf_subsegment(const struct xdr_buf *, struct xdr_buf *, unsigned int, unsigned int);
 extern void xdr_buf_trim(struct xdr_buf *, unsigned int);

diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 03d9067b4fa99378e8a43dd46b932a1c3abd3050..e204b5b60bf08e8bbd441286e3e11afdf2350bbd 100644 (file)
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -982,17 +982,6 @@ total_buf_len(struct xdr_buf *buf)
        return buf->head[0].iov_len + buf->page_len + buf->tail[0].iov_len;
 }
 
-static void
-fix_priv_head(struct xdr_buf *buf, int pad)
-{
-       if (buf->page_len == 0) {
-               /* We need to adjust head and buf->len in tandem in this
-                * case to make svc_defer() work--it finds the original
-                * buffer start using buf->len - buf->head[0].iov_len. */
-               buf->head[0].iov_len -= pad;
-       }
-}
-
 /*
  * RFC 2203, Section 5.3.2.3
  *
@@ -1005,49 +994,37 @@ fix_priv_head(struct xdr_buf *buf, int pad)
  *             proc_req_arg_t arg;
  *     };
  */
-static int
-svcauth_gss_unwrap_priv(struct svc_rqst *rqstp, struct xdr_buf *buf, u32 seq,
-                       struct gss_ctx *ctx)
+static noinline_for_stack int
+svcauth_gss_unwrap_priv(struct svc_rqst *rqstp, u32 seq, struct gss_ctx *ctx)
 {
-       u32 len, seq_num, maj_stat;
-       int pad, remaining_len, offset;
+       struct xdr_stream *xdr = &rqstp->rq_arg_stream;
+       u32 len, maj_stat, seq_num, offset;
+       struct xdr_buf *buf = xdr->buf;
+       unsigned int saved_len;
 
        clear_bit(RQ_SPLICE_OK, &rqstp->rq_flags);
 
-       len = svc_getnl(&buf->head[0]);
+       if (xdr_stream_decode_u32(xdr, &len) < 0)
+               goto unwrap_failed;
        if (rqstp->rq_deferred) {
                /* Already decrypted last time through! The sequence number
                 * check at out_seq is unnecessary but harmless: */
                goto out_seq;
        }
-       /* buf->len is the number of bytes from the original start of the
-        * request to the end, where head[0].iov_len is just the bytes
-        * not yet read from the head, so these two values are different: */
-       remaining_len = total_buf_len(buf);
-       if (len > remaining_len)
+       if (len > xdr_stream_remaining(xdr))
                goto unwrap_failed;
-       pad = remaining_len - len;
-       buf->len -= pad;
-       fix_priv_head(buf, pad);
-
-       maj_stat = gss_unwrap(ctx, 0, len, buf);
-       pad = len - buf->len;
-       /* The upper layers assume the buffer is aligned on 4-byte boundaries.
-        * In the krb5p case, at least, the data ends up offset, so we need to
-        * move it around. */
-       /* XXX: This is very inefficient.  It would be better to either do
-        * this while we encrypt, or maybe in the receive code, if we can peak
-        * ahead and work out the service and mechanism there. */
-       offset = xdr_pad_size(buf->head[0].iov_len);
-       if (offset) {
-               buf->buflen = RPCSVC_MAXPAYLOAD;
-               xdr_shift_buf(buf, offset);
-               fix_priv_head(buf, pad);
-       }
+       offset = xdr_stream_pos(xdr);
+
+       saved_len = buf->len;
+       maj_stat = gss_unwrap(ctx, offset, offset + len, buf);
        if (maj_stat != GSS_S_COMPLETE)
                goto bad_unwrap;
+       xdr->nwords -= XDR_QUADLEN(saved_len - buf->len);
+
 out_seq:
-       seq_num = svc_getnl(&buf->head[0]);
+       /* gss_unwrap() decrypted the sequence number. */
+       if (xdr_stream_decode_u32(xdr, &seq_num) < 0)
+               goto unwrap_failed;
        if (seq_num != seq)
                goto bad_seqno;
        return 0;
@@ -1689,11 +1666,11 @@ svcauth_gss_accept(struct svc_rqst *rqstp)
                        /* placeholders for length and seq. number: */
                        svc_putnl(resv, 0);
                        svc_putnl(resv, 0);
-                       if (svcauth_gss_unwrap_priv(rqstp, &rqstp->rq_arg,
-                                                   gc->gc_seq, rsci->mechctx))
+                       svcxdr_init_decode(rqstp);
+                       if (svcauth_gss_unwrap_priv(rqstp, gc->gc_seq,
+                                                   rsci->mechctx))
                                goto garbage_args;
                        rqstp->rq_auth_slack = RPC_MAX_AUTH_SIZE * 2;
-                       svcxdr_init_decode(rqstp);
                        break;
                default:
                        goto auth_err;

diff --git a/net/sunrpc/xdr.c b/net/sunrpc/xdr.c
index c7e89921d5110bf999f5b7d7834fa4714ef0b325..56d87c784c9eaa9db60bd21110c4de57dbb9576a 100644 (file)
--- a/net/sunrpc/xdr.c
+++ b/net/sunrpc/xdr.c
@@ -863,13 +863,6 @@ static unsigned int xdr_shrink_pagelen(struct xdr_buf *buf, unsigned int len)
        return shift;
 }
 
-void
-xdr_shift_buf(struct xdr_buf *buf, size_t len)
-{
-       xdr_shrink_bufhead(buf, buf->head->iov_len - len);
-}
-EXPORT_SYMBOL_GPL(xdr_shift_buf);
-
 /**
  * xdr_stream_pos - Return the current offset from the start of the xdr_stream
  * @xdr: pointer to struct xdr_stream