[linux-cifs-client] [PATCH] cifs: sanity check version in spnego
upcall response
Jeff Layton
jlayton at redhat.com
Fri Aug 22 12:03:21 GMT 2008
Currently, we don't check the version in the SPNEGO upcall response
even though one is provided. Do so and bail out with -EKEYREJECTED
if the check fails.
Signed-off-by: Jeff Layton <jlayton at redhat.com>
---
fs/cifs/sess.c | 7 +++++++
1 files changed, 7 insertions(+), 0 deletions(-)
diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
index 3188e4d..4cd2343 100644
--- a/fs/cifs/sess.c
+++ b/fs/cifs/sess.c
@@ -516,6 +516,13 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
}
msg = spnego_key->payload.data;
+ /* sanity check version */
+ if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
+ cERROR(1, ("Bad upcall version: expected %d, got %d",
+ CIFS_SPNEGO_UPCALL_VERSION, msg->version));
+ rc = -EKEYREJECTED;
+ goto ssetup_exit;
+ }
/* bail out if key is too long */
if (msg->sesskey_len >
sizeof(ses->server->mac_signing_key.data.krb5)) {
--
1.5.5.1
More information about the linux-cifs-client
mailing list