[linux-cifs-client] Re: [PATCH] cifs: sanity check version in spnego upcall response
Steve French
smfrench at gmail.com
Fri Aug 22 15:40:16 GMT 2008
The upcall version is '1' in the kernel and cifs.upcall currently. If
you update the cifs.upcall to version 2 as your companion patch does,
won't the kernel now fail? Seems like the cifs.upcall code should
check the version sent to it, and if it is version 1, send a version 1
response back.
On Fri, Aug 22, 2008 at 7:03 AM, Jeff Layton <jlayton at redhat.com> wrote:
> Currently, we don't check the version in the SPNEGO upcall response
> even though one is provided. Do so and bail out with -EKEYREJECTED
> if the check fails.
>
> Signed-off-by: Jeff Layton <jlayton at redhat.com>
> ---
> fs/cifs/sess.c | 7 +++++++
> 1 files changed, 7 insertions(+), 0 deletions(-)
>
> diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c
> index 3188e4d..4cd2343 100644
> --- a/fs/cifs/sess.c
> +++ b/fs/cifs/sess.c
> @@ -516,6 +516,13 @@ CIFS_SessSetup(unsigned int xid, struct cifsSesInfo *ses, int first_time,
> }
>
> msg = spnego_key->payload.data;
> + /* sanity check version */
> + if (msg->version != CIFS_SPNEGO_UPCALL_VERSION) {
> + cERROR(1, ("Bad upcall version: expected %d, got %d",
> + CIFS_SPNEGO_UPCALL_VERSION, msg->version));
> + rc = -EKEYREJECTED;
> + goto ssetup_exit;
> + }
> /* bail out if key is too long */
> if (msg->sesskey_len >
> sizeof(ses->server->mac_signing_key.data.krb5)) {
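Review bot: The strict test msg->version != CIFS_SPNEGO_UPCALL_VERSION in the added block rejects every response whose version is not exactly the kernel's constant, so a cifs.upcall that reports any other version makes CIFS_SessSetup fail with -EKEYREJECTED. If that lockstep requirement is intended, the comment "/* sanity check version */" and the commit message should state it and say which side is expected to adapt; otherwise consider accepting every version the kernel knows how to parse rather than a single value. Placing the check ahead of the msg->sesskey_len read is right, since no other field of the message should be trusted until the version is known.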
> --
> 1.5.5.1
>
>
--
Thanks,
Steve