svcrpc: fix handling of garbage args

To return garbage_args, the accept_stat must be 0, and we must have a verifier. So we shouldn't be resetting the write pointer as we reject the call. Also, we must add the two placeholder words here regardless of success of the unwrap, to ensure the output buffer is left in a consistent state for svcauth_gss_release(). This fixes a BUG() in svcauth_gss.c:svcauth_gss_release(). Thanks to Aime Le Rouzic for bug report, debugging help, and testing. Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Tested-by: Aime Le Rouzic <aime.le-rouzic@bull.net> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
git-mirror · Jul 3, 2008 · b620754 · b620754
1 parent 97055a9
commit b620754
Showing 1 changed file with 5 additions and 7 deletions.
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -1144,20 +1144,20 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp)
 		case RPC_GSS_SVC_NONE:
 			break;
 		case RPC_GSS_SVC_INTEGRITY:
+			/* placeholders for length and seq. number: */
+			svc_putnl(resv, 0);
+			svc_putnl(resv, 0);
 			if (unwrap_integ_data(&rqstp->rq_arg,
 					gc->gc_seq, rsci->mechctx))
 				goto garbage_args;
+			break;
+		case RPC_GSS_SVC_PRIVACY:
 			/* placeholders for length and seq. number: */
 			svc_putnl(resv, 0);
 			svc_putnl(resv, 0);
-			break;
-		case RPC_GSS_SVC_PRIVACY:
 			if (unwrap_priv_data(rqstp, &rqstp->rq_arg,
 					gc->gc_seq, rsci->mechctx))
 				goto garbage_args;
-			/* placeholders for length and seq. number: */
-			svc_putnl(resv, 0);
-			svc_putnl(resv, 0);
 			break;
 		default:
 			goto auth_err;
@@ -1170,8 +1170,6 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp)
 		goto out;
 	}
 garbage_args:
-	/* Restore write pointer to its original value: */
-	xdr_ressize_check(rqstp, reject_stat);
 	ret = SVC_GARBAGE;
 	goto out;
 auth_err: