[PATCH]Fix rpcauth in 2.2.18pre (was Re: bug in rpc code)

From: Trond Myklebust (trond.myklebust@fys.uio.no)
Date: Fri Oct 13 2000 - 04:33:26 EST


>>>>> " " == Hai-Pao Fan <haipao@mvista.com> writes:

> Problem:

> A returned address from kmalloc() can be overwritten to a wrong
> place in rpcauth_lookup_credcache() routine.

Hi Alan,

  The following patch fixes the bug in 2.2.18pre. As reported with the
2.4.0 patch on l-k, two things need fixing: an uninitialized hash
value in auth_null.c, and the use of '%' on signed values in the
rpcauth hashing algorithm.

Cheers,
  Trond

diff -u --recursive --new-file linux-2.2.18pre15/include/linux/sunrpc/auth.h linux-2.2.18pre15_fixed/include/linux/sunrpc/auth.h
--- linux-2.2.18pre15/include/linux/sunrpc/auth.h Fri Oct 13 11:00:28 2000
+++ linux-2.2.18pre15_fixed/include/linux/sunrpc/auth.h Fri Oct 13 11:02:32 2000
@@ -38,6 +38,7 @@
  * Client authentication handle
  */
 #define RPC_CREDCACHE_NR 8
+#define RPC_CREDCACHE_MASK (RPC_CREDCACHE_NR - 1)
 struct rpc_auth {
         struct rpc_cred * au_credcache[RPC_CREDCACHE_NR];
         unsigned long au_expire; /* cache expiry interval */
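Review bot: RPC_CREDCACHE_MASK on the added line is a correct bucket mask only while RPC_CREDCACHE_NR is a power of two, and nothing in the header states or enforces that. With a value such as 6 the mask becomes 5: the index stays inside au_credcache[], but some buckets are never used and the compiler says nothing. I would add a comment above the two defines, `/* RPC_CREDCACHE_NR must be a power of two: RPC_CREDCACHE_MASK indexes au_credcache[] */`, and a guard, `#if (RPC_CREDCACHE_NR & RPC_CREDCACHE_MASK) != 0` / `#error RPC_CREDCACHE_NR must be a power of two` / `#endif`. The struct rpc_auth definition continues past the end of the hunk.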
diff -u --recursive --new-file linux-2.2.18pre15/net/sunrpc/auth.c linux-2.2.18pre15_fixed/net/sunrpc/auth.c
--- linux-2.2.18pre15/net/sunrpc/auth.c Fri Oct 13 11:00:34 2000
+++ linux-2.2.18pre15_fixed/net/sunrpc/auth.c Fri Oct 13 11:04:42 2000
@@ -147,7 +147,7 @@
 {
         int nr;
 
- nr = (cred->cr_uid % RPC_CREDCACHE_NR);
+ nr = (cred->cr_uid & RPC_CREDCACHE_MASK);
         cred->cr_next = auth->au_credcache[nr];
         auth->au_credcache[nr] = cred;
         cred->cr_count++;
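Review bot: The bucket index is open-coded with the same expression at three sites (this hunk and the hunks at -164 and -197), and `nr` is still declared `int` at each of them. The mask keeps the index inside au_credcache[] whatever the sign of the uid, which is what stops the store `auth->au_credcache[nr] = cred` from landing outside the array. A single helper would keep insert, lookup and removal from drifting apart again, e.g. `#define RPC_CRED_HASH(uid) ((unsigned int)(uid) & RPC_CREDCACHE_MASK)` (the name is only a suggestion), with `nr` declared `unsigned int`. Insertion and removal hash cred->cr_uid while lookup hashes current->uid, so every credential constructor has to set cr_uid; only the auth_null one is visible in this patch, and the others should be checked. The enclosing functions start and end outside these hunks.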
@@ -164,7 +164,7 @@
         int nr = 0;
 
         if (!(taskflags & RPC_TASK_ROOTCREDS))
- nr = current->uid % RPC_CREDCACHE_NR;
+ nr = current->uid & RPC_CREDCACHE_MASK;
 
         if (time_before(auth->au_nextgc, jiffies))
                 rpcauth_gc_credcache(auth);
@@ -197,7 +197,7 @@
         struct rpc_cred **q, *cr;
         int nr;
 
- nr = (cred->cr_uid % RPC_CREDCACHE_NR);
+ nr = (cred->cr_uid & RPC_CREDCACHE_MASK);
         q = &auth->au_credcache[nr];
         while ((cr = *q) != NULL) {
                 if (cred == cr) {
diff -u --recursive --new-file linux-2.2.18pre15/net/sunrpc/auth_null.c linux-2.2.18pre15_fixed/net/sunrpc/auth_null.c
--- linux-2.2.18pre15/net/sunrpc/auth_null.c Fri Oct 13 11:00:34 2000
+++ linux-2.2.18pre15_fixed/net/sunrpc/auth_null.c Fri Oct 13 11:02:32 2000
@@ -54,6 +54,7 @@
                 return NULL;
         cred->cr_count = 0;
         cred->cr_flags = RPCAUTH_CRED_UPTODATE;
+ cred->cr_uid = current->uid;
 
         return cred;
 }
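Review bot: The added `cred->cr_uid = current->uid;` is unconditional, but the lookup hunk in auth.c picks bucket 0 whenever RPC_TASK_ROOTCREDS is set and insertion hashes cred->cr_uid. If this constructor is also reached for ROOTCREDS lookups, the new credential would be filed under `current->uid & RPC_CREDCACHE_MASK` while later ROOTCREDS lookups keep walking bucket 0. They would then presumably miss it and allocate another credential each time until the cache is garbage-collected. Should the constructor receive the task flags (its signature is outside the hunk, so the parameter name here is a stand-in), `cred->cr_uid = (taskflags & RPC_TASK_ROOTCREDS) ? 0 : current->uid;` would keep the two in step. A short comment such as `/* cr_uid selects the credcache bucket; must match rpcauth_lookup_credcache() */` would also record why the field is set for a flavour that carries no uid.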