From 9bfc52c1091c871cbc58390874b5c4ebe266bee0 Mon Sep 17 00:00:00 2001 From: Fabian Frederick Date: Thu, 23 Oct 2014 18:19:35 +0200 Subject: 9p: remove unused variable in p9_fd_create() p is initialized but unused. Signed-off-by: Fabian Frederick Signed-off-by: Dominique Martinet Signed-off-by: Eric Van Hensbergen --- net/9p/trans_fd.c | 2 -- 1 file changed, 2 deletions(-) (limited to 'net') diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index 80d08f6664cb..c73b894846c1 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -1013,7 +1013,6 @@ p9_fd_create(struct p9_client *client, const char *addr, char *args) { int err; struct p9_fd_opts opts; - struct p9_trans_fd *p; parse_opts(args, &opts); @@ -1026,7 +1025,6 @@ p9_fd_create(struct p9_client *client, const char *addr, char *args) if (err < 0) return err; - p = (struct p9_trans_fd *) client->trans; p9_conn_create(client); return 0; -- cgit v1.2.3-59-g8ed1b From 6250a8badb311953a49bedb16ed17eb59d21c03a Mon Sep 17 00:00:00 2001 From: "Kirill A. Shutemov" Date: Tue, 30 Dec 2014 02:48:09 +0200 Subject: 9p: use unsigned integers for nwqid/count As specification says, all integers in messages are unsigned. Let's fix behaviour of p9pdu_vreadf()/p9pdu_vwritef() accordingly. Fix for p9pdu_vreadf() is critical. If server replies with Rwalk, where nwqid > SHRT_MAX, the value will be interpreted as negative. kmalloc, in its order, will cast the value to (very big) size_t. It should never happen in normal situation: we never submit Twalk with nwname > 16, but malicious or broken server can still produce problematic Rwalk. Signed-off-by: Kirill A. Shutemov Signed-off-by: Dominique Martinet Signed-off-by: Eric Van Hensbergen --- net/9p/protocol.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'net') diff --git a/net/9p/protocol.c b/net/9p/protocol.c index ab9127ec5b7a..305e4789f2cc 100644 --- a/net/9p/protocol.c +++ b/net/9p/protocol.c @@ -273,7 +273,7 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt, } break; case 'R':{ - int16_t *nwqid = va_arg(ap, int16_t *); + uint16_t *nwqid = va_arg(ap, uint16_t *); struct p9_qid **wqids = va_arg(ap, struct p9_qid **); @@ -448,7 +448,7 @@ p9pdu_vwritef(struct p9_fcall *pdu, int proto_version, const char *fmt, } break; case 'U':{ - int32_t count = va_arg(ap, int32_t); + uint32_t count = va_arg(ap, uint32_t); const char __user *udata = va_arg(ap, const void __user *); errcode = p9pdu_writef(pdu, proto_version, "d", @@ -479,7 +479,7 @@ p9pdu_vwritef(struct p9_fcall *pdu, int proto_version, const char *fmt, } break; case 'R':{ - int16_t nwqid = va_arg(ap, int); + uint16_t nwqid = va_arg(ap, int); struct p9_qid *wqids = va_arg(ap, struct p9_qid *); -- cgit v1.2.3-59-g8ed1b From 179a5bc4b8cbe68ca675057b960dd805867e41c4 Mon Sep 17 00:00:00 2001 From: Andrey Ryabinin Date: Tue, 27 Jan 2015 16:00:19 +0300 Subject: net/9p: use memcpy() instead of snprintf() in p9_mount_tag_show() p9_mount_tag_show() uses '%s' format string to print non-NULL terminated chan->tag string. This leads to out of bounds memory read, because format '%s' implies that string is NULL-terminated. The length of string is know here, so its simpler and safer to use memcpy instead of snprintf(). Signed-off-by: Andrey Ryabinin Signed-off-by: Dominique Martinet Signed-off-by: Eric Van Hensbergen --- net/9p/trans_virtio.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) (limited to 'net') diff --git a/net/9p/trans_virtio.c b/net/9p/trans_virtio.c index 36a1a739ad68..486df019f875 100644 --- a/net/9p/trans_virtio.c +++ b/net/9p/trans_virtio.c @@ -504,7 +504,10 @@ static ssize_t p9_mount_tag_show(struct device *dev, vdev = dev_to_virtio(dev); chan = vdev->priv; - return snprintf(buf, chan->tag_len + 1, "%s", chan->tag); + memcpy(buf, chan->tag, chan->tag_len); + buf[chan->tag_len] = 0; + + return chan->tag_len + 1; } static DEVICE_ATTR(mount_tag, 0444, p9_mount_tag_show, NULL); -- cgit v1.2.3-59-g8ed1b From b99baa43e533eb62a947e623d0ef844cfbf28d8e Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Fri, 9 Jan 2015 13:05:56 +0100 Subject: net/9p: Initialize opts->privport as it should be. We're currently using an uninitialized value if option privport is not set, thus (almost) always using a privileged port. Signed-off-by: Dominique Martinet Signed-off-by: Eric Van Hensbergen --- net/9p/trans_fd.c | 1 + 1 file changed, 1 insertion(+) (limited to 'net') diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index c73b894846c1..154479d2756d 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -734,6 +734,7 @@ static int parse_opts(char *params, struct p9_fd_opts *opts) opts->port = P9_PORT; opts->rfd = ~0; opts->wfd = ~0; + opts->privport = 0; if (!params) return 0; -- cgit v1.2.3-59-g8ed1b From f569d3ef8254d4b3b8daa4f131f9397d48bf296c Mon Sep 17 00:00:00 2001 From: Dominique Martinet Date: Fri, 9 Jan 2015 13:07:00 +0100 Subject: net/9p: add a privport option for RDMA transport. RDMA can use the same kind of weak security as TCP by checking the client can bind to a privileged port, which is better than nothing if TAUTH isn't implemented. Signed-off-by: Dominique Martinet Signed-off-by: Eric Van Hensbergen --- net/9p/trans_rdma.c | 52 ++++++++++++++++++++++++++++++++++++++++++++-------- 1 file changed, 44 insertions(+), 8 deletions(-) (limited to 'net') diff --git a/net/9p/trans_rdma.c b/net/9p/trans_rdma.c index 14ad43b5cf89..3533d2a53ab6 100644 --- a/net/9p/trans_rdma.c +++ b/net/9p/trans_rdma.c @@ -139,6 +139,7 @@ struct p9_rdma_opts { int sq_depth; int rq_depth; long timeout; + int privport; }; /* @@ -146,7 +147,10 @@ struct p9_rdma_opts { */ enum { /* Options that take integer arguments */ - Opt_port, Opt_rq_depth, Opt_sq_depth, Opt_timeout, Opt_err, + Opt_port, Opt_rq_depth, Opt_sq_depth, Opt_timeout, + /* Options that take no argument */ + Opt_privport, + Opt_err, }; static match_table_t tokens = { @@ -154,6 +158,7 @@ static match_table_t tokens = { {Opt_sq_depth, "sq=%u"}, {Opt_rq_depth, "rq=%u"}, {Opt_timeout, "timeout=%u"}, + {Opt_privport, "privport"}, {Opt_err, NULL}, }; @@ -175,6 +180,7 @@ static int parse_opts(char *params, struct p9_rdma_opts *opts) opts->sq_depth = P9_RDMA_SQ_DEPTH; opts->rq_depth = P9_RDMA_RQ_DEPTH; opts->timeout = P9_RDMA_TIMEOUT; + opts->privport = 0; if (!params) return 0; @@ -193,13 +199,13 @@ static int parse_opts(char *params, struct p9_rdma_opts *opts) if (!*p) continue; token = match_token(p, tokens, args); - if (token == Opt_err) - continue; - r = match_int(&args[0], &option); - if (r < 0) { - p9_debug(P9_DEBUG_ERROR, - "integer field, but no integer?\n"); - continue; + if ((token != Opt_err) && (token != Opt_privport)) { + r = match_int(&args[0], &option); + if (r < 0) { + p9_debug(P9_DEBUG_ERROR, + "integer field, but no integer?\n"); + continue; + } } switch (token) { case Opt_port: @@ -214,6 +220,9 @@ static int parse_opts(char *params, struct p9_rdma_opts *opts) case Opt_timeout: opts->timeout = option; break; + case Opt_privport: + opts->privport = 1; + break; default: continue; } @@ -607,6 +616,23 @@ static int rdma_cancelled(struct p9_client *client, struct p9_req_t *req) return 0; } +static int p9_rdma_bind_privport(struct p9_trans_rdma *rdma) +{ + struct sockaddr_in cl = { + .sin_family = AF_INET, + .sin_addr.s_addr = htonl(INADDR_ANY), + }; + int port, err = -EINVAL; + + for (port = P9_DEF_MAX_RESVPORT; port >= P9_DEF_MIN_RESVPORT; port--) { + cl.sin_port = htons((ushort)port); + err = rdma_bind_addr(rdma->cm_id, (struct sockaddr *)&cl); + if (err != -EADDRINUSE) + break; + } + return err; +} + /** * trans_create_rdma - Transport method for creating atransport instance * @client: client instance @@ -642,6 +668,16 @@ rdma_create_trans(struct p9_client *client, const char *addr, char *args) /* Associate the client with the transport */ client->trans = rdma; + /* Bind to a privileged port if we need to */ + if (opts.privport) { + err = p9_rdma_bind_privport(rdma); + if (err < 0) { + pr_err("%s (%d): problem binding to privport: %d\n", + __func__, task_pid_nr(current), -err); + goto error; + } + } + /* Resolve the server's address */ rdma->addr.sin_family = AF_INET; rdma->addr.sin_addr.s_addr = in_aton(addr); -- cgit v1.2.3-59-g8ed1b