From 69aa4ba12b52a30a0ece6e0a2db343b4f3f1a859 Mon Sep 17 00:00:00 2001 From: rmacklem Date: Wed, 1 May 2013 22:07:55 +0000 Subject: Isilon reported that sec=krb5p NFS mounts had a problem when m_len == 0 for the last mbuf of the list with an encrypted message. This patch replaces the KASSERT() with code that handles this case. Reported by: john.gemignani@isilon.com Reviewed by: jhb MFC after: 2 weeks --- sys/kgssapi/krb5/krb5_mech.c | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) (limited to 'sys/kgssapi') diff --git a/sys/kgssapi/krb5/krb5_mech.c b/sys/kgssapi/krb5/krb5_mech.c index 71f804e..4cfea58 100644 --- a/sys/kgssapi/krb5/krb5_mech.c +++ b/sys/kgssapi/krb5/krb5_mech.c @@ -1585,6 +1585,8 @@ m_trim(struct mbuf *m, int len) struct mbuf *n; int off; + if (m == NULL) + return; n = m_getptr(m, len, &off); if (n) { n->m_len = off; @@ -1600,7 +1602,7 @@ krb5_unwrap_old(struct krb5_context *kc, struct mbuf **mp, int *conf_state, uint8_t sgn_alg[2], uint8_t seal_alg[2]) { OM_uint32 res; - struct mbuf *m, *mlast, *hm, *cm; + struct mbuf *m, *mlast, *hm, *cm, *n; uint8_t *p, dir; size_t mlen, tlen, elen, datalen, padlen; size_t cklen; @@ -1702,9 +1704,25 @@ krb5_unwrap_old(struct krb5_context *kc, struct mbuf **mp, int *conf_state, /* * Check the trailing pad bytes. + * RFC1964 specifies between 1<->8 bytes, each with a binary value + * equal to the number of bytes. */ - KASSERT(mlast->m_len > 0, ("Unexpected empty mbuf")); - padlen = mlast->m_data[mlast->m_len - 1]; + if (mlast->m_len > 0) + padlen = mlast->m_data[mlast->m_len - 1]; + else { + n = m_getptr(m, tlen + datalen - 1, &i); + /* + * When the position is exactly equal to the # of data bytes + * in the mbuf list, m_getptr() will return the last mbuf in + * the list and an off == m_len for that mbuf, so that case + * needs to be checked as well as a NULL return. + */ + if (n == NULL || n->m_len == i) + return (GSS_S_DEFECTIVE_TOKEN); + padlen = n->m_data[i]; + } + if (padlen < 1 || padlen > 8 || padlen > tlen + datalen) + return (GSS_S_DEFECTIVE_TOKEN); m_copydata(m, tlen + datalen - padlen, padlen, buf); for (i = 0; i < padlen; i++) { if (buf[i] != padlen) { -- cgit v1.1