From: Rick Macklem Date: Wed, 15 May 2013 01:37:00 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-stable@freebsd.org, svn-src-stable-9@freebsd.org Subject: svn commit: r250652 - stable/9/sys/kgssapi/krb5 X-SVN-Group: stable-9 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-src-stable@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for all the -stable branches of the src tree List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 15 May 2013 01:37:00 -0000 Author: rmacklem Date: Wed May 15 01:36:59 2013 New Revision: 250652 URL: http://svnweb.freebsd.org/changeset/base/250652 Log: MFC: r250157 Isilon reported that sec=krb5p NFS mounts had a problem when m_len == 0 for the last mbuf of the list with an encrypted message. This patch replaces the KASSERT() with code that handles this case. Modified: stable/9/sys/kgssapi/krb5/krb5_mech.c Directory Properties: stable/9/sys/ (props changed) Modified: stable/9/sys/kgssapi/krb5/krb5_mech.c ============================================================================== --- stable/9/sys/kgssapi/krb5/krb5_mech.c Wed May 15 01:22:55 2013 (r250651) +++ stable/9/sys/kgssapi/krb5/krb5_mech.c Wed May 15 01:36:59 2013 (r250652) @@ -1585,6 +1585,8 @@ m_trim(struct mbuf *m, int len) struct mbuf *n; int off; + if (m == NULL) + return; n = m_getptr(m, len, &off); if (n) { n->m_len = off; @@ -1600,7 +1602,7 @@ krb5_unwrap_old(struct krb5_context *kc, uint8_t sgn_alg[2], uint8_t seal_alg[2]) { OM_uint32 res; - struct mbuf *m, *mlast, *hm, *cm; + struct mbuf *m, *mlast, *hm, *cm, *n; uint8_t *p, dir; size_t mlen, tlen, elen, datalen, padlen; size_t cklen; 
@@ -1702,9 +1704,25 @@ krb5_unwrap_old(struct krb5_context *kc, /* * Check the trailing pad bytes. + * RFC1964 specifies between 1<->8 bytes, each with a binary value + * equal to the number of bytes. */ - KASSERT(mlast->m_len > 0, ("Unexpected empty mbuf")); - padlen = mlast->m_data[mlast->m_len - 1]; + if (mlast->m_len > 0) + padlen = mlast->m_data[mlast->m_len - 1]; + else { + n = m_getptr(m, tlen + datalen - 1, &i); + /* + * When the position is exactly equal to the # of data bytes + * in the mbuf list, m_getptr() will return the last mbuf in + * the list and an off == m_len for that mbuf, so that case + * needs to be checked as well as a NULL return. + */ + if (n == NULL || n->m_len == i) + return (GSS_S_DEFECTIVE_TOKEN); + padlen = n->m_data[i]; + } + if (padlen < 1 || padlen > 8 || padlen > tlen + datalen) + return (GSS_S_DEFECTIVE_TOKEN); m_copydata(m, tlen + datalen - padlen, padlen, buf); for (i = 0; i < padlen; i++) { if (buf[i] != padlen) {
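Review bot: the new NULL guard at the top of m_trim() (`if (m == NULL) return;`) has no explanation in either the code or the log message, which only talks about replacing the KASSERT() in the pad check. Please add a one-line comment saying which caller can pass a NULL chain, or mention it in the log, so a later reader can tell whether a NULL here is an expected input or is hiding a caller bug.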
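Review bot: in the else branch of the pad check in krb5_unwrap_old(), the loop counter i is passed as the offset out-parameter (`n = m_getptr(m, tlen + datalen - 1, &i);`), whereas m_trim() just above uses a dedicated `int off` for the same call. The declaration of i is outside this hunk, so please confirm it is an int; a separate off variable would also keep the counter of the following for loop from being overloaded. Separately, tlen + datalen - 1 is size_t arithmetic, and the new bound `padlen > tlen + datalen` is only applied after the lookup, so if the sum can be zero at this point the position wraps before it reaches m_getptr(). Either check that tlen + datalen is non-zero before the lookup or extend the comment to say why it cannot be.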