nfs: deny backchannel RPCs with an incorrect authflavor instead of dropping them

A drop should really only be done when the frame is malformed or we have reason to think that there is some sort of DoS going on. When we get an RPC with bad auth, we should send back an error instead. Cc: Andy Adamson <William.Adamson@netapp.com> Signed-off-by: Jeff Layton <jeff.layton@primarydata.com> Signed-off-by: Trond Myklebust <trond.myklebust@primarydata.com>
author: Jeff Layton <jlayton@poochiereds.net> 2015-06-04 18:40:13 -0400
committer: Trond Myklebust <trond.myklebust@primarydata.com> 2015-06-11 14:06:34 -0400
commit: 6f02dc88be1d5ecfcc2b708250f4e5d49295326c (patch)
tree: 94e3f486b1133cec11a42e07cc32800c08b1a336 /fs/nfs/callback.c
parent: 5fd23f7e1d74c0fd100ffb0b04dc85727760d9ea (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c
index 8d129bb7355a..682529c00996 100644
--- a/fs/nfs/callback.c
+++ b/fs/nfs/callback.c
@@ -458,7 +458,7 @@ check_gss_callback_principal(struct nfs_client *clp, struct svc_rqst *rqstp)
 * pg_authenticate method for nfsv4 callback threads.
 *
 * The authflavor has been negotiated, so an incorrect flavor is a server
- * bug. Drop packets with incorrect authflavor.
+ * bug. Deny packets with incorrect authflavor.
 *
 * All other checking done after NFS decoding where the nfs_client can be
 * found in nfs4_callback_compound
@@ -468,12 +468,12 @@ static int nfs_callback_authenticate(struct svc_rqst *rqstp)
        switch (rqstp->rq_authop->flavour) {
        case RPC_AUTH_NULL:
                if (rqstp->rq_proc != CB_NULL)
-                        return SVC_DROP;
+                        return SVC_DENIED;
                break;
        case RPC_AUTH_GSS:
                /* No RPC_AUTH_GSS support yet in NFSv4.1 */
                 if (svc_is_backchannel(rqstp))
-                        return SVC_DROP;
+                        return SVC_DENIED;
        }
        return SVC_OK;
 }
author	Jeff Layton <jlayton@poochiereds.net>	2015-06-04 18:40:13 -0400
committer	Trond Myklebust <trond.myklebust@primarydata.com>	2015-06-11 14:06:34 -0400
commit	6f02dc88be1d5ecfcc2b708250f4e5d49295326c (patch)
tree	94e3f486b1133cec11a42e07cc32800c08b1a336 /fs/nfs/callback.c
parent	5fd23f7e1d74c0fd100ffb0b04dc85727760d9ea (diff)

diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c index 8d129bb7355a..682529c00996 100644 --- a/fs/nfs/callback.c +++ b/fs/nfs/callback.c
@@ -458,7 +458,7 @@ check_gss_callback_principal(struct nfs_client clp, struct svc_rqst rqstp)
458	* pg_authenticate method for nfsv4 callback threads.	458	* pg_authenticate method for nfsv4 callback threads.
459	*	459	*
460	* The authflavor has been negotiated, so an incorrect flavor is a server	460	* The authflavor has been negotiated, so an incorrect flavor is a server
461	* bug. Drop packets with incorrect authflavor.	461	* bug. Deny packets with incorrect authflavor.
462	*	462	*
463	* All other checking done after NFS decoding where the nfs_client can be	463	* All other checking done after NFS decoding where the nfs_client can be
464	* found in nfs4_callback_compound	464	* found in nfs4_callback_compound
@@ -468,12 +468,12 @@ static int nfs_callback_authenticate(struct svc_rqst *rqstp)
468	switch (rqstp->rq_authop->flavour) {	468	switch (rqstp->rq_authop->flavour) {
469	case RPC_AUTH_NULL:	469	case RPC_AUTH_NULL:
470	if (rqstp->rq_proc != CB_NULL)	470	if (rqstp->rq_proc != CB_NULL)
471	return SVC_DROP;	471	return SVC_DENIED;
472	break;	472	break;
473	case RPC_AUTH_GSS:	473	case RPC_AUTH_GSS:
474	/* No RPC_AUTH_GSS support yet in NFSv4.1 */	474	/* No RPC_AUTH_GSS support yet in NFSv4.1 */
475	if (svc_is_backchannel(rqstp))	475	if (svc_is_backchannel(rqstp))
476	return SVC_DROP;	476	return SVC_DENIED;
477	}	477	}
478	return SVC_OK;	478	return SVC_OK;
479	}	479	}