[PATCH] svcauth_gss oops fix

From: "J. Bruce Fields" <bfields@fieldses.org>

I've done some testing with 2.6.4-rc1.  It looks fine, except that one
critical patch got dropped somewhere along the way, without which
rpcsec_gss will oops.

We've changed gss_get_mic to write mic in place instead of kmalloc'ing new
memory for it; change must also be reflected in server side code.

diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c
index 5efabc568edf476a287deba8690cae0f01930394..a7c96554e552df9f14c89f1f38402395abeda5a5 100644 (file)
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -594,12 +594,13 @@ gss_write_verf(struct svc_rqst *rqstp, struct gss_ctx *ctx_id, u32 seq)
        iov.iov_len = sizeof(xdr_seq);
        xdr_buf_from_iov(&iov, &verf_data);
        p = rqstp->rq_res.head->iov_base + rqstp->rq_res.head->iov_len;
+       mic.data = (u8 *)(p + 1);
        maj_stat = gss_get_mic(ctx_id, 0, &verf_data, &mic);
        if (maj_stat != GSS_S_COMPLETE)
                return -1;
-       p = xdr_encode_netobj(rqstp->rq_res.head->iov_base
-                               + rqstp->rq_res.head->iov_len, &mic);
-       kfree(mic.data);
+       *p++ = htonl(mic.len);
+       memset((u8 *)p + mic.len, 0, round_up_to_quad(mic.len) - mic.len);
+       p += XDR_QUADLEN(mic.len);
        if (!xdr_ressize_check(rqstp, p))
                return -1;
        return 0;