patch-2.1.126 linux/fs/nfsd/nfsfh.c


diff -u --recursive --new-file v2.1.125/linux/fs/nfsd/nfsfh.c linux/fs/nfsd/nfsfh.c
@@ -493,6 +493,9 @@
 	struct fh_entry *fhe;
 	int i, found = (empty == NULL) ? 1 : 0;
 
+	if (!dentry)
+		goto out;
+
 	fhe = (cache == NFSD_FILE_CACHE) ? &filetable[0] : &dirstable[0];
 	for (i = 0; i < NFSD_MAXFH; i++, fhe++) {
 		if (fhe->dentry == dentry) {
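Review bot: The new `if (!dentry) goto out;` guard returns before the loop, so `*empty` is never written on that path, although the loop (continued in the next hunk, `*empty = fhe;`) is what normally fills it in. Callers are not visible here, so this may be harmless, but any caller that passes a NULL dentry together with a non-NULL `empty` would go on to use whatever its pointer held before the call. I would either set `if (empty) *empty = NULL;` ahead of the guard or document the contract above the function with a comment such as `/* A NULL dentry never matches; *empty is left untouched in that case. */`. The guard itself looks right, since without it a NULL key would match the first unused table slot through `fhe->dentry == dentry`. find_fhe begins outside this hunk.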
@@ -504,6 +507,7 @@
 			*empty = fhe;
 		}
 	}
+out:
 	return NULL;
 }
 
@@ -756,8 +760,12 @@
 
 	fhe = find_fhe(fh->fh_dcookie, NFSD_FILE_CACHE, NULL);
 	if (fhe) {
-		struct dentry *parent, *dentry = fhe->dentry;
-		struct inode *inode = dentry->d_inode;
+		struct dentry *parent, *dentry;
+		struct inode *inode;
+
+		dentry = fhe->dentry;
+		inode = dentry->d_inode;
+
 		if (!inode) {
 #ifdef NFSD_PARANOIA
 printk("find_dentry_in_fhcache: %s/%s has no inode!\n",
@@ -1019,7 +1027,7 @@
 	dprintk("nfsd: fh_verify(exp %x/%u cookie %p)\n",
 		fh->fh_xdev, fh->fh_xino, fh->fh_dcookie);
 
-	if(fhp->fh_dverified)
+	if (fhp->fh_dverified)
 		goto check_type;
 	/*
 	 * Look up the export entry.
@@ -1051,11 +1059,37 @@
 	dentry = find_fh_dentry(fh);
 	if (!dentry)
 		goto out;
+
+	/*
+	 * Security: Check that the export is valid for dentry <gam3@acm.org>
+	 */
+	if (fh->fh_dev != fh->fh_xdev) {
+		printk("fh_verify: Security: export on other device"
+		       " (%d, %d).\n", fh->fh_dev, fh->fh_xdev);
+		goto out;
+	} else {
+		struct dentry *tdentry = dentry;
+
+		do {
+			if (exp->ex_dentry == tdentry) {
+				error = 0;
+				break;
+			}
+			if (tdentry->d_parent == tdentry)
+				break;
+		} while ((tdentry = tdentry->d_parent));
+		if (error) {
+			printk("fh_verify: Security: %s/%s bad export.\n",
+			       dentry->d_parent->d_name.name,
+			       dentry->d_name.name);
+			goto out;
+		}
+	}
 	/*
 	 * Note:  it's possible the returned dentry won't be the one in the
-         * file handle.  We can correct the file handle for our use, but
-         * unfortunately the client will keep sending the broken one.  Let's
-         * hope the lookup will keep patching things up.
+	 * file handle.  We can correct the file handle for our use, but
+	 * unfortunately the client will keep sending the broken one.  Let's
+	 * hope the lookup will keep patching things up.
 	 */
 	fhp->fh_dentry = dentry;
 	fhp->fh_export = exp;
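Review bot: The export containment check rejects the handle only if `error` is still nonzero when the `do` loop ends, yet nothing in this hunk sets it: the loop only clears it with `error = 0`, and the `goto out` on device mismatch likewise returns whatever value `error` already holds. That value presumably comes from an assignment earlier in fh_verify, outside this hunk, so a later change there could silently turn the check into a pass. It would be safer to assign the failure status immediately before the `if (fh->fh_dev != fh->fh_xdev)` test (for example `error = nfserr_stale;`, if that is the intended code) or to track the match in a local flag. Note also that `fh_dev` and `fh_xdev` both appear to be fields of the client-supplied handle, so the ancestor walk against `exp->ex_dentry` is the part that really enforces the export boundary. Separately, both `printk` calls fire on client-controlled input with no log level or rate limit, so a misbehaving client can fill the kernel log; `dprintk`, as used at the top of the function, or a bounded counter would avoid that.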
