From patchwork Tue May 22 20:03:49 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Olga Kornievskaia X-Patchwork-Id: 10419551 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 803F76032A for ; Tue, 22 May 2018 20:03:53 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 6F59A29030 for ; Tue, 22 May 2018 20:03:53 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 62ABC2906D; Tue, 22 May 2018 20:03:53 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-7.8 required=2.0 tests=BAYES_00,DKIM_SIGNED, MAILING_LIST_MULTI, RCVD_IN_DNSWL_HI, T_DKIM_INVALID autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id B24C329030 for ; Tue, 22 May 2018 20:03:52 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751593AbeEVUDv (ORCPT ); Tue, 22 May 2018 16:03:51 -0400 Received: from mail-ua0-f171.google.com ([209.85.217.171]:38912 "EHLO mail-ua0-f171.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751528AbeEVUDu (ORCPT ); Tue, 22 May 2018 16:03:50 -0400 Received: by mail-ua0-f171.google.com with SMTP id v17-v6so13191501uak.6 for ; Tue, 22 May 2018 13:03:50 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:from:date:message-id:subject:to; bh=U308Bxumti1SZO42v0a/g0cLWk6CgY3NdoHrKZ4p34Y=; b=aQ3sf8dW/ylfVUHgnMLjyRpv2Rm5hTLDjxK6DljLBVTWJZB4WMWRyIxlYQvIHcl7xZ UbTVBjfuoPgQQid1asA83TKu/DqC/1lFABUXfqo5MK2q33Vq/3bHCP5v4DC6rY/K5qsZ iJvh49as1MLDMN4r2T415ziWLpgdxMfE5er7ulD9M9QCdjXkkpVzm8U9SLSwVrizVq0q GDkrgcC/s1KPQ//1POMmxJRVj7w6z8qnVDeMTSQL6UcXEazriAs/pK2+A5HLbxkIgVYT ftCw+Fa08YYuF8LjC0kbBtHNf3S7J5CLQ8KJ8tuQQ93PYNFvD5BTHpsnX7IJ8x8o+H8P BOkw== DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=umich.edu; s=google-2016-06-03; h=mime-version:sender:from:date:message-id:subject:to; bh=U308Bxumti1SZO42v0a/g0cLWk6CgY3NdoHrKZ4p34Y=; b=B9Ht5iPTtUFsHqAqHtAb5BW1pJ+osGfVwibZmXCWZLYoGd4/bSvo5JAVK6to2X0Fn2 hH0Koyfc2LLqVlmeOgiAe3twGMK5KtFmXqhktbiZN5OnKyr1TxuoISo1Q2JBu9skJ5Mx iUaFP5zYXCy2rGMoUvjo1tkpxUKdT6I9wKqgkbAddigzhJJ10sSn0ZXA6FOL25d+i9VT sDG/ReZW+U8rxh6ATrpzRRaGsew6p6hrInn6fN7T4eqvYNx1Vv+aLhCOJ75+fy/xEozY fkBhJxepRLNp2xVqKp43lzf2Dxu+kscN9aoH33jpwljN4Z2BW4dLHM4t1A8T+TrkTZ3p URUg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:from:date:message-id:subject :to; bh=U308Bxumti1SZO42v0a/g0cLWk6CgY3NdoHrKZ4p34Y=; b=nIh07MvEZzyTkmWUAFCLzbt535IbZrUuEvvKyaNSTVn37kjije53a62lzX1E1tT9gL yDz7At8O1HyKEScZ6mScCUd7H4BIrac6oC1oU7IirlkVYyhMNGYYpzHa8HSCEJyTNDAb A3flT+S98tjAYuAbBoMDf1JA52EzbXTPtWSSahEqsBJiP2pIDo7tEQ0SHeYGme1VMNVN sIri7K/yQleKhGf0TiizIAOdU8hiNuR+2vqiFMTn/bLjPz+M374D3r/VF2uZCSMyrIFJ LMHjlg9NMqdJ4xT1BzOeiEjih27xvLo2DY5cX+xKiPbqrhoOb3eYmYjNWYCu7KlZ3idm NhrA== X-Gm-Message-State: ALKqPwcAh4+aQTngKdfJPvGEJpAMOio3qsq89Z5c/hwRTC3WQ0TeRWzk r1UlmIzAcoP8l/y1xcZEHtSVaXNqwhlzTVzBuoWFNg== X-Google-Smtp-Source: AB8JxZofd1djYblkc7I+tRex7m+WbXvxU9/Dr0ehdM57oBJcqvxdr4F89IscxekAuoSzTW0BoH8/ES08wXQX8H/yOjo= X-Received: by 2002:ab0:16c9:: with SMTP id g9-v6mr18748165uaf.45.1527019429840; Tue, 22 May 2018 13:03:49 -0700 (PDT) MIME-Version: 1.0 Received: by 2002:a67:cf49:0:0:0:0:0 with HTTP; Tue, 22 May 2018 13:03:49 -0700 (PDT) From: Olga Kornievskaia Date: Tue, 22 May 2018 16:03:49 -0400 X-Google-Sender-Auth: 3bxvhJJFhXhctW-n2xq_uRk1PvQ Message-ID: Subject: [RFC] protect against denial-of-service on a 4.0 mount To: linux-nfs Sender: linux-nfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-nfs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP I'm looking for comments on the approach to deal with the following denial-of-service issue. Currently, during the nfs4.0 mount, the code takes the content supplied by the user in the mount command for "clientaddr" and that becomes part of the content of the SETCLIENTID client id. There are no verifications that the supplied address belongs to the client initiating the mount. A denial of services comes from where there are 2 clients with IP A and IP B (bad one). Client IP A mounts and has "IP A" in the SETCLIENTID. Client IP B does a mount and specified "clientaddr=IP A". This causes the server to invalidate the lease for the legitimate client IP A. My suggested approach to fixing it, is to have nfs-utils do a sanity checking that will check if the clientaddr that's suppose matches the IP of the machine. Then currently, if it doesn't then it will ignore the supplied value and use the IP of the machine. Whether this is desirable vs say failing the mount and forcing the user to specify the correct value is up for debate. Also, I'm not sure if the check for the value of clientaddr should be done in the kernel itself instead of the nfs-utils. Below is the rough fix to the nfs-utils. Please comment. } --- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/utils/mount/stropts.c b/utils/mount/stropts.c index 1217823..982927e 100644 --- a/utils/mount/stropts.c +++ b/utils/mount/stropts.c @@ -242,11 +242,21 @@ static int nfs_append_clientaddr_option(const struct sockaddr *sap, struct sockaddr *my_addr = &address.sa; socklen_t my_len = sizeof(address); - if (po_contains(options, "clientaddr") == PO_FOUND) - return 1; - nfs_callback_address(sap, salen, my_addr, &my_len); + if (po_contains(options, "clientaddr") == PO_FOUND) { + char *addr = po_get(options, "clientaddr"); + char address[NI_MAXHOST]; + + if (!nfs_present_sockaddr(my_addr, my_len, address, + sizeof(address))) + goto out; + + if (strcmp(addr, address)) + goto out; + return 1; + } +out: return nfs_append_generic_address_option(my_addr, my_len, "clientaddr", options);