# HG changeset patch
# User Thomas Haynes
# Date 1246293121 18000
# Node ID f2e8d2b3f31157ef34211b515ab7f68b8d5cd24b
# Parent 4d51e0eb2206f8b73811d2f0d584b1edb8eca817
6808437 nfs_portmon with NFSv4 needs to be stricter
diff -r 4d51e0eb2206 -r f2e8d2b3f311 usr/src/uts/common/fs/nfs/nfs_server.c
--- a/usr/src/uts/common/fs/nfs/nfs_server.c Mon Jun 29 06:20:33 2009 -0700
+++ b/usr/src/uts/common/fs/nfs/nfs_server.c Mon Jun 29 11:32:01 2009 -0500
@@ -2009,8 +2009,8 @@
 int anon_res = 0;
 
 /*
- * Check for privileged port number
- * N.B.: this assumes that we know the format of a netbuf.
+ * Check for privileged port number
+ * N.B.: this assumes that we know the format of a netbuf.
 */
 if (nfs_portmon) {
 struct sockaddr *ca;
@@ -2259,6 +2259,31 @@
 cs->access &= ~CS_ACCESS_LIMITED;
 
 /*
+ * Check for privileged port number
+ * N.B.: this assumes that we know the format of a netbuf.
+ */
+ if (nfs_portmon) {
+ struct sockaddr *ca;
+ ca = (struct sockaddr *)svc_getrpccaller(req->rq_xprt)->buf;
+
+ if (ca == NULL)
+ return (0);
+
+ if ((ca->sa_family == AF_INET &&
+ ntohs(((struct sockaddr_in *)ca)->sin_port) >=
+ IPPORT_RESERVED) ||
+ (ca->sa_family == AF_INET6 &&
+ ntohs(((struct sockaddr_in6 *)ca)->sin6_port) >=
+ IPPORT_RESERVED)) {
+ cmn_err(CE_NOTE,
+ "nfs_server: client %s%ssent NFSv4 request from "
+ "unprivileged port",
+ client_name(req), client_addr(req, buf));
+ return (0);
+ }
+ }
+
+ /*
 * Check the access right per auth flavor on the vnode of
 * this export for the given request.
 */
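Review bot: The added nfs_portmon check in the second hunk fails open for any caller whose `sa_family` is neither `AF_INET` nor `AF_INET6`: such a request skips the port test entirely and continues to the per-flavor access check below. If that is deliberate (presumably for transports that carry no port), record it next to the test with a comment such as `/* other address families have no port to check and are passed through */`; otherwise reject them here. Each rejection also calls `cmn_err(CE_NOTE, ...)` with no throttle, so a remote client on an unprivileged port controls how much is written to the system log; rate-limiting that message would be worth considering. The block appears to be a copy of the existing nfs_portmon check touched by the first hunk, and since this commit exists because the two paths diverged, a shared static helper called from both sites would keep them in step. The enclosing function and the declaration of `buf` passed to `client_addr()` are outside the hunk, so its size and lifetime cannot be confirmed from here.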