changeset 9987:f2e8d2b3f311
6808437 nfs_portmon with NFSv4 needs to be stricter
author | Thomas Haynes <Thomas.Haynes@Sun.COM> |
---|---|
date | Mon, 29 Jun 2009 11:32:01 -0500 |
parents | 4d51e0eb2206 |
children | 4066d8f807e9 |
files | usr/src/uts/common/fs/nfs/nfs_server.c |
diffstat | 1 files changed, 27 insertions(+), 2 deletions(-) [+] |
--- a/usr/src/uts/common/fs/nfs/nfs_server.c Mon Jun 29 06:20:33 2009 -0700
+++ b/usr/src/uts/common/fs/nfs/nfs_server.c Mon Jun 29 11:32:01 2009 -0500
@@ -2009,8 +2009,8 @@
 int anon_res = 0;
 
 /*
- * Check for privileged port number
- * N.B.: this assumes that we know the format of a netbuf.
+ * Check for privileged port number
+ * N.B.: this assumes that we know the format of a netbuf.
 */
 if (nfs_portmon) {
 struct sockaddr *ca;
@@ -2259,6 +2259,31 @@
 cs->access &= ~CS_ACCESS_LIMITED;
 
 /*
+ * Check for privileged port number
+ * N.B.: this assumes that we know the format of a netbuf.
+ */
+ if (nfs_portmon) {
+ struct sockaddr *ca;
+ ca = (struct sockaddr *)svc_getrpccaller(req->rq_xprt)->buf;
+
+ if (ca == NULL)
+ return (0);
+
+ if ((ca->sa_family == AF_INET &&
+ ntohs(((struct sockaddr_in *)ca)->sin_port) >=
+ IPPORT_RESERVED) ||
+ (ca->sa_family == AF_INET6 &&
+ ntohs(((struct sockaddr_in6 *)ca)->sin6_port) >=
+ IPPORT_RESERVED)) {
+ cmn_err(CE_NOTE,
+ "nfs_server: client %s%ssent NFSv4 request from "
+ "unprivileged port",
+ client_name(req), client_addr(req, buf));
+ return (0);
+ }
+ }
+
+ /*
 * Check the access right per auth flavor on the vnode of
 * this export for the given request.
 */
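Review bot: The `cmn_err(CE_NOTE, ...)` in the new rejection branch is emitted once per refused request, and the sender is by definition a client that failed the port check, so any host able to reach the server from a port at or above `IPPORT_RESERVED` can grow the console and system log without limit. Throttling the message, for instance by comparing a static last-logged timestamp against `gethrtime()` so it prints at most once per interval, keeps the stricter check from becoming a log-flooding path. A caller whose `sa_family` is neither `AF_INET` nor `AF_INET6` falls through without any port check; that is presumably intended for loopback transports, but it deserves a comment such as `/* other address families are not port-checked */` so the fail-open case is a visible decision. The block also looks like a copy of the check whose comment the first hunk re-indents near line 2009, so a shared static helper would keep the two from drifting apart. The enclosing function starts and ends outside the hunk, so the declaration of `buf` and the meaning of the `0` return cannot be confirmed from here.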