From: Mark Vitale
Date: Thu, 23 May 2019 02:50:00 +0000 (-0400)
Subject: auth: make PGetTokens2 work with 3-char cellnames
X-Git-Tag: debian/1.8.4_pre1-1~9^2^2~5
X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=bb886044d8d2b309ed5d0bd6f3d0c7c71909d6c8;p=packages%2Fo%2Fopenafs.git

auth: make PGetTokens2 work with 3-char cellnames

PGetTokens2 accepts two different types of input:
- an integer 'iterator' to request the nth token set for a user
- a string cellname to request the user's token set for that cell

Unfortunately, it distinguishes between these by assuming if the input length is sizeof(afs_int32) (4 bytes), it must be an integer. This assumption is incorrect if the cellname is three (3) characters long plus a nul terminator. The result is that the cellname string is interpreted as a very large "n"; the subsequent search for the user's "very-large-nth-token" fails, making it appear that the user has no valid token for this cell.

Improve on this heuristic by double-checking any putative integer input. If it is actually a 3-character string, then process the input as a cellname instead.

Introduced by commit 5ec5ad5dcca84e99e5f55987cc4f787cd482fdde 'New GetToken pioctl'.

While here, add doxygen comments.

Reviewed-on: https://gerrit.openafs.org/13599
Reviewed-by: Michael Meffie
Tested-by: BuildBot
Reviewed-by: Cheyenne Wills
Reviewed-by: Benjamin Kaduk
Reviewed-by: Andrew Deason
(cherry picked from commit b0278994826f6bd1dfebc39f26282b8fbdadf1a0)

Change-Id: Ib64749d65f03fc564b1d987b426832442be8d5bd
Reviewed-on: https://gerrit.openafs.org/13679
Reviewed-by: Michael Meffie
Reviewed-by: Andrew Deason
Tested-by: BuildBot
Reviewed-by: Stephan Wiesand
---

diff --git a/src/afs/afs_pioctl.c b/src/afs/afs_pioctl.c index 8af2749ae..b114a1edb 100644 --- a/src/afs/afs_pioctl.c +++ b/src/afs/afs_pioctl.c 
@@ -5442,6 +5442,26 @@ out: return code; } +/*! + * VIOC_GETTOK2 (7) - Return a user's nth token, or token for a cell by + * name. + * + * \ingroup pioctl + * + * \param[in] ain EITHER a string cellname + * OR an integer 'iterator' to specify the nth + * token. + * + * \param[out] aout XDR-encoded tokens from the user's tokenJar + * + * \retval EINVAL invalid input (bad integer, or invalid string) + * unable to extract token(s) + * \retval ENOMEM insufficient memory (returned from called routines) + * \retval EDOM (integer) request was out of bounds or the user has no tokens + * \retval ENOTCONN user found but has no valid token(s) + * \retval E2BIG token(s) do not fit in the output buffer + * + */ DECL_PIOCTL(PGetTokens2) { struct cell *cell = NULL; @@ -5450,6 +5470,7 @@ DECL_PIOCTL(PGetTokens2) char *cellName = NULL; afs_int32 cellNum; int code = 0; + int integer_in = 1; /* assume integer input */ time_t now; XDR xdrs; struct ktc_setTokenData tokenSet; @@ -5461,11 +5482,23 @@ DECL_PIOCTL(PGetTokens2) memset(&tokenSet, 0, sizeof(tokenSet)); /* No input data - return tokens for primary cell */ - /* 4 octets of data is an iterator count */ + /* 4 octets of data is PROBABLY an iterator count */ /* Otherwise, treat as string & return tokens for that cell name */ if (afs_pd_remaining(ain) == sizeof(afs_int32)) { - /* Integer iterator - return tokens for the n'th cell found for user */ + char *scratch = afs_pd_where(ain); + + if (scratch[3] == '\0' && strlen(scratch) == 3) + integer_in = 0; + } else { + integer_in = 0; + } + + if (integer_in) { + /* The misleadingly-named getNthCell actually return the nth valid + * token found for the specified user; there can never be a gap + * in the ordinals at this level. + */ if (afs_pd_getInt(ain, &iterator) != 0) return EINVAL; tu = getNthCell(areq->uid, iterator);
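
Review bot: In the doxygen block added above DECL_PIOCTL(PGetTokens2), the \param[in] ain text lists only two input forms, but the comment kept in the function body still reads "No input data - return tokens for primary cell", so the empty-input case is undocumented. Suggest adding it to \param[in] ain, and stating there that a 4-byte input is taken as the iterator unless it is a 3-character NUL-terminated string, since that rule is what a caller of this pioctl needs to know.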
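
Review bot: In the last hunk, the test `scratch[3] == '\0' && strlen(scratch) == 3` also matches a genuine 4-byte iterator whose first three bytes are non-zero and whose fourth byte is zero, so such an integer is now silently handled as a cellname. The commit message presents this as an improved heuristic, so that may be acceptable, but the "PROBABLY an iterator count" comment should say which integer inputs are given up. It is also worth a short comment that the order of the two conditions matters: testing scratch[3] first is what keeps strlen within the 4 bytes reported by afs_pd_remaining(ain). Minor: in the new comment, "actually return the nth valid token" should read "returns".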