xref: /freebsd/sys/rpc/authunix_prot.c (revision df21a004be237a1dccd03c7b47254625eea62fa9) 
1 /*	$NetBSD: authunix_prot.c,v 1.12 2000/01/22 22:19:17 mycroft Exp $	*/
2 
3 /*-
4  * SPDX-License-Identifier: BSD-3-Clause
5  *
6  * Copyright (c) 2009, Sun Microsystems, Inc.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions are met:
11  * - Redistributions of source code must retain the above copyright notice,
12  *   this list of conditions and the following disclaimer.
13  * - Redistributions in binary form must reproduce the above copyright notice,
14  *   this list of conditions and the following disclaimer in the documentation
15  *   and/or other materials provided with the distribution.
16  * - Neither the name of Sun Microsystems, Inc. nor the names of its
17  *   contributors may be used to endorse or promote products derived
18  *   from this software without specific prior written permission.
19  *
20  * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
21  * AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
23  * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE
24  * LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
25  * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
26  * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
27  * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
28  * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
29  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
30  * POSSIBILITY OF SUCH DAMAGE.
31  */
32 
33 /*
34  * authunix_prot.c
35  * XDR for UNIX style authentication parameters for RPC
36  *
37  * Copyright (C) 1984, Sun Microsystems, Inc.
38  */
39 
40 #include <sys/param.h>
41 #include <sys/jail.h>
42 #include <sys/libkern.h>
43 #include <sys/ucred.h>
44 
45 #include <rpc/types.h>
46 #include <rpc/xdr.h>
47 #include <rpc/auth.h>
48 
49 #include <rpc/rpc_com.h>
50 
51 /*
52  * XDR for unix authentication parameters.
53  */
54 bool_t
55 xdr_authunix_parms(XDR *xdrs, uint32_t *time, struct xucred *cred)
56 {
57 	uint32_t namelen;
58 	uint32_t supp_ngroups, i;
59 	uint32_t junk;
60 	char hostbuf[MAXHOSTNAMELEN];
61 
62 	if (xdrs->x_op == XDR_FREE)
63 		/* This function does not allocate auxiliary memory. */
64 		return (TRUE);
65 
66 	if (xdrs->x_op == XDR_ENCODE) {
67 		getcredhostname(NULL, hostbuf, sizeof(hostbuf));
68 		namelen = strlen(hostbuf);
69 		if (namelen > AUTH_SYS_MAX_HOSTNAME)
70 			namelen = AUTH_SYS_MAX_HOSTNAME;
71 	} else
72 		namelen = 0;
73 
74 	if (!xdr_uint32_t(xdrs, time) || !xdr_uint32_t(xdrs, &namelen))
75 		return (FALSE);
76 
77 	/*
78 	 * Ignore the hostname on decode.
79 	 */
80 	if (xdrs->x_op == XDR_ENCODE) {
81 		if (!xdr_opaque(xdrs, hostbuf, namelen))
82 			return (FALSE);
83 	} else {
84 		if (namelen > AUTH_SYS_MAX_HOSTNAME)
85 			return (FALSE);
86 		xdr_setpos(xdrs, xdr_getpos(xdrs) + RNDUP(namelen));
87 	}
88 
89 	if (!xdr_uint32_t(xdrs, &cred->cr_uid))
90 		return (FALSE);
91 
92 	/*
93 	 * Safety check: The protocol needs at least one group (access to
94 	 * 'cr_gid', decrementation of 'cr_ngroups' below).
95 	 */
96 	if (xdrs->x_op == XDR_ENCODE && cred->cr_ngroups == 0)
97 		return (FALSE);
98 	if (!xdr_uint32_t(xdrs, &cred->cr_gid))
99 		return (FALSE);
100 
101 	if (xdrs->x_op == XDR_ENCODE) {
102 		/*
103 		 * Note that this is a 'struct xucred', which still has the
104 		 * historical layout where the effective GID is in cr_groups[0]
105 		 * and is accounted in 'cr_ngroups'.  We substract 1 to obtain
106 		 * the number of "supplementary" groups, passed in the AUTH_SYS
107 		 * credentials variable-length array called gids[] in RFC 5531.
108 		 */
109 		MPASS(cred->cr_ngroups <= XU_NGROUPS);
110 		supp_ngroups = cred->cr_ngroups - 1;
111 		if (supp_ngroups > AUTH_SYS_MAX_GROUPS)
112 			/* With current values, this should never execute. */
113 			supp_ngroups = AUTH_SYS_MAX_GROUPS;
114 	}
115 
116 	if (!xdr_uint32_t(xdrs, &supp_ngroups))
117 		return (FALSE);
118 
119 	/*
120 	 * Because we cannot store more than XU_NGROUPS in total (16 at time of
121 	 * this writing), for now we choose to be strict with respect to RFC
122 	 * 5531's maximum number of supplementary groups (AUTH_SYS_MAX_GROUPS).
123 	 * That would also be an accidental DoS prevention measure if the
124 	 * request handling code didn't try to reassemble it in full without any
125 	 * size limits.  Although AUTH_SYS_MAX_GROUPS and XU_NGROUPS are equal,
126 	 * since the latter includes the "effective" GID, we cannot store the
127 	 * last group of a message with exactly AUTH_SYS_MAX_GROUPS
128 	 * supplementary groups.  We accept such messages so as not to violate
129 	 * the protocol, silently dropping the last group on the floor.
130 	 */
131 
132 	if (xdrs->x_op != XDR_ENCODE && supp_ngroups > AUTH_SYS_MAX_GROUPS)
133 		return (FALSE);
134 
135 	junk = 0;
136 	for (i = 0; i < supp_ngroups; ++i)
137 		if (!xdr_uint32_t(xdrs, i < XU_NGROUPS - 1 ?
138 		    &cred->cr_sgroups[i] : &junk))
139 			return (FALSE);
140 
141 	if (xdrs->x_op != XDR_ENCODE)
142 		cred->cr_ngroups = MIN(supp_ngroups + 1, XU_NGROUPS);
143 
144 	return (TRUE);
145 }
146