[torquedev] req_getcred() should match connections on client IP, not just port number

Sergio Gelato Sergio.Gelato at astro.su.se
Sun Feb 25 16:39:50 MST 2007


It occurred to me that pbs_server's req_getcred() only looks at the
client-side port number when looking for the connection to be authenticated
by AuthenUser. This is not 100% reliable, as different clients may
happen to use the same port number (on different IP addresses) at the
same time, resulting in sporadic failures. (There may be security
implications as well.)

The attached patch takes care of this from the server's point of view.
One may also need a corresponding patch to pbs_iff to guarantee that
it will use the same IP address as the connection being authenticated.
(This is only a concern if the client has more than one IP address as
seen from the server.)
-------------- next part --------------
#! /bin/sh /usr/share/dpatch/dpatch-run
## 01_req_getcred.dpatch by Sergio Gelato <Sergio.Gelato at astro.su.se>
##
## All lines beginning with `## DP:' are a description of the patch.
## DP: Match connections by IP address, not just by port number, when
## DP: authenticating. Helps avoid failures when two clients connect
## DP: from the same port number. Needs a corresponding change to pbs_iff.

@DPATCH@
diff -urNad torque-2.1.6/src/server/req_getcred.c /tmp/dpep.PkJT2O/torque-2.1.6/src/server/req_getcred.c
--- torque-2.1.6/src/server/req_getcred.c	2006-07-31 22:11:54.000000000 +0200
+++ /tmp/dpep.PkJT2O/torque-2.1.6/src/server/req_getcred.c	2007-02-15 12:51:24.872857730 +0100
@@ -86,6 +86,7 @@
  */
 #include <pbs_config.h>   /* the master config generated by configure */
 
+#include <assert.h>
 #include <sys/types.h>
 #include "libpbs.h"
 #include "server_limits.h"
@@ -147,6 +148,9 @@
   {
   int s;
 
+  int cs = preq->rq_conn;
+  assert(cs >= 0 && cs < PBS_NET_MAX_CONNECTIONS);
+
   /*
    * find the socket whose client side is bound to the port named 
    * in the request
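Review bot: assert() is the wrong tool for validating `cs`, an index taken from the request structure, inside a long-running daemon: on failure it aborts pbs_server outright, and under NDEBUG it compiles away entirely, leaving `svr_conn[cs]` in the loop below indexed without any check. Prefer an ordinary range test that rejects the request and returns. The comment `find the socket whose client side is bound to the port named in the request` should also be updated, since the match now requires the client address as well as the port.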
@@ -154,7 +158,8 @@
 
   for (s = 0;s < PBS_NET_MAX_CONNECTIONS;++s) 
     {
-    if (preq->rq_ind.rq_authen.rq_port != svr_conn[s].cn_port) 
+    if (preq->rq_ind.rq_authen.rq_port != svr_conn[s].cn_port
+	|| svr_conn[cs].cn_addr != svr_conn[s].cn_addr) 
       {
       continue;
       }
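Review bot: the continuation line `|| svr_conn[cs].cn_addr != svr_conn[s].cn_addr` is indented with a tab while the surrounding lines use spaces; align it under the opening `if (` with spaces. The added test assumes cn_addr is stored the same way (same type and byte order) for the connection the request arrived on and for the connection being looked up; a short comment stating that assumption would help the next reader. As the DP header says, a multi-homed client whose pbs_iff connects from a different source address than the client connection will now fail to authenticate until pbs_iff is changed to match.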


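As an added illustration of the collision described in the message (not code from the post or from TORQUE's source): a constructed connection table in which two hosts happen to share a client port, with a port-only lookup beside one keyed on the requesting connection's address and port. `table`, `MAX_CONNS`, `find_by_port` and `find_by_addr_port` are stand-in names, not TORQUE identifiers.

```c
/* Added example (not TORQUE code): why matching an AuthenUser request
 * by client port alone is ambiguous, and a lookup keyed on (address, port).
 * The connection table and its entries are constructed sample data. */
#include <stdint.h>

#define MAX_CONNS 8                 /* stands in for PBS_NET_MAX_CONNECTIONS */

struct conn {
    int      in_use;
    uint32_t addr;                  /* client IPv4 address, host byte order */
    uint16_t port;                  /* client-side source port */
};

/* Constructed table: slots 1 and 3 are two different hosts that happen to
 * use source port 1023 at the same time; slot 2 is pbs_iff from host B. */
static struct conn table[MAX_CONNS] = {
    {0, 0, 0},
    {1, 0x0A000001u /* 10.0.0.1, host A */, 1023},
    {1, 0x0A000002u /* 10.0.0.2, host B */, 1022},  /* pbs_iff connection */
    {1, 0x0A000002u /* 10.0.0.2, host B */, 1023},
};

/* Port-only lookup, as the unpatched req_getcred() does: returns the
 * first in-use slot with that port, whichever host it belongs to. */
int find_by_port(uint16_t port)
{
    for (int s = 0; s < MAX_CONNS; ++s)
        if (table[s].in_use && table[s].port == port)
            return s;
    return -1;
}

/* Patched behaviour: the socket to authenticate must share the client
 * address of the connection the request arrived on (cs). The index is
 * validated with an ordinary check rather than assert(), so a bad index
 * rejects the request instead of aborting the server. */
int find_by_addr_port(int cs, uint16_t port)
{
    if (cs < 0 || cs >= MAX_CONNS || !table[cs].in_use)
        return -1;
    for (int s = 0; s < MAX_CONNS; ++s)
        if (table[s].in_use && table[s].port == port &&
            table[s].addr == table[cs].addr)
            return s;
    return -1;
}
```

With host B's pbs_iff request arriving on slot 2, the port-only lookup hands back host A's socket (slot 1), while the address-and-port lookup finds host B's own connection (slot 3).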