1 files changed, 399 insertions, 0 deletions
diff --git a/utils/statd/monitor.c b/utils/statd/monitor.c
new file mode 100644
index 0000000..c76589c
--- /dev/null
+++ b/utils/statd/monitor.c
@@ -0,0 +1,399 @@
+/*
+ * Copyright (C) 1995-1999 Jeffrey A. Uphoff
+ * Major rewrite by Olaf Kirch, Dec. 1996.
+ * Modified by H.J. Lu, 1998.
+ * Tighter access control, Olaf Kirch June 1999.
+ *
+ * NSM for Linux.
+ */
+
+#ifdef HAVE_CONFIG_H
+#include <config.h>
+#endif
+
+#include <fcntl.h>
+#include <limits.h>
+#include <netdb.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/stat.h>
+#include <errno.h>
+#include <arpa/inet.h>
+#include <dirent.h>
+
+#include "sockaddr.h"
+#include "rpcmisc.h"
+#include "nsm.h"
+#include "statd.h"
+#include "notlist.h"
+#include "ha-callout.h"
+
+notify_list *		rtnl = NULL;	/* Run-time notify list. */
+
+/*
+ * Reject requests from non-loopback addresses in order
+ * to prevent attack described in CERT CA-99.05.
+ *
+ * Although the kernel contacts the statd service via only IPv4
+ * transports, the statd service can receive other requests, such
+ * as SM_NOTIFY, from remote peers via IPv6.
+ */
+static _Bool
+caller_is_localhost(struct svc_req *rqstp)
+{
+	struct sockaddr *sap = nfs_getrpccaller(rqstp->rq_xprt);
+	char buf[INET6_ADDRSTRLEN];
+
+	if (!nfs_is_v4_loopback(sap))
+		goto out_nonlocal;
+	return true;
+
+out_nonlocal:
+	if (!statd_present_address(sap, buf, sizeof(buf)))
+		buf[0] = '\0';
+	xlog_warn("SM_MON/SM_UNMON call from non-local host %s", buf);
+	return false;
+}
+
+/*
+ * Services SM_MON requests.
+ */
+struct sm_stat_res *
+sm_mon_1_svc(struct mon *argp, struct svc_req *rqstp)
+{
+	static sm_stat_res result;
+	char		*mon_name = argp->mon_id.mon_name,
+			*my_name  = argp->mon_id.my_id.my_name;
+	struct my_id	*id = &argp->mon_id.my_id;
+	char		*cp;
+	notify_list	*clnt = NULL;
+	struct sockaddr_in my_addr = {
+		.sin_family		= AF_INET,
+		.sin_addr.s_addr	= htonl(INADDR_LOOPBACK),
+	};
+	char *dnsname = NULL;
+	int existing = 0;
+
+	xlog(D_CALL, "Received SM_MON for %s from %s", mon_name, my_name);
+
+	/* Assume that we'll fail. */
+	result.res_stat = STAT_FAIL;
+	result.state = -1;	/* State is undefined for STAT_FAIL. */
+
+	/* 1.	Reject any remote callers.
+	 *	Ignore the my_name specified by the caller, and
+	 *	use "127.0.0.1" instead.
+	 */
+	if (!caller_is_localhost(rqstp))
+		goto failure;
+
+	/* 2.	Reject any registrations for non-lockd services.
+	 *
+	 *	This is specific to the linux kernel lockd, which
+	 *	makes the callback procedure part of the lockd interface.
+	 *	It is also prone to break when lockd changes its callback
+	 *	procedure number -- which, in fact, has now happened once.
+	 *	There must be a better way....   XXX FIXME
+	 */
+	if (id->my_prog != 100021 ||
+	    (id->my_proc != 16 && id->my_proc != 24))
+	{
+		xlog_warn("Attempt to register callback to %d/%d",
+			id->my_prog, id->my_proc);
+		goto failure;
+	}
+
+	/*
+	 * Check hostnames.  If I can't look them up, I won't monitor.  This
+	 * might not be legal, but it adds a little bit of safety and sanity.
+	 */
+
+	/* must check for /'s in hostname!  See CERT's CA-96.09 for details. */
+	if (strchr(mon_name, '/') || mon_name[0] == '.') {
+		xlog(L_ERROR, "SM_MON request for hostname containing '/' "
+		     "or starting '.': %s", mon_name);
+		xlog(L_ERROR, "POSSIBLE SPOOF/ATTACK ATTEMPT!");
+		goto failure;
+	}
+
+	/* my_name must not have white space */
+	for (cp=my_name ; *cp ; cp++)
+		if (*cp == ' ' || *cp == '\t' || *cp == '\r' || *cp == '\n')
+			*cp = '_';
+
+	/*
+	 * Hostnames checked OK.
+	 * Now choose a hostname to use for matching.  We cannot
+	 * really trust much in the incoming NOTIFY, so to make
+	 * sure that multi-homed hosts work nicely, we get an
+	 * FQDN now, and use that for matching.
+	 */
+	dnsname = statd_canonical_name(mon_name);
+	if (dnsname == NULL) {
+		xlog(L_WARNING, "No canonical hostname found for %s", mon_name);
+		goto failure;
+	}
+
+	/* Now check to see if this is a duplicate, and warn if so.
+	 * I will also return STAT_FAIL. (I *think* this is how I should
+	 * handle it.)
+	 *
+	 * Olaf requests that I allow duplicate SM_MON requests for
+	 * hosts due to the way he is coding lockd. No problem,
+	 * I'll just do a quickie success return and things should
+	 * be happy.
+	 */
+	clnt = rtnl;
+
+	while ((clnt = nlist_gethost(clnt, mon_name, 0))) {
+		if (statd_matchhostname(NL_MY_NAME(clnt), my_name) &&
+		    NL_MY_PROC(clnt) == id->my_proc &&
+		    NL_MY_PROG(clnt) == id->my_prog &&
+		    NL_MY_VERS(clnt) == id->my_vers) {
+			if (memcmp(NL_PRIV(clnt), argp->priv, SM_PRIV_SIZE)) {
+				xlog(D_GENERAL,
+					"Received SM_MON request with new "
+					"cookie for %s from procedure on %s",
+					mon_name, my_name);
+
+				existing = 1; 
+				break;
+			} else {
+				/* Hey!  We already know you guys! */
+				xlog(D_GENERAL,
+					"Duplicate SM_MON request for %s "
+					"from procedure on %s",
+					mon_name, my_name);
+
+				/* But we'll let you pass anyway. */
+				free(dnsname);
+				goto success;
+			}
+		}
+		clnt = NL_NEXT(clnt);
+	}
+
+	/*
+	 * We're committed...ignoring errors.  Let's hope that a malloc()
+	 * doesn't fail.  (I should probably fix this assumption.)
+	 */
+	if (!existing && !(clnt = nlist_new(my_name, mon_name, 0))) {
+		free(dnsname);
+		xlog_warn("out of memory");
+		goto failure;
+	}
+
+	NL_MY_PROG(clnt) = id->my_prog;
+	NL_MY_VERS(clnt) = id->my_vers;
+	NL_MY_PROC(clnt) = id->my_proc;
+	memcpy(NL_PRIV(clnt), argp->priv, SM_PRIV_SIZE);
+	clnt->dns_name = dnsname;
+
+	/*
+	 * Now, Create file on stable storage for host, first deleting any
+	 * existing records on file.
+	 */
+	nsm_delete_monitored_host(dnsname, mon_name, my_name, 0);
+
+	if (!nsm_insert_monitored_host(dnsname,
+				(struct sockaddr *)(char *)&my_addr, argp)) {
+		nlist_free(existing ? &rtnl : NULL, clnt);
+		goto failure;
+	}
+
+	/* PRC: do the HA callout: */
+	ha_callout("add-client", mon_name, my_name, -1);
+	if (!existing)
+		nlist_insert(&rtnl, clnt);
+	xlog(D_GENERAL, "MONITORING %s for %s", mon_name, my_name);
+ success:
+	result.res_stat = STAT_SUCC;
+	/* SUN's sm_inter.x says this should be "state number of local site".
+	 * X/Open says '"state" will be contain the state of the remote NSM.'
+	 * href=http://www.opengroup.org/onlinepubs/9629799/SM_MON.htm
+	 * Linux lockd currently (2.6.21 and prior) ignores whatever is
+	 * returned, and given the above contraction, it probably always will..
+	 * So we just return what we always returned.  If possible, we
+	 * have already told lockd about our state number via a sysctl.
+	 * If lockd wants the remote state, it will need to
+	 * use SM_STAT (and prayer).
+	 */
+	result.state = MY_STATE;
+	return (&result);
+
+failure:
+	xlog_warn("STAT_FAIL to %s for SM_MON of %s", my_name, mon_name);
+	free(clnt);
+	return (&result);
+}
+
+static unsigned int
+load_one_host(const char *hostname,
+		__attribute__ ((unused)) const struct sockaddr *sap,
+		const struct mon *m,
+		__attribute__ ((unused)) const time_t timestamp)
+{
+	notify_list *clnt;
+
+	clnt = nlist_new(m->mon_id.my_id.my_name,
+				m->mon_id.mon_name, 0);
+	if (clnt == NULL)
+		return 0;
+
+	clnt->dns_name = strdup(hostname);
+	if (clnt->dns_name == NULL) {
+		nlist_free(NULL, clnt);
+		free(clnt);
+		return 0;
+	}
+
+	xlog(D_GENERAL, "Adding record for %s to the monitor list...",
+			hostname);
+
+	NL_MY_PROG(clnt) = m->mon_id.my_id.my_prog;
+	NL_MY_VERS(clnt) = m->mon_id.my_id.my_vers;
+	NL_MY_PROC(clnt) = m->mon_id.my_id.my_proc;
+	memcpy(NL_PRIV(clnt), m->priv, SM_PRIV_SIZE);
+
+	nlist_insert(&rtnl, clnt);
+	return 1;
+}
+
+void load_state(void)
+{
+	unsigned int count;
+
+	count = nsm_load_monitor_list(load_one_host);
+	if (count)
+		xlog(D_GENERAL, "Loaded %u previously monitored hosts", count);
+}
+
+/*
+ * Services SM_UNMON requests.
+ *
+ * There is no statement in the X/Open spec's about returning an error
+ * for requests to unmonitor a host that we're *not* monitoring.  I just
+ * return the state of the NSM when I get such foolish requests for lack
+ * of any better ideas.  (I also log the "offense.")
+ */
+struct sm_stat *
+sm_unmon_1_svc(struct mon_id *argp, struct svc_req *rqstp)
+{
+	static sm_stat  result;
+	notify_list	*clnt;
+	char		*mon_name = argp->mon_name,
+			*my_name  = argp->my_id.my_name;
+	struct my_id	*id = &argp->my_id;
+	char		*cp;
+
+	xlog(D_CALL, "Received SM_UNMON for %s from %s", mon_name, my_name);
+
+	result.state = MY_STATE;
+
+	if (!caller_is_localhost(rqstp))
+		goto failure;
+
+	/* my_name must not have white space */
+	for (cp=my_name ; *cp ; cp++)
+		if (*cp == ' ' || *cp == '\t' || *cp == '\r' || *cp == '\n')
+			*cp = '_';
+
+
+	/* Check if we're monitoring anyone. */
+	if (rtnl == NULL) {
+		xlog_warn("Received SM_UNMON request from %s for %s while not "
+			"monitoring any hosts", my_name, argp->mon_name);
+		return (&result);
+	}
+	clnt = rtnl;
+
+	/*
+	 * OK, we are.  Now look for appropriate entry in run-time list.
+	 * There should only be *one* match on this, since I block "duplicate"
+	 * SM_MON calls.  (Actually, duplicate calls are allowed, but only one
+	 * entry winds up in the list the way I'm currently handling them.)
+	 */
+	while ((clnt = nlist_gethost(clnt, mon_name, 0))) {
+		if (statd_matchhostname(NL_MY_NAME(clnt), my_name) &&
+			NL_MY_PROC(clnt) == id->my_proc &&
+			NL_MY_PROG(clnt) == id->my_prog &&
+			NL_MY_VERS(clnt) == id->my_vers) {
+			/* Match! */
+			xlog(D_GENERAL, "UNMONITORING %s for %s",
+					mon_name, my_name);
+
+			/* PRC: do the HA callout: */
+			ha_callout("del-client", mon_name, my_name, -1);
+
+			nsm_delete_monitored_host(clnt->dns_name,
+							mon_name, my_name, 1);
+			nlist_free(&rtnl, clnt);
+
+			return (&result);
+		} else
+			clnt = NL_NEXT(clnt);
+	}
+
+ failure:
+	xlog_warn("Received erroneous SM_UNMON request from %s for %s",
+		my_name, mon_name);
+	return (&result);
+}
+
+
+struct sm_stat *
+sm_unmon_all_1_svc(struct my_id *argp, struct svc_req *rqstp)
+{
+	short int       count = 0;
+	static sm_stat  result;
+	notify_list	*clnt;
+	char		*my_name = argp->my_name;
+
+	xlog(D_CALL, "Received SM_UNMON_ALL for %s", my_name);
+
+	if (!caller_is_localhost(rqstp))
+		goto failure;
+
+	result.state = MY_STATE;
+
+	if (rtnl == NULL) {
+		xlog_warn("Received SM_UNMON_ALL request from %s "
+			"while not monitoring any hosts", my_name);
+		return (&result);
+	}
+	clnt = rtnl;
+
+	while ((clnt = nlist_gethost(clnt, my_name, 1))) {
+		if (NL_MY_PROC(clnt) == argp->my_proc &&
+			NL_MY_PROG(clnt) == argp->my_prog &&
+			NL_MY_VERS(clnt) == argp->my_vers) {
+			/* Watch stack! */
+			char            mon_name[SM_MAXSTRLEN + 1];
+			notify_list	*temp;
+
+			xlog(D_GENERAL,
+				"UNMONITORING (SM_UNMON_ALL) %s for %s",
+				NL_MON_NAME(clnt), NL_MY_NAME(clnt));
+			strncpy(mon_name, NL_MON_NAME(clnt),
+				sizeof (mon_name) - 1);
+			mon_name[sizeof (mon_name) - 1] = '\0';
+			temp = NL_NEXT(clnt);
+			/* PRC: do the HA callout: */
+			ha_callout("del-client", mon_name, my_name, -1);
+			nsm_delete_monitored_host(clnt->dns_name,
+							mon_name, my_name, 1);
+			nlist_free(&rtnl, clnt);
+			++count;
+			clnt = temp;
+		} else
+			clnt = NL_NEXT(clnt);
+	}
+
+	if (!count) {
+		xlog(D_GENERAL, "SM_UNMON_ALL request from %s with no "
+			"SM_MON requests from it", my_name);
+	}
+
+ failure:
+	return (&result);
+}