nfs-utils/svcgssd-mem-leak


Set a more reasonable timeout for gss auth cache.
svcgssd gives info to the kernel for gss authentication
and encryption.
This information currently has no expiry time and is never
flushed so it will be collected forever and eventually
cause a significant waste of memory.
So set the expiry times smaller.
For session initialisation, the context info should only be needed once.
So set a timeout of one minute.
For ongoing context information it could be needed for some time,
so set a timeout of one hour.
See bnc#442490
From: NeilBrown <neilb@suse.de>
Signed-off-by: NeilBrown <neilb@suse.de>
---
utils/svcgssd/svcgssd_proc.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
Index: nfs-utils-1.1.3/utils/gssd/svcgssd_proc.c
===================================================================
--- nfs-utils-1.1.3.orig/utils/gssd/svcgssd_proc.c
+++ nfs-utils-1.1.3/utils/gssd/svcgssd_proc.c
@@ -86,7 +86,9 @@ do_svc_downcall(gss_buffer_desc *out_han
}
qword_printhex(f, out_handle->value, out_handle->length);
/* XXX are types OK for the rest of this? */
- qword_printint(f, 0x7fffffff); /*XXX need a better timeout */
+
+ /* 'context' could be needed for a while. */
+ qword_printint(f, time(0) + 60*60);
qword_printint(f, cred->cr_uid);
qword_printint(f, cred->cr_gid);
qword_printint(f, cred->cr_ngroups);
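Review bot: In do_svc_downcall the new expiry `time(0) + 60*60` is a fixed hour that is unrelated to how long the established context itself stays valid, so the kernel entry's lifetime and the context's lifetime can disagree in either direction. Consider deriving the expiry from the context's remaining lifetime where that is available and using the hour only as a cap, and give the hour a named constant instead of a bare `60*60`. The value is also a time_t handed to qword_printint directly under the existing "XXX are types OK" comment, so an explicit cast would make the intended width clear, and the hunk does not show whether <time.h> is already included in this file.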
@@ -130,7 +132,8 @@ send_response(FILE *f, gss_buffer_desc *
qword_addhex(&bp, &blen, in_handle->value, in_handle->length);
qword_addhex(&bp, &blen, in_token->value, in_token->length);
- qword_addint(&bp, &blen, 0x7fffffff); /*XXX need a better timeout */
+ /* INIT context info will only be needed for a short while */
+ qword_addint(&bp, &blen, time(0) + 60);
qword_adduint(&bp, &blen, maj_stat);
qword_adduint(&bp, &blen, min_stat);
qword_addhex(&bp, &blen, out_handle->value, out_handle->length);
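Review bot: The INIT expiry in send_response is a bare literal in `time(0) + 60`, while its counterpart in do_svc_downcall is a separate bare `60*60`; define both as named constants side by side so the two lifetimes can be tuned and audited in one place. Both values are absolute wall-clock times, so a clock step on the server shifts every expiry written here; a short comment stating that the field is an absolute time in seconds, which the replaced 0x7fffffff did not make obvious, would help the next reader.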