authordillon <dillon@FreeBSD.org>1999-12-12 07:06:39 +0000
committerdillon <dillon@FreeBSD.org>1999-12-12 07:06:39 +0000
commit08e8d78b501bf7a046c5972d20a883d62ec5456b (patch)
treecf098b01da15fcb058627fac2994e8366d544280 /sys/nfs
parent9c9d5f88d9b204e3a4bd9974961b1e1cfff5b952 (diff)
Fix a number of server-side issues related to aborting badly formed
NFS packets, mainly initializing structure pointers to NULL which are conditionally freed prior to return. PR: kern/15249 Submitted by: Ian Dowse <iedowse@maths.tcd.ie>
Diffstat (limited to 'sys/nfs')
-rw-r--r--sys/nfs/nfs_common.c3
-rw-r--r--sys/nfs/nfs_nqlease.c4
-rw-r--r--sys/nfs/nfs_serv.c8
-rw-r--r--sys/nfs/nfs_subs.c3
4 files changed, 13 insertions, 5 deletions
diff --git a/sys/nfs/nfs_common.c b/sys/nfs/nfs_common.c
index 0da996b..e63ba63 100644
--- a/sys/nfs/nfs_common.c
+++ b/sys/nfs/nfs_common.c
@@ -1974,6 +1974,7 @@ nfsrv_fhtovp(fhp, lockflag, vpp, cred, slp, nam, rdonlyp, kerbflag, pubflag)
if (saddr->sin_family == AF_INET &&
ntohs(saddr->sin_port) >= IPPORT_RESERVED) {
vput(*vpp);
+ *vpp = NULL;
return (NFSERR_AUTHERR | AUTH_TOOWEAK);
}
}
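Review bot: The guarantee created by the new `*vpp = NULL;` lines is not written down anywhere: after `vput(*vpp)` on an `AUTH_TOOWEAK` return the caller's pointer is now cleared, which is what lets a caller release `vp` conditionally on its error path without releasing the same vnode twice. I would state that in the header comment of nfsrv_fhtovp, e.g. `/* On error *vpp is NULL; the vnode has already been released and the caller must not vput()/vrele() it. */`. The same applies to the `@@ -1984` hunk below and to the two identical hunks in sys/nfs/nfs_subs.c. The function's other error returns lie outside these hunks, so it should be confirmed that each of them also clears `*vpp` before the comment promises it for every error.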
@@ -1984,10 +1985,12 @@ nfsrv_fhtovp(fhp, lockflag, vpp, cred, slp, nam, rdonlyp, kerbflag, pubflag)
if (exflags & MNT_EXKERB) {
if (!kerbflag) {
vput(*vpp);
+ *vpp = NULL;
return (NFSERR_AUTHERR | AUTH_TOOWEAK);
}
} else if (kerbflag) {
vput(*vpp);
+ *vpp = NULL;
return (NFSERR_AUTHERR | AUTH_TOOWEAK);
} else if (cred->cr_uid == 0 || (exflags & MNT_EXPORTANON)) {
cred->cr_uid = credanon->cr_uid;
diff --git a/sys/nfs/nfs_nqlease.c b/sys/nfs/nfs_nqlease.c
index e64a82a..be90100 100644
--- a/sys/nfs/nfs_nqlease.c
+++ b/sys/nfs/nfs_nqlease.c
@@ -769,8 +769,10 @@ nqnfsrv_getlease(nfsd, slp, procp, mrq)
nfsd->nd_duration = fxdr_unsigned(int, *tl);
error = nfsrv_fhtovp(fhp, 1, &vp, cred, slp, nam, &rdonly,
(nfsd->nd_flag & ND_KERBAUTH), TRUE);
- if (error)
+ if (error) {
nfsm_reply(0);
+ goto nfsmout;
+ }
if (rdonly && flags == ND_WRITE) {
error = EROFS;
vput(vp);
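Review bot: `error` is still non-zero when the new `goto nfsmout;` is taken, after `nfsm_reply(0)` has already built the error reply. Neither the `nfsm_reply` macro nor the `nfsmout` label is visible in this hunk, but if `nfsmout` simply returns `error`, the dispatcher may treat the request as failed rather than send the reply; if so, `error = 0;` belongs before the `goto`. A short comment such as `/* nfsm_reply() does not always leave the function on error; never fall through with vp unset */` would also explain why the explicit jump is needed. nqnfsrv_getlease continues outside the hunk.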
diff --git a/sys/nfs/nfs_serv.c b/sys/nfs/nfs_serv.c
index 122e7f3..e0aa5ab 100644
--- a/sys/nfs/nfs_serv.c
+++ b/sys/nfs/nfs_serv.c
@@ -249,7 +249,7 @@ nfsrv_getattr(nfsd, slp, procp, mrq)
register struct nfs_fattr *fp;
struct vattr va;
register struct vattr *vap = &va;
- struct vnode *vp;
+ struct vnode *vp = NULL;
nfsfh_t nfh;
fhandle_t *fhp;
register u_int32_t *tl;
@@ -453,7 +453,7 @@ nfsrv_lookup(nfsd, slp, procp, mrq)
struct ucred *cred = &nfsd->nd_cr;
register struct nfs_fattr *fp;
struct nameidata nd, ind, *ndp = &nd;
- struct vnode *vp, *dirp;
+ struct vnode *vp, *dirp = NULL;
nfsfh_t nfh;
fhandle_t *fhp;
register caddr_t cp;
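Review bot: In `struct vnode *vp, *dirp = NULL;` the initializer binds only to `dirp`, so `vp` is still uninitialized in nfsrv_lookup, unlike the other three handlers touched in this file. The function's exit path is outside the hunk, so I cannot tell whether `vp` is released conditionally there; if it is, a badly formed request that aborts before `vp` is assigned would release a garbage pointer. `struct vnode *vp = NULL, *dirp = NULL;` covers both pointers and keeps the four declarations consistent.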
@@ -775,7 +775,7 @@ nfsrv_read(nfsd, slp, procp, mrq)
char *cp2;
struct mbuf *mb, *mb2, *mreq;
struct mbuf *m2;
- struct vnode *vp;
+ struct vnode *vp = NULL;
nfsfh_t nfh;
fhandle_t *fhp;
struct uio io, *uiop = &io;
@@ -1168,7 +1168,7 @@ nfsrv_writegather(ndp, slp, procp, mrq)
int ioflags, aftat_ret = 1, s, adjust, v3, zeroing;
char *cp2;
struct mbuf *mb, *mb2, *mreq, *mrep, *md;
- struct vnode *vp;
+ struct vnode *vp = NULL;
struct uio io, *uiop = &io;
u_quad_t frev, cur_usec;
diff --git a/sys/nfs/nfs_subs.c b/sys/nfs/nfs_subs.c
index 0da996b..e63ba63 100644
--- a/sys/nfs/nfs_subs.c
+++ b/sys/nfs/nfs_subs.c
@@ -1974,6 +1974,7 @@ nfsrv_fhtovp(fhp, lockflag, vpp, cred, slp, nam, rdonlyp, kerbflag, pubflag)
if (saddr->sin_family == AF_INET &&
ntohs(saddr->sin_port) >= IPPORT_RESERVED) {
vput(*vpp);
+ *vpp = NULL;
return (NFSERR_AUTHERR | AUTH_TOOWEAK);
}
}
@@ -1984,10 +1985,12 @@ nfsrv_fhtovp(fhp, lockflag, vpp, cred, slp, nam, rdonlyp, kerbflag, pubflag)
if (exflags & MNT_EXKERB) {
if (!kerbflag) {
vput(*vpp);
+ *vpp = NULL;
return (NFSERR_AUTHERR | AUTH_TOOWEAK);
}
} else if (kerbflag) {
vput(*vpp);
+ *vpp = NULL;
return (NFSERR_AUTHERR | AUTH_TOOWEAK);
} else if (cred->cr_uid == 0 || (exflags & MNT_EXPORTANON)) {
cred->cr_uid = credanon->cr_uid;