author wpaul <wpaul@FreeBSD.org> 1997-06-27 19:10:46 +0000
committer wpaul <wpaul@FreeBSD.org> 1997-06-27 19:10:46 +0000
commit 97f50d063cec0cfb8b7b4e630c58c3ebd7acc097 (patch)
tree ae1c850b9fa49a00e064d2ff668c94f0ed752579 /sys/nfsclient/nfs_vfsops.c
parent cb0446e5aea34c51845c3a4617a9044e48667558 (diff)
Fix a condition where nfs_statfs() can precipitate a panic. There is
code that says this:

    nfsm_request(vp, NFSPROC_FSSTAT, p, cred);
    if (v3)
        nfsm_postop_attr(vp, retattr);
    if (!error)
        nfsm_dissect(sfp, struct nfs_statfs *, NFSX_STATFS(v3));

The problem here is that if error != 0, nfsm_dissect() will not be
called, which leaves sfp == NULL. But nfs_statfs() does not bail out
at this point: it continues processing until it tries to dereference
sfp, which causes a panic. I was able to generate this crash under the
following conditions:

1) Set up a machine as an NFS server and NFS client, with amd running
   (using NIS maps). /usr/local is exported, though any exported fs
   can be used to trigger the bug.
2) Log in as normal user, with home directory mounted from a SunOS
   4.1.3 NFS server via amd (along with a few other NFS filesystems
   from same machine).
3) Su to root and type the following:

    # mount localhost:/usr/local /mnt
    # df

To fix the panic, I changed the code to read:

    if (!error) {
        nfsm_dissect(sfp, struct nfs_statfs *, NFSX_STATFS(v3));
    } else
        goto nfsmout;

This is a bit kludgy in that nfsmout is a label defined by the
nfsm_subs.h macros, but these macros are themselves more than a little
kludgy. This stops the machine from crashing, but does not fix the
overall bug: 'error' somehow becomes 5 (EIO) when a statfs() is
performed on the locally mounted NFS filesystem. This seems to only
happen the first time the filesystem is accessed: on subsequent
accesses, it seems to work fine again.

Now, I know there's no practical use in mounting a local filesystem
via NFS, but doing it shouldn't cause the system to melt down.
Diffstat (limited to 'sys/nfsclient/nfs_vfsops.c')
-rw-r--r-- sys/nfsclient/nfs_vfsops.c 7
1 files changed, 5 insertions, 2 deletions
diff --git a/sys/nfsclient/nfs_vfsops.c b/sys/nfsclient/nfs_vfsops.c
index 9bcc0f7..f867948 100644
--- a/sys/nfsclient/nfs_vfsops.c
+++ b/sys/nfsclient/nfs_vfsops.c
@@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs_vfsops.c 8.12 (Berkeley) 5/20/95
- * $Id: nfs_vfsops.c,v 1.42 1997/05/12 19:02:56 tegge Exp $
+ * $Id: nfs_vfsops.c,v 1.43 1997/06/03 17:22:47 dfr Exp $
*/
#include <sys/param.h>
@@ -269,8 +269,11 @@ nfs_statfs(mp, sbp, p)
nfsm_request(vp, NFSPROC_FSSTAT, p, cred);
if (v3)
nfsm_postop_attr(vp, retattr);
- if (!error)
+ if (!error) {
nfsm_dissect(sfp, struct nfs_statfs *, NFSX_STATFS(v3));
+ } else
+ goto nfsmout;
+
#ifdef __NetBSD__
#ifdef COMPAT_09
sbp->f_type = 2;
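Review bot: The new "else goto nfsmout;" branch after nfsm_dissect() jumps to a label that, per the commit message, is defined by the nfsm_subs.h macros rather than written out in this file, so a one-line comment at the goto saying where nfsmout comes from would save the next reader a search. The mixed bracing (a braced if body followed by an unbraced else) would also read more clearly with the failure tested first, for example "if (error) goto nfsmout;" ahead of an unconditional nfsm_dissect(...), which makes it plain that sfp is never touched when the request failed. Since the commit message says the EIO behind this path is still unexplained, a comment marking that here would keep the early exit from being taken for the complete fix.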