authordillon <dillon@FreeBSD.org>2002-07-17 01:07:08 +0000
committerdillon <dillon@FreeBSD.org>2002-07-17 01:07:08 +0000
commitc57275f3471899132e94d39ef870d25599ec6f95 (patch)
treebf9f24f32d32f2bf3ffb9cf63dc71854ba3519b8 /sys/nfsserver/nfs_srvsock.c
parent13f06ac4e819dff0ececa14911781f2f2cd608f9 (diff)
'recm' was not being unconditionally cleared for each loop, leading to
system lockups (infinite loops) when a zero-length RPC is received. Linux clients will sometimes send zero-length RPC requests. Reorganize the use of recm in the loop. Cc: security@freebsd.org Submitted by: Mike Junk <junk@isilon.com> MFC after: 3 days
Diffstat (limited to 'sys/nfsserver/nfs_srvsock.c')
-rw-r--r--sys/nfsserver/nfs_srvsock.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/sys/nfsserver/nfs_srvsock.c b/sys/nfsserver/nfs_srvsock.c
index 1feffa9..c03a38a 100644
--- a/sys/nfsserver/nfs_srvsock.c
+++ b/sys/nfsserver/nfs_srvsock.c
@@ -519,7 +519,7 @@ nfsrv_getstream(struct nfssvc_sock *slp, int waitflag)
struct mbuf *m, **mpp;
char *cp1, *cp2;
int len;
- struct mbuf *om, *m2, *recm = NULL;
+ struct mbuf *om, *m2, *recm;
u_int32_t recmark;
if (slp->ns_flag & SLP_GETSTREAM)
@@ -564,7 +564,11 @@ nfsrv_getstream(struct nfssvc_sock *slp, int waitflag)
/*
* Now get the record part.
+ *
+ * Note that slp->ns_reclen may be 0. Linux sometimes
+ * generates 0-length RPCs.
*/
+ recm = NULL;
if (slp->ns_cc == slp->ns_reclen) {
recm = slp->ns_raw;
slp->ns_raw = slp->ns_rawend = NULL;
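Review bot: The added comment records that slp->ns_reclen may be 0 but not what recm is left holding in that case, and that state is what the rest of the loop depends on. With the per-pass `recm = NULL;`, a zero-length record leaves recm NULL whenever `while (len < slp->ns_reclen)` in the next hunk never runs, and in the `slp->ns_cc == slp->ns_reclen` branch recm takes slp->ns_raw, which is presumably also NULL when both counts are 0. The code that consumes recm lies outside this hunk (nfsrv_getstream starts and ends outside it), so it should be confirmed to skip a NULL recm rather than queue or dereference it. I would extend the comment with `* recm is reset on every pass and stays NULL for a 0-length record; the code below must tolerate that.` Because the record length is supplied by the remote peer, a regression test that feeds a zero-length record mark would keep this from reappearing.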
@@ -573,6 +577,7 @@ nfsrv_getstream(struct nfssvc_sock *slp, int waitflag)
len = 0;
m = slp->ns_raw;
om = NULL;
+
while (len < slp->ns_reclen) {
if ((len + m->m_len) > slp->ns_reclen) {
m2 = m_copym(m, 0, slp->ns_reclen - len,