author | dillon <dillon@FreeBSD.org> | 2002-07-17 01:07:08 +0000 |
---|---|---|
committer | dillon <dillon@FreeBSD.org> | 2002-07-17 01:07:08 +0000 |
commit | c57275f3471899132e94d39ef870d25599ec6f95 (patch) | |
tree | bf9f24f32d32f2bf3ffb9cf63dc71854ba3519b8 /sys/nfsserver | |
parent | 13f06ac4e819dff0ececa14911781f2f2cd608f9 (diff) | |
'recm' was not being unconditionally cleared for each loop, leading to
system lockups (infinite loops) when a zero-length RPC is received.
Linux clients will sometimes send zero-length RPC requests.
Reorganize the use of recm in the loop.
Cc: security@freebsd.org
Submitted by: Mike Junk <junk@isilon.com>
MFC after: 3 days
Diffstat (limited to 'sys/nfsserver')
-rw-r--r-- | sys/nfsserver/nfs_srvsock.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/sys/nfsserver/nfs_srvsock.c b/sys/nfsserver/nfs_srvsock.c
index 1feffa9..c03a38a 100644
--- a/sys/nfsserver/nfs_srvsock.c
+++ b/sys/nfsserver/nfs_srvsock.c
@@ -519,7 +519,7 @@ nfsrv_getstream(struct nfssvc_sock *slp, int waitflag)
 struct mbuf *m, **mpp;
 char *cp1, *cp2;
 int len;
- struct mbuf *om, *m2, *recm = NULL;
+ struct mbuf *om, *m2, *recm;
 u_int32_t recmark;
 if (slp->ns_flag & SLP_GETSTREAM)
@@ -564,7 +564,11 @@ nfsrv_getstream(struct nfssvc_sock *slp, int waitflag)
 /*
 * Now get the record part.
+ *
+ * Note that slp->ns_reclen may be 0. Linux sometimes
+ * generates 0-length RPCs.
 */
+ recm = NULL;
 if (slp->ns_cc == slp->ns_reclen) {
 recm = slp->ns_raw;
 slp->ns_raw = slp->ns_rawend = NULL;
@@ -573,6 +577,7 @@ nfsrv_getstream(struct nfssvc_sock *slp, int waitflag)
 len = 0;
 m = slp->ns_raw;
 om = NULL;
+
 while (len < slp->ns_reclen) {
 if ((len + m->m_len) > slp->ns_reclen) {
 m2 = m_copym(m, 0, slp->ns_reclen - len, |
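Review bot: After the new `recm = NULL;` in the second hunk, a zero-length record with more bytes still queued (ns_cc > ns_reclen == 0) takes the else branch, skips the `while (len < slp->ns_reclen)` loop in the third hunk, and leaves recm NULL; everything that consumes recm afterwards is outside these hunks, so I cannot confirm from the page that a NULL recm is treated as a complete empty record rather than as "no record yet", which is the condition that produced the lockup. The reset itself is correct, but its purpose is only implied by the comment block above it; I would pin it on the line: `recm = NULL;	/* per-record: must not carry over from the previous iteration; stays NULL for an empty record */`. The record length is read from the wire, so the 0 case is reachable by any peer and deserves a regression test that feeds a 0-length record mark followed by a normal record and checks the stream loop completes. nfsrv_getstream begins and ends outside these hunks.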