The macro nfsm_reply() is supposed to allocate a reply in all cases,

but since the nfs cleanup, it hasn't done so in the case where `error' is EBADRPC. Callers of this macro expect it to initialise *mrq, and the `nfsmout' exit point expects a reply to be allocated if error == 0. When nfsm_reply() was called with error = EBADRPC, whatever junk was in *mrq (often a stale pointer to an old reply mbuf) would be assumed to be a valid reply and passed to pru_sosend(), causing a crash sooner or later. Fix this by allocating a reply even in the EBADRPC case like we used to do. This bug was specific to -current.
author: iedowse <iedowse@FreeBSD.org> 2002-01-11 22:22:39 +0000
committer: iedowse <iedowse@FreeBSD.org> 2002-01-11 22:22:39 +0000
commit: e41e7ac3ee918d790075b6c6a8fdd9f38c4b87bb (patch)
tree: 8a25c6deb4415201b183879135b275b19946f6b1 /sys/nfsserver
parent: cfacbbda64ac4013d5df1e5e7d4b65f36816110e (diff)
download: FreeBSD-src-e41e7ac3ee918d790075b6c6a8fdd9f38c4b87bb.zip
FreeBSD-src-e41e7ac3ee918d790075b6c6a8fdd9f38c4b87bb.tar.gz
1 files changed, 2 insertions, 2 deletions
diff --git a/sys/nfsserver/nfsm_subs.h b/sys/nfsserver/nfsm_subs.h
index f81127b..5d3f61b 100644
--- a/sys/nfsserver/nfsm_subs.h
+++ b/sys/nfsserver/nfsm_subs.h
@@ -134,12 +134,12 @@ do { \
 		m_freem(mrep); \
 		mrep = NULL; \
 	} \
+	mreq = nfs_rephead((s), nfsd, error, &mb, &bpos); \
+	*mrq = mreq; \
 	if (error == EBADRPC) { \
 		error = 0; \
 		goto nfsmout; \
 	} \
-	mreq = nfs_rephead((s), nfsd, error, &mb, &bpos); \
-	*mrq = mreq; \
 } while (0)
 
 #define	nfsm_writereply(s) \
author	iedowse <iedowse@FreeBSD.org>	2002-01-11 22:22:39 +0000
committer	iedowse <iedowse@FreeBSD.org>	2002-01-11 22:22:39 +0000
commit	e41e7ac3ee918d790075b6c6a8fdd9f38c4b87bb (patch)
tree	8a25c6deb4415201b183879135b275b19946f6b1 /sys/nfsserver
parent	cfacbbda64ac4013d5df1e5e7d4b65f36816110e (diff)
download	FreeBSD-src-e41e7ac3ee918d790075b6c6a8fdd9f38c4b87bb.zip FreeBSD-src-e41e7ac3ee918d790075b6c6a8fdd9f38c4b87bb.tar.gz