author: rmacklem <rmacklem@FreeBSD.org> 2009-08-12 16:27:51 +0000
committer: rmacklem <rmacklem@FreeBSD.org> 2009-08-12 16:27:51 +0000
commit: e0f9ca5ab5b6816a246a04faceaae64adbc9b8cd
tree: 8ffffe3b8759622a730a2e5cf589ff0fd9e6ee1b /sys/xdr
parent: e934441f677085c7bc7f79208ae2f70f48164b66
Add a check for a NULL mbuf ptr at the beginning of xdrmbuf_inline() so that it returns failure instead of crashing when "m->m_len" is executed and m == NULL.

The mbuf ptr can be NULL when a call to xdrmbuf_getbytes() gets the bytes it needs, but they are at the end of a short RPC reply. When this happens, xdrmbuf_getbytes() returns success, but advances the mbuf ptr (xdrs->x_private) to m_next, which is NULL. If this is followed by a call to xdrmbuf_getlong(), it calls xdrmbuf_inline(), which would cause a crash by accessing "m->m_len".

Tested by: pho, serenity at exscape dot org
Approved by: re (rwatson), kib (mentor)
Diffstat (limited to 'sys/xdr')
-rw-r--r-- sys/xdr/xdr_mbuf.c 2
1 files changed, 2 insertions, 0 deletions
diff --git a/sys/xdr/xdr_mbuf.c b/sys/xdr/xdr_mbuf.c
index ab79e19..bcfdb18 100644
--- a/sys/xdr/xdr_mbuf.c
+++ b/sys/xdr/xdr_mbuf.c
@@ -282,6 +282,8 @@ xdrmbuf_inline(XDR *xdrs, u_int len)
size_t available;
char *p;
+ if (!m)
+ return (0);
if (xdrs->x_op == XDR_ENCODE) {
available = M_TRAILINGSPACE(m) + (m->m_len - xdrs->x_handy);
} else {
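Review bot: the new guard at the top of xdrmbuf_inline() is written as `if (!m)` and has no comment explaining why m can legitimately be NULL at this point. Suggest `if (m == NULL)` with a one-line comment saying that xdrmbuf_getbytes() can leave xdrs->x_private at a NULL m_next after consuming the tail of a short RPC reply, because that is not evident from this function alone. The guard also protects only this entry point: since the commit message says xdrmbuf_getbytes() returns success with the mbuf ptr already advanced to NULL, it is worth checking whether any other routine that reads xdrs->x_private assumes a non-NULL mbuf, or whether xdrmbuf_getbytes() should avoid leaving the pointer in that state.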