authorsimon <simon@FreeBSD.org>2006-03-08 20:21:15 +0000
committersimon <simon@FreeBSD.org>2006-03-08 20:21:15 +0000
commitedc000b320776d276fa4e27697ec56b442e934a5 (patch)
tree51aaf0ab967ab89f26c2b56dff7bcb2651f15fad /sys
parentd8de19b5bd92d8e69276e26a077f19bbc5ac4e98 (diff)
When parsing an RPC request in nfsrv_dorec(), KASSERT that there
actually is an mbuf to process. This catches the missing mbuf before it would otherwise cause a NULL pointer dereference, which could be triggered by a 0-length RPC record before the check for such records was added in rev 1.97. Approved by: cperciva (mentor)
Diffstat (limited to 'sys')
-rw-r--r--sys/nfsserver/nfs_srvsock.c1
1 files changed, 1 insertions, 0 deletions
diff --git a/sys/nfsserver/nfs_srvsock.c b/sys/nfsserver/nfs_srvsock.c
index 50c7cbf..805c5ca4 100644
--- a/sys/nfsserver/nfs_srvsock.c
+++ b/sys/nfsserver/nfs_srvsock.c
@@ -699,6 +699,7 @@ nfsrv_dorec(struct nfssvc_sock *slp, struct nfsd *nfsd,
STAILQ_FIRST(&slp->ns_rec) == NULL)
return (ENOBUFS);
rec = STAILQ_FIRST(&slp->ns_rec);
+ KASSERT(rec->nr_packet != NULL, ("nfsrv_dorec: missing mbuf"));
STAILQ_REMOVE_HEAD(&slp->ns_rec, nr_link);
nam = rec->nr_address;
m = rec->nr_packet;
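Review bot: The added `KASSERT(rec->nr_packet != NULL, ...)` only protects kernels built with INVARIANTS; on other builds it compiles to nothing, so `m = rec->nr_packet;` two lines later would still pass a NULL mbuf to the rest of nfsrv_dorec if a zero-length record ever got past the rev 1.97 check. Because the record originates from the network, a runtime backstop is worth considering alongside the assertion: after the dequeue, test `m == NULL`, release the record and its address the same way the normal path does, and return an error such as `EBADRPC`. If the assertion is kept on its own, a comment like `/* 0-length records are rejected on receive (rev 1.97); this only catches regressions on INVARIANTS kernels */` would make that limitation explicit. The body of nfsrv_dorec starts and ends outside this hunk, so the cleanup needed on that error path is not visible here and should be confirmed against the full function.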