From a037faba698d8538a0e264aa9eaff8aa82406084 Mon Sep 17 00:00:00 2001 From: mckusick Date: Tue, 29 Sep 1998 22:33:05 +0000 Subject: The code checks each fragment mark to see if it's valid; if the fragment is less than NFS_MINPACKET or greater than NFS_MAXPACKET in size, it barfs and, I think, drops the connection. However, there's no guarantee that in a multi-fragment RPC, all the fragments will be at least as large as NFS_MINPACKET. In fact, with the version of "tclnfs" we have here, which supports NFS over TCP, at least when built under SunOS 4.1.3 (i.e., with 4.1.3's user-mode ONC RPC library), I can *repeatably* cause "tclnfs" to send a request with more than one fragment, one of which is only 8 bytes long. I just do a 3877-byte write to a file, at an offset of 0. The check that "slp->ns_reclen" is greater than or equal to NFS_MINPACKET serves no useful purpose - if the NFS server code can't handle packets < NFS_MINPACKET bytes, it can't handle them over *any* protocol, so the check has to be done above the RPC-over-TCP layer - and should be removed. Obtained from: Fix from Guy Harris, forwarded by Rick Macklem. --- sys/nfsclient/nfs_socket.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'sys/nfsclient/nfs_socket.c') diff --git a/sys/nfsclient/nfs_socket.c b/sys/nfsclient/nfs_socket.c index 7b54d9e..11ac518 100644 --- a/sys/nfsclient/nfs_socket.c +++ b/sys/nfsclient/nfs_socket.c @@ -34,7 +34,7 @@ * SUCH DAMAGE. * * @(#)nfs_socket.c 8.5 (Berkeley) 3/30/95 - * $Id: nfs_socket.c,v 1.44 1998/08/23 03:07:16 wollman Exp $ + * $Id: nfs_socket.c,v 1.45 1998/09/07 05:42:15 bde Exp $ */ /* @@ -2125,7 +2125,7 @@ nfsrv_getstream(slp, waitflag) slp->ns_flag |= SLP_LASTFRAG; else slp->ns_flag &= ~SLP_LASTFRAG; - if (slp->ns_reclen < NFS_MINPACKET || slp->ns_reclen > NFS_MAXPACKET) { + if (slp->ns_reclen > NFS_MAXPACKET) { slp->ns_flag &= ~SLP_GETSTREAM; return (EPERM); } -- cgit v1.1