From a0ef521585d908307c1c0c0496ad72c93e8f397b Mon Sep 17 00:00:00 2001
From: wpaul
Date: Thu, 29 Jul 1999 21:42:57 +0000
Subject: Correct the sanity test length calculation in nfsrv_readdirplus(): len is being incremented by 4 bytes too few each time through the loop, which allows more data into the mbuf chain that we really want. In the worst case, when we're using 32K read/write sizes with a TCP client, this causes readdirplus replies to sometimes exceed NFS_MAXPACKET which leads to a panic. This problem cropped up for me using an IRIX 6.5.4 NFSv3 TCP client with 32K read/write sizes, however supposedly it can be triggered by WinNT NFS servers too. In theory, it can probably be triggered by any NFS v3 implementation using TCP as long as it's using the maxiumum block size. Reviewed by: Matthew Dillon
---
 sys/nfsserver/nfs_serv.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'sys/nfsserver')
diff --git a/sys/nfsserver/nfs_serv.c b/sys/nfsserver/nfs_serv.c
index b8203c8..b5ee411 100644
--- a/sys/nfsserver/nfs_serv.c
+++ b/sys/nfsserver/nfs_serv.c
@@ -34,7 +34,7 @@
 * SUCH DAMAGE.
 *
 * @(#)nfs_serv.c 8.8 (Berkeley) 7/31/95
- * $Id: nfs_serv.c,v 1.81 1999/07/17 18:43:46 phk Exp $
+ * $Id: nfs_serv.c,v 1.82 1999/07/28 08:20:49 alc Exp $
 */

 /*
@@ -3474,7 +3474,7 @@ again:
 * are calculated conservatively, including all
 * XDR overheads.
 */
- len += (7 * NFSX_UNSIGNED + nlen + rem + NFSX_V3FH +
+ len += (8 * NFSX_UNSIGNED + nlen + rem + NFSX_V3FH +
 NFSX_V3POSTOPATTR);
 dirlen += (6 * NFSX_UNSIGNED + nlen + rem);
 if (len > cnt || dirlen > fullsiz) {
-- 
cgit v1.1
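Review bot: The corrected `8 * NFSX_UNSIGNED` on the `len +=` line in the second hunk is still a hand-counted constant with nothing beside it saying which XDR words it covers, which is how the count came to be one word short in the first place. The commit message ties an underestimate here to replies exceeding NFS_MAXPACKET and a panic that a remote client can provoke, so the breakdown deserves a comment directly above the statement. Something like `/* 8 words: value-follows, fileid (2), name length, cookie (2), handle-follows, handle length; the attr-follows flag is counted in NFSX_V3POSTOPATTR */` would do; that breakdown is presumed and needs checking against the code that actually builds each entry, which lies outside this hunk along with the rest of nfsrv_readdirplus(). The `6 * NFSX_UNSIGNED` on the `dirlen +=` line would benefit from the same kind of comment.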