From c57275f3471899132e94d39ef870d25599ec6f95 Mon Sep 17 00:00:00 2001
From: dillon
Date: Wed, 17 Jul 2002 01:07:08 +0000
Subject: 'recm' was not being unconditionally cleared for each loop, leading to system lockups (infinite loops) when a zero-length RPC is received. Linux clients will sometimes send zero-length RPC requests. Reorganize the use of recm in the loop.

Cc: security@freebsd.org
Submitted by: Mike Junk
MFC after: 3 days
---
 sys/nfsserver/nfs_srvsock.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

(limited to 'sys/nfsserver')

diff --git a/sys/nfsserver/nfs_srvsock.c b/sys/nfsserver/nfs_srvsock.c
index 1feffa9..c03a38a 100644
--- a/sys/nfsserver/nfs_srvsock.c
+++ b/sys/nfsserver/nfs_srvsock.c
@@ -519,7 +519,7 @@ nfsrv_getstream(struct nfssvc_sock *slp, int waitflag)
 	struct mbuf *m, **mpp;
 	char *cp1, *cp2;
 	int len;
-	struct mbuf *om, *m2, *recm = NULL;
+	struct mbuf *om, *m2, *recm;
 	u_int32_t recmark;
 
 	if (slp->ns_flag & SLP_GETSTREAM)
@@ -564,7 +564,11 @@ nfsrv_getstream(struct nfssvc_sock *slp, int waitflag)
 
 	/*
 	 * Now get the record part.
+	 *
+	 * Note that slp->ns_reclen may be 0. Linux sometimes
+	 * generates 0-length RPCs.
 	 */
+	recm = NULL;
 	if (slp->ns_cc == slp->ns_reclen) {
 		recm = slp->ns_raw;
 		slp->ns_raw = slp->ns_rawend = NULL;
@@ -573,6 +577,7 @@ nfsrv_getstream(struct nfssvc_sock *slp, int waitflag)
 		len = 0;
 		m = slp->ns_raw;
 		om = NULL;
+
 		while (len < slp->ns_reclen) {
 			if ((len + m->m_len) > slp->ns_reclen) {
 				m2 = m_copym(m, 0, slp->ns_reclen - len,
-- 
cgit v1.1
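Review bot: Dropping the `= NULL` initializer from `struct mbuf *om, *m2, *recm;` leaves recm uninitialized from its declaration until the new `recm = NULL;` assignment in the second hunk, so any read of recm in the record-mark parsing between those two points would now be an uninitialized read rather than a NULL check. That stretch of nfsrv_getstream is outside both hunks and should be confirmed free of such reads; building with -Wuninitialized is the cheap way to do so. Given the initializer was what masked the original lock-up, a short comment on the declaration such as `/* recm is (re)set per record below; do not rely on it before then */` would keep the next maintainer from putting the initializer back. nfsrv_getstream's body continues outside the hunk.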
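Review bot: The new comment says ns_reclen may be 0 but not what the code does with such a record, which is the property the fix depends on: with ns_reclen == 0 and ns_cc > 0, the `slp->ns_cc == slp->ns_reclen` branch is skipped and the `while (len < slp->ns_reclen)` loop in the next hunk never runs, so recm remains the NULL just assigned. Whatever consumes recm after this block (outside the hunk) therefore has to accept a NULL record without treating it as a complete request, and that expectation should be stated, e.g. ` * A 0-length record leaves recm NULL; the consumer below must tolerate that.` Since this path is reachable from any client on the wire, that invariant is worth an explicit check or KASSERT where recm is consumed rather than a silent assumption. The rest of the if/else chain and the consumer of recm lie outside the hunk.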