Fixes for NFS crashes on architectures that require strict alignment.

- Fix nfsm_disct() so that after pulling up data, the remaining data is aligned if necessary. - Fix nfs_clnt_tcp_soupcall() to bcopy() the rpc length out of the mbuf (instead of casting m_data to a uint32). Submitted by: Pyun YongHyeon Reviewed by: Mohan Srinivasan
svn path=/head/; revision=148008
2005-07-14 20:08:27 +00:00 · 2005-07-14 20:08:27 +00:00 · 0e38f5365b · 2020-12-20 02:59:44 +00:00
commit 0e38f5365b
parent 37b40e499e
3 changed files with 20 additions and 4 deletions
--- a/sys/nfs/nfs_common.c
+++ b/sys/nfs/nfs_common.c
@ -170,7 +170,7 @@ nfsm_disct(struct mbuf **mdp, caddr_t *dposp, int siz, int left, int how)
 {
 	struct mbuf *mp, *mp2;
 	int siz2, xfer;
-	caddr_t ptr;
+	caddr_t ptr, npos = NULL;
 	void *ret;

 	mp = *mdp;
@ -192,6 +192,7 @@ nfsm_disct(struct mbuf **mdp, caddr_t *dposp, int siz, int left, int how)
 		MGET(mp2, how, MT_DATA);
 		if (mp2 == NULL)
 			return NULL;
+		mp2->m_len = siz;
 		mp2->m_next = mp->m_next;
 		mp->m_next = mp2;
 		mp->m_len -= left;
@ -202,6 +203,7 @@ nfsm_disct(struct mbuf **mdp, caddr_t *dposp, int siz, int left, int how)
 		siz2 = siz-left;
 		ptr += left;
 		mp2 = mp->m_next;
+		npos = mtod(mp2, caddr_t);
 		/* Loop around copying up the siz2 bytes */
 		while (siz2 > 0) {
 			if (mp2 == NULL)
@ -214,12 +216,19 @@ nfsm_disct(struct mbuf **mdp, caddr_t *dposp, int siz, int left, int how)
 				ptr += xfer;
 				siz2 -= xfer;
 			}
-			if (siz2 > 0)
+			if (siz2 > 0) {
 				mp2 = mp2->m_next;
+				if (mp2 != NULL)
+					npos = mtod(mp2, caddr_t);
+			}
 		}
-		mp->m_len = siz;
 		*mdp = mp2;
 		*dposp = mtod(mp2, caddr_t);
+		if (!nfsm_aligned(*dposp, u_int32_t)) {
+			bcopy(*dposp, npos, mp2->m_len);
+			mp2->m_data = npos;
+			*dposp = npos;
+		}
 	}
 	return ret;
 }
--- a/sys/nfs/nfs_common.h
+++ b/sys/nfs/nfs_common.h
@ -127,4 +127,10 @@ do { \
 	nfsm_dcheck(t1, mrep); \
 } while (0)

+#ifdef __NO_STRICT_ALIGNMENT
+#define nfsm_aligned(p, t)	1
+#else
+#define nfsm_aligned(p, t)	((((u_long)(p)) & (sizeof(t) - 1)) == 0)
+#endif
+
 #endif
--- a/sys/nfsclient/nfs_socket.c
+++ b/sys/nfsclient/nfs_socket.c
@ -814,7 +814,8 @@ nfs_clnt_tcp_soupcall(struct socket *so, void *arg, int waitflag)
 			}
 			if (mp == NULL)
 				panic("nfs_clnt_tcp_soupcall: Got empty mbuf chain from sorecv\n");
-			len = ntohl(*mtod(mp, u_int32_t *)) & ~0x80000000;
+			bcopy(mtod(mp, u_int32_t *), &len, sizeof(len));
+			len = ntohl(len) & ~0x80000000;
 			m_freem(mp);
 			/*
 			 * This is SERIOUS! We are out of sync with the sender