The macro nfsm_reply() is supposed to allocate a reply in all cases, but since the nfs cleanup, it hasn't done so in the case where `error' is EBADRPC. Callers of this macro expect it to initialise *mrq, and the `nfsmout' exit point expects a reply to be allocated if error == 0. When nfsm_reply() was called with error = EBADRPC, whatever junk was in *mrq (often a stale pointer to an old reply mbuf) would be assumed to be a valid reply and passed to pru_sosend(), causing a crash sooner or later. Fix this by allocating a reply even in the EBADRPC case like we used to do. This bug was specific to -current.
parent 76980afbc0
commit 66b462a989
@ -134,12 +134,12 @@ do { \
m_freem(mrep); \
mrep = NULL; \
} \
mreq = nfs_rephead((s), nfsd, error, &mb, &bpos); \
*mrq = mreq; \
if (error == EBADRPC) { \
error = 0; \
goto nfsmout; \
} \
mreq = nfs_rephead((s), nfsd, error, &mb, &bpos); \
*mrq = mreq; \
} while (0)
#define nfsm_writereply(s) \
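Review bot: the ordering of the two moved lines is now load-bearing and deserves a comment in the macro, because the previous order (check EBADRPC first, allocate second) looked equally reasonable and is exactly what produced the stale *mrq bug. Something like `/* Always allocate the reply first: nfsmout expects *mrq valid when error == 0 */` above `mreq = nfs_rephead((s), nfsd, error, &mb, &bpos); \` would stop the next cleanup from swapping them back. Note also that nfs_rephead() is now called while `error` still holds EBADRPC and only afterwards is `error = 0` set before `goto nfsmout`, so the reply sent out from the nfsmout path carries the RPC-level error status rather than a success status; that is the intended behaviour, but it is worth stating in the commit message or the comment, since a reader seeing `error = 0` right after the allocation could assume the reply is being built as a successful one.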