The macro nfsm_reply() is supposed to allocate a reply in all cases,
but since the nfs cleanup, it hasn't done so in the case where
`error' is EBADRPC. Callers of this macro expect it to initialise
*mrq, and the `nfsmout' exit point expects a reply to be allocated
if error == 0. When nfsm_reply() was called with error = EBADRPC,
whatever junk was in *mrq (often a stale pointer to an old reply
mbuf) would be assumed to be a valid reply and passed to pru_sosend(),
causing a crash sooner or later.

Fix this by allocating a reply even in the EBADRPC case like we
used to do. This bug was specific to -current.
Ian Dowse 2002-01-11 22:22:39 +00:00
parent 76980afbc0
commit 66b462a989

@ -134,12 +134,12 @@ do { \
m_freem(mrep); \
mrep = NULL; \
} \
mreq = nfs_rephead((s), nfsd, error, &mb, &bpos); \
*mrq = mreq; \
if (error == EBADRPC) { \
error = 0; \
goto nfsmout; \
} \
mreq = nfs_rephead((s), nfsd, error, &mb, &bpos); \
*mrq = mreq; \
} while (0)
#define nfsm_writereply(s) \
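Review bot: Moving `mreq = nfs_rephead((s), nfsd, error, &mb, &bpos);` and `*mrq = mreq;` above the `if (error == EBADRPC)` test restores the invariant the commit message describes, but nothing in the macro records why the order matters, so a later cleanup could reintroduce the stale `*mrq` problem; add a comment above the `nfs_rephead()` call stating that a reply must be allocated before the early `goto nfsmout` because the `nfsmout` path treats `*mrq` as a valid reply whenever `error == 0`. It is also worth confirming in review that `nfs_rephead()` is deliberately passed `error` while it still holds EBADRPC, one line before `error = 0;`, so the reply header carries the RPC failure status as the old code did.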