'recm' was not being unconditionally cleared for each loop, leading to

system lockups (infinite loops) when a zero-length RPC is received.
Linux clients will sometimes send zero-length RPC requests.

Reorganize the use of recm in the loop.

Cc: security@freebsd.org
Submitted by:	Mike Junk <junk@isilon.com>
MFC after:	3 days
This commit is contained in:
Matthew Dillon 2002-07-17 01:07:08 +00:00
parent 21a392ac13
commit a96f7d1a1b

View File

@ -519,7 +519,7 @@ nfsrv_getstream(struct nfssvc_sock *slp, int waitflag)
struct mbuf *m, **mpp;
char *cp1, *cp2;
int len;
struct mbuf *om, *m2, *recm = NULL;
struct mbuf *om, *m2, *recm;
u_int32_t recmark;
if (slp->ns_flag & SLP_GETSTREAM)
@ -564,7 +564,11 @@ nfsrv_getstream(struct nfssvc_sock *slp, int waitflag)
/*
* Now get the record part.
*
* Note that slp->ns_reclen may be 0. Linux sometimes
* generates 0-length RPCs.
*/
recm = NULL;
if (slp->ns_cc == slp->ns_reclen) {
recm = slp->ns_raw;
slp->ns_raw = slp->ns_rawend = NULL;
@ -573,6 +577,7 @@ nfsrv_getstream(struct nfssvc_sock *slp, int waitflag)
len = 0;
m = slp->ns_raw;
om = NULL;
while (len < slp->ns_reclen) {
if ((len + m->m_len) > slp->ns_reclen) {
m2 = m_copym(m, 0, slp->ns_reclen - len,