'recm' was not being unconditionally cleared for each loop, leading to

system lockups (infinite loops) when a zero-length RPC is received.
Linux clients will sometimes send zero-length RPC requests.

Reorganize the use of recm in the loop.

Cc: security@freebsd.org
Submitted by:	Mike Junk <junk@isilon.com>
MFC after:	3 days

sys/nfsserver/nfs_srvsock.c

@@ -519,7 +519,7 @@ nfsrv_getstream(struct nfssvc_sock *slp, int waitflag)
 	struct mbuf *m, **mpp;
 	char *cp1, *cp2;
 	int len;
-	struct mbuf *om, *m2, *recm = NULL;
+	struct mbuf *om, *m2, *recm;
 	u_int32_t recmark;
 
 	if (slp->ns_flag & SLP_GETSTREAM)
@@ -564,7 +564,11 @@ nfsrv_getstream(struct nfssvc_sock *slp, int waitflag)
 
 	    /*
 	     * Now get the record part.
+	     *
+	     * Note that slp->ns_reclen may be 0.  Linux sometimes
+	     * generates 0-length RPCs.
 	     */
+	    recm = NULL;
 	    if (slp->ns_cc == slp->ns_reclen) {
 		recm = slp->ns_raw;
 		slp->ns_raw = slp->ns_rawend = NULL;
@@ -573,6 +577,7 @@ nfsrv_getstream(struct nfssvc_sock *slp, int waitflag)
 		len = 0;
 		m = slp->ns_raw;
 		om = NULL;
+
 		while (len < slp->ns_reclen) {
 			if ((len + m->m_len) > slp->ns_reclen) {
 				m2 = m_copym(m, 0, slp->ns_reclen - len,