From 66b462a989f46bd2114f2277fca3391976fb626f Mon Sep 17 00:00:00 2001 From: Ian Dowse Date: Fri, 11 Jan 2002 22:22:39 +0000 Subject: [PATCH] The macro nfsm_reply() is supposed to allocate a reply in all cases, but since the nfs cleanup, it hasn't done so in the case where `error' is EBADRPC. Callers of this macro expect it to initialise *mrq, and the `nfsmout' exit point expects a reply to be allocated if error == 0. When nfsm_reply() was called with error = EBADRPC, whatever junk was in *mrq (often a stale pointer to an old reply mbuf) would be assumed to be a valid reply and passed to pru_sosend(), causing a crash sooner or later. Fix this by allocating a reply even in the EBADRPC case like we used to do. This bug was specific to -current. --- sys/nfsserver/nfsm_subs.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/sys/nfsserver/nfsm_subs.h b/sys/nfsserver/nfsm_subs.h index f81127be70a..5d3f61b1eb4 100644 --- a/sys/nfsserver/nfsm_subs.h +++ b/sys/nfsserver/nfsm_subs.h @@ -134,12 +134,12 @@ do { \ m_freem(mrep); \ mrep = NULL; \ } \ + mreq = nfs_rephead((s), nfsd, error, &mb, &bpos); \ + *mrq = mreq; \ if (error == EBADRPC) { \ error = 0; \ goto nfsmout; \ } \ - mreq = nfs_rephead((s), nfsd, error, &mb, &bpos); \ - *mrq = mreq; \ } while (0) #define nfsm_writereply(s) \
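Review bot: The move of `mreq = nfs_rephead((s), nfsd, error, &mb, &bpos);` and `*mrq = mreq;` ahead of the `if (error == EBADRPC)` branch is the right fix for the uninitialised `*mrq`, but the branch then does `error = 0; goto nfsmout;` right after `nfs_rephead()` was called with `error == EBADRPC`, so the reply header encodes the RPC-level failure while the caller sees `error == 0` at `nfsmout`. That is intentional given the commit message, but a short comment above `if (error == EBADRPC) {` stating that the reply already carries the RPC error and that clearing `error` only skips the rest of the handler would stop a future reader from reordering these lines back. It would also help to document at the macro definition that `nfsm_reply()` now sets `*mrq` on every path, since that is the invariant the `nfsmout` exit and `pru_sosend()` callers depend on.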