upstream/opnsense-src
1
0
Fork 0
mirror of https://github.com/opnsense/src.git synced 2026-03-24 19:53:08 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

Fix a condition where nfs_statfs() can precipitate a panic. There is

Browse source 
code that says this:

        nfsm_request(vp, NFSPROC_FSSTAT, p, cred);
        if (v3)
                nfsm_postop_attr(vp, retattr);
        if (!error)
                nfsm_dissect(sfp, struct nfs_statfs *, NFSX_STATFS(v3));

The problem here is that if error != 0, nfsm_dissect() will not be
called, which leaves sfp == NULL. But nfs_statfs() does not bail out
at this point: it continues processing until it tries to dereference
sfp, which causes a panic. I was able to generate this crash under
the following conditions:

1) Set up a machine as an NFS server and NFS client, with amd running
   (using NIS maps). /usr/local is exported, though any exported fs
   can can be used to trigger the bug.
2) Log in as normal user, with home directory mounted from a SunOS 4.1.3
   NFS server via amd (along with a few other NFS filesystems from same
   machine).
3) Su to root and type the following:
   # mount localhost:/usr/local /mnt
   # df

To fix the panic, I changed the code to read:

        if (!error) {
                nfsm_dissect(sfp, struct nfs_statfs *, NFSX_STATFS(v3));
        } else
                goto nfsmout;

This is a bit kludgy in that nfsmout is a label defined by the nfsm_subs.h
macros, but these macros are themselves more than a little kludgy. This
stops the machine from crashing, but does not fix the overall bug: 'error'
somehow becomes 5 (EIO) when a statfs() is performed on the locally mounted
NFS filesystem. This seems to only happen the first time the filesystem
is accesed: on subsequent accesses, it seems to work fine again.

Now, I know there's no practical use in mounting a local filesystem
via NFS, but doing it shouldn't cause the system to melt down.
This commit is contained in:
Bill Paul 1997-06-27 19:10:46 +00:00
parent 0eb9918b17
commit de38397ecf
2 changed files with 10 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
sys/nfs/nfs_vfsops.c
View file

@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs_vfsops.c 8.12 (Berkeley) 5/20/95
* $Id: nfs_vfsops.c,v 1.42 1997/05/12 19:02:56 tegge Exp $
* $Id: nfs_vfsops.c,v 1.43 1997/06/03 17:22:47 dfr Exp $
*/
#include <sys/param.h>
@ -269,8 +269,11 @@ nfs_statfs(mp, sbp, p)
nfsm_request(vp, NFSPROC_FSSTAT, p, cred);
if (v3)
nfsm_postop_attr(vp, retattr);
if (!error)
if (!error) {
nfsm_dissect(sfp, struct nfs_statfs *, NFSX_STATFS(v3));
} else
goto nfsmout;
#ifdef __NetBSD__
#ifdef COMPAT_09
sbp->f_type = 2;

7
sys/nfsclient/nfs_vfsops.c
View file

@ -34,7 +34,7 @@
* SUCH DAMAGE.
*
* @(#)nfs_vfsops.c 8.12 (Berkeley) 5/20/95
* $Id: nfs_vfsops.c,v 1.42 1997/05/12 19:02:56 tegge Exp $
* $Id: nfs_vfsops.c,v 1.43 1997/06/03 17:22:47 dfr Exp $
*/
#include <sys/param.h>
@ -269,8 +269,11 @@ nfs_statfs(mp, sbp, p)
nfsm_request(vp, NFSPROC_FSSTAT, p, cred);
if (v3)
nfsm_postop_attr(vp, retattr);
if (!error)
if (!error) {
nfsm_dissect(sfp, struct nfs_statfs *, NFSX_STATFS(v3));
} else
goto nfsmout;
#ifdef __NetBSD__
#ifdef COMPAT_09
sbp->f_type = 2;