FreeBSD Bugzilla – Attachment 230127 Details for Bug 260412: NFS v4 client crash if server sends a second CB_SEQUENCE with wild slotid
[patch]
check for cbsequence not first op at the beginning of processing
crash11.patch (text/plain), 3.05 KB, created by
Rick Macklem
on 2021-12-15 01:26:53 UTC
Flags: patch, obsolete
>--- sys/fs/nfsclient/nfs_clstate.c.crash11 2021-12-14 15:05:26.781429000 -0800 >+++ sys/fs/nfsclient/nfs_clstate.c 2021-12-14 17:02:31.036043000 -0800 >@@ -3531,7 +3531,7 @@ nfscl_docb(struct nfsrv_descript *nd, NFSPROC_T *p) > nfsrvd_rephead(nd); > NFSM_DISSECT(tl, u_int32_t *, NFSX_UNSIGNED); > taglen = fxdr_unsigned(int, *tl); >- if (taglen < 0) { >+ if (taglen < 0 || taglen > NFSV4_OPAQUELIMIT) { > error = EBADRPC; > goto nfsmout; > } >@@ -3570,6 +3570,14 @@ nfscl_docb(struct nfsrv_descript *nd, NFSPROC_T *p) > NFSM_BUILD(repp, u_int32_t *, 2 * NFSX_UNSIGNED); > *repp++ = *tl; > op = fxdr_unsigned(int, *tl); >+ nd->nd_procnum = op; >+ if (i == 0 && op != NFSV4OP_CBSEQUENCE && minorvers != >+ NFSV4_MINORVERSION) { >+ nd->nd_repstat = NFSERR_OPNOTINSESS; >+ *repp = nfscl_errmap(nd, minorvers); >+ retops++; >+ break; >+ } > if (op < NFSV4OP_CBGETATTR || > (op > NFSV4OP_CBRECALL && minorvers == NFSV4_MINORVERSION) || > (op > NFSV4OP_CBNOTIFYDEVID && >@@ -3581,7 +3589,6 @@ nfscl_docb(struct nfsrv_descript *nd, NFSPROC_T *p) > retops++; > break; > } >- nd->nd_procnum = op; > if (op < NFSV42_CBNOPS) > nfsstatsv1.cbrpccnt[nd->nd_procnum]++; > switch (op) { >@@ -3593,9 +3600,6 @@ nfscl_docb(struct nfsrv_descript *nd, NFSPROC_T *p) > if (!error) > error = nfsrv_getattrbits(nd, &attrbits, > NULL, NULL); >- if (error == 0 && i == 0 && >- minorvers != NFSV4_MINORVERSION) >- error = NFSERR_OPNOTINSESS; > if (!error) { > mp = nfscl_getmnt(minorvers, sessionid, cbident, > &clp); >@@ -3659,9 +3663,6 @@ nfscl_docb(struct nfsrv_descript *nd, NFSPROC_T *p) > tl += (NFSX_STATEIDOTHER / NFSX_UNSIGNED); > trunc = fxdr_unsigned(int, *tl); > error = nfsm_getfh(nd, &nfhp); >- if (error == 0 && i == 0 && >- minorvers != NFSV4_MINORVERSION) >- error = NFSERR_OPNOTINSESS; > if (!error) { > NFSLOCKCLSTATE(); > if (minorvers == NFSV4_MINORVERSION) 
>@@ -3716,8 +3717,6 @@ nfscl_docb(struct nfsrv_descript *nd, NFSPROC_T *p) > NFSBCOPY(tl, stateid.other, NFSX_STATEIDOTHER); > if (minorvers == NFSV4_MINORVERSION) > error = NFSERR_NOTSUPP; >- else if (i == 0) >- error = NFSERR_OPNOTINSESS; > NFSCL_DEBUG(4, "off=%ju len=%ju sq=%u err=%d\n", > (uintmax_t)off, (uintmax_t)len, > stateid.seqid, error); >@@ -3828,6 +3827,10 @@ nfscl_docb(struct nfsrv_descript *nd, NFSPROC_T *p) > } > break; > case NFSV4OP_CBSEQUENCE: >+ if (i != 0) { >+ error = NFSERR_SEQUENCEPOS; >+ break; >+ } > NFSM_DISSECT(tl, uint32_t *, NFSX_V4SESSIONID + > 5 * NFSX_UNSIGNED); > bcopy(tl, sessionid, NFSX_V4SESSIONID); >@@ -3849,12 +3852,9 @@ nfscl_docb(struct nfsrv_descript *nd, NFSPROC_T *p) > } > } > NFSLOCKCLSTATE(); >- if (i == 0) { >- clp = nfscl_getclntsess(sessionid); >- if (clp == NULL) >- error = NFSERR_SERVERFAULT; >- } else >- error = NFSERR_SEQUENCEPOS; >+ clp = nfscl_getclntsess(sessionid); >+ if (clp == NULL) >+ error = NFSERR_SERVERFAULT; > if (error == 0) { > tsep = nfsmnt_mdssession(clp->nfsc_nmp); > error = nfsv4_seqsession(seqid, slotid,
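Review bot: the new upper bound `taglen > NFSV4_OPAQUELIMIT` in the first hunk (@@ -3531) is the right fix at the right place: a buggy or hostile server could previously hand the client an arbitrarily large tag length, and the tag dissection that follows would be driven by that value, whereas now the compound is rejected with EBADRPC before anything is walked or allocated. A one-line comment stating why NFSV4_OPAQUELIMIT is the chosen bound for the callback tag would help, since on its own the constant reads as arbitrary to the next reader.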
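Review bot: in the @@ -3570 hunk the new first-op check runs before the existing op-range validation, and `nd->nd_procnum = op;` is now assigned before that validation too (the @@ -3581 hunk removes the later assignment). Two consequences worth checking: an op number outside the valid range at position 0 on a 4.1/4.2 session is now reported as NFSERR_OPNOTINSESS rather than NFSERR_OPILLEGAL, and nfscl_errmap(nd, minorvers) is called with nd_procnum holding that unvalidated op. If nfscl_errmap indexes any per-op table by nd_procnum, the range check should come first; otherwise a short comment that it tolerates out-of-range values would document the ordering. The later `nfsstatsv1.cbrpccnt[nd->nd_procnum]++` is unaffected because it is still guarded by `op < NFSV42_CBNOPS`.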
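Review bot: dropping `else if (i == 0) error = NFSERR_OPNOTINSESS;` in the @@ -3716 hunk (and the equivalent `i == 0 && minorvers != NFSV4_MINORVERSION` checks removed in the @@ -3593 and @@ -3659 hunks) is only sound because the new first-op check in the @@ -3570 hunk now refuses any non-CB_SEQUENCE op at position 0 for minor versions other than 4.0 before the switch is reached, so the three per-op checks had become unreachable. The 4.0 path here is unchanged since it still returns NFSERR_NOTSUPP. The observable difference is that the rejection now happens before the op's arguments are dissected and the reply carries no op-specific result for it, which matches how the OPILLEGAL case just below the new check is already handled; the commit message should say so.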
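Review bot: placing the `i != 0` test before NFSM_DISSECT in the @@ -3828 hunk means a CB_SEQUENCE that is not the first op is refused without its sessionid, seqid or slotid ever being read, so nfsv4_seqsession() can no longer be reached with the slot number carried by a second CB_SEQUENCE, which is the failure the bug title describes. Because `break` leaves the switch with that op's arguments still unconsumed, this relies on the enclosing op loop stopping at the first non-zero `error` rather than trying to parse the next op from the leftover bytes; that loop exit is outside the hunk, so please confirm it, and consider a comment on the `break` noting that the arguments are deliberately not consumed.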
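Review bot: with the position check now done before dissection, the `else error = NFSERR_SEQUENCEPOS;` branch in the @@ -3849 hunk had become dead code, so removing it and un-nesting the nfscl_getclntsess() lookup is a straight simplification with no behavioural change on the remaining path: NFSERR_SERVERFAULT is still returned when no session matches, and nfsv4_seqsession(seqid, slotid, ...) still runs only when error == 0. One small point for the commit message: the old code reached this point, took NFSLOCKCLSTATE() and only then reported SEQUENCEPOS, whereas the misplaced-CB_SEQUENCE case now returns before the lock is taken at all.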