Bug 15249

Summary: nfs_serv.c can vput() junk + more
Product: Base System
Reporter: iedowse <iedowse>
Component: kern
Assignee: freebsd-bugs (Nobody) <bugs>
Status: Closed FIXED
Severity: Affects Only Me
Priority: Normal
Version: 3.3-STABLE
Hardware: Any
OS: Any
Attachments: file.diff (flags: none)

Description iedowse 1999-12-03 23:30:01 UTC
	There are a number of places in nfs_serv.c where certain badly-formed
	NFS requests can result in vput() being called on an uninitialised
	vnode pointer. In nfsrv_getattr(), nfsrv_lookup(), nfsrv_read(),
	and nfsrv_writegather(), the exit code performs a vput(vp) if vp
	is non-NULL. However, since vp is not initialised before the macro
	nfsm_srvmtofh() is invoked, it is possible for this exit code to
	get called with a junk vp if nfsm_srvmtofh() does a 'goto nfsmout'.

	Another problem that affects even more functions is that on certain
	(mainly Kerberos related) errors nfsrv_fhtovp() does not leave NULL
	in its *vpp argument.

	Finally there is a problem in nqnfsrv_getlease() where it is
	possible to get it to vput(NULL).

Fix: Apply the following patches in src/sys/nfs
	
How-To-Repeat: 
	To repeat the first problem, send a truncated request to an NFS
	server where the request ends in the middle of the filehandle.

	I haven't tried to trigger the others, but it should be fairly
	easy.
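The report describes one bug class in three places: a shared exit label that does `vput(vp)` whenever `vp` is non-NULL, reached while `vp` still holds stack garbage (or, in the `nfsrv_fhtovp()` case, a stale value the callee did not clear). The following C program is an added illustration written for this page, not the attached file.diff and not FreeBSD's nfs_serv.c; `decode_fh()`, `fh_to_vnode()`, `handle_getattr()`, `vput_stub()` and the `struct vnode` reference counter are constructed stand-ins for `nfsm_srvmtofh()`, `nfsrv_fhtovp()`, the server RPC handlers and `vput()`. It shows the two defensive rules the fix relies on: initialise `vp` to NULL before anything can `goto nfsmout`, and have the lookup routine store NULL in `*vpp` on every error path so the caller's `if (vp) vput(vp)` is always safe, including the truncated-filehandle request from How-To-Repeat.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FH_SIZE 32  /* constructed: a filehandle is 32 bytes in this model */

/* Constructed stand-in for a vnode: the reference count must end at 0
 * after every request, successful or not. */
struct vnode {
    int refs;
};

/* Constructed stand-in for vput(): drops the reference a lookup took. */
static void vput_stub(struct vnode *vp)
{
    vp->refs--;
}

/* Constructed stand-in for nfsm_srvmtofh(): a request that ends in the
 * middle of the filehandle fails, and the caller jumps to its exit label. */
static int decode_fh(const unsigned char *req, size_t len, unsigned char fh[FH_SIZE])
{
    if (len < FH_SIZE)
        return -1;
    memcpy(fh, req, FH_SIZE);
    return 0;
}

/* Constructed stand-in for nfsrv_fhtovp(): maps a filehandle to a vnode.
 * The second problem in the report is a lookup that returns an error but
 * leaves *vpp untouched; clearing it first makes every error path safe. */
static int fh_to_vnode(const unsigned char fh[FH_SIZE], struct vnode *pool,
                       struct vnode **vpp, int auth_ok)
{
    *vpp = NULL;                 /* never hand junk back to the caller */
    if (!auth_ok)
        return 2;                /* stands in for an authentication failure */
    if (fh[0] != 0x01)
        return 1;                /* stands in for a stale or unknown handle */
    pool->refs++;                /* a successful lookup returns a referenced vnode */
    *vpp = pool;
    return 0;
}

/* Handler shaped like the exit-path pattern the report describes.
 * vp starts out NULL, so the shared cleanup can test it safely. */
static int handle_getattr(const unsigned char *req, size_t len,
                          struct vnode *pool, int auth_ok)
{
    struct vnode *vp = NULL;     /* the one-line fix for the first problem */
    unsigned char fh[FH_SIZE];
    int error;

    if (decode_fh(req, len, fh) != 0) {
        error = -1;
        goto nfsmout;            /* vp is NULL here, not stack garbage */
    }
    error = fh_to_vnode(fh, pool, &vp, auth_ok);
    if (error)
        goto nfsmout;            /* vp is NULL here because fh_to_vnode cleared it */
    /* ... a real handler would build the reply from vp here ... */
nfsmout:
    if (vp)
        vput_stub(vp);           /* only for a vnode this request actually holds */
    return error;
}

/* Constructed requests: a valid handle, and a handle the lookup rejects. */
static const unsigned char good_req[FH_SIZE] = { 0x01 };
static const unsigned char bad_req[FH_SIZE] = { 0x7f };

/* Runs one request and returns the handler's error code. */
static int error_for(const unsigned char *req, size_t len, int auth_ok)
{
    struct vnode pool = { 0 };
    return handle_getattr(req, len, &pool, auth_ok);
}

/* Runs one request and returns the vnode's reference count afterwards;
 * a leak-free, junk-free handler leaves it at 0 on every path. */
static int refs_after(const unsigned char *req, size_t len, int auth_ok)
{
    struct vnode pool = { 0 };
    (void)handle_getattr(req, len, &pool, auth_ok);
    return pool.refs;
}

/* Returns 1 when a failed lookup leaves the caller's pointer NULL. */
static int lookup_clears_vpp_on_error(void)
{
    struct vnode pool = { 0 };
    struct vnode *vp = &pool;    /* pre-filled with junk on purpose */
    return fh_to_vnode(good_req, &pool, &vp, 0) != 0 && vp == NULL;
}

int main(void)
{
    printf("truncated request: error %d, refs %d\n",
           error_for(good_req, 5, 1), refs_after(good_req, 5, 1));
    printf("auth failure:      error %d, refs %d\n",
           error_for(good_req, FH_SIZE, 0), refs_after(good_req, FH_SIZE, 0));
    printf("valid request:     error %d, refs %d\n",
           error_for(good_req, FH_SIZE, 1), refs_after(good_req, FH_SIZE, 1));
    return 0;
}
```

Both rules are cheap and are what make a shared `nfsmout:` cleanup label safe to jump to from any point in the handler; the reference count staying at zero on the truncated, rejected and successful paths is the property to check when reviewing handlers built this way.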
Comment 1 Matt Dillon freebsd_committer freebsd_triage 1999-12-12 07:16:23 UTC
State Changed
From-To: open->closed

Patch with minor modifications applied to 4.x, 3.x, and 2.2.x trees.  Nice catch Ian!