Manuel Bouyer
2009-04-05 16:42:00 UTC
Hi,
I finally found the cause of the infinite recursion in m_split()
exposed by the NFS server. It's a bug in m_split() itself,
where the m_len field of a newly allocated mbuf could be left
uninitialized (see attached patch). This would cause the size of the new
chain to be computed wrongly in various places, and other issues.
If this uninitialized m_len happens to be larger than MHLEN, m_split()
will loop on it if called again on this new chain.
This is also going to cause other issues in the NFS server when trying
to get data from this chain (it'll be copied from the wrong place).
Interestingly, this bug seems to have been there for a long time;
it's already there in netbsd-3. I guess this code path would not be used
a lot before NFS became MP-safe.
I committed the attached patch and will request a pullup to netbsd-5
(and probably netbsd-4 and netbsd-3 too).
--
Manuel Bouyer <***@antioche.eu.org>
NetBSD: 26 years of experience will always make the difference
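A constructed C model of the bug class described in the mail (added here; it is not the NetBSD mbuf code or the attached patch): a toy mbuf whose fresh allocation carries a poison value in m_len, a split routine that either leaves the new head's m_len as allocated or sets it, a chain-length walk that goes wrong on the garbage value, and a sanity walk that rejects any m_len larger than MHLEN. The names ending in _model, m_chain_sane and the POISON value are assumptions of this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
/* Constructed mbuf model, not the NetBSD struct: a fixed MHLEN-byte data
 * area of which m_len bytes are in use. */
#define MHLEN  64
#define POISON 0xdeadbeefU  /* stands in for garbage in a fresh allocation */
struct mbuf {
    struct mbuf  *m_next;
    uint32_t      m_len;
    unsigned char m_dat[MHLEN];
};
/* Fresh allocation: m_len holds whatever was in memory (poison here). */
static struct mbuf *m_get_model(void) {
    struct mbuf *m = calloc(1, sizeof *m);
    m->m_len = POISON;
    return m;
}
/* Byte count of a chain: wrong as soon as one m_len is garbage. */
static uint32_t m_length_model(const struct mbuf *m) {
    uint32_t len = 0;
    for (; m != NULL; m = m->m_next)
        len += m->m_len;
    return len;
}

/* Sanity walk: no mbuf may claim more than MHLEN bytes. A chain whose head
 * carries an uninitialized m_len fails this before any data is copied. */
static int m_chain_sane(const struct mbuf *m) {
    for (; m != NULL; m = m->m_next)
        if (m->m_len > MHLEN)
            return 0;
    return 1;
}

/* Split one mbuf after len0 bytes; the tail becomes a new chain.
 * set_len == 0 reproduces the bug class (new head's m_len left as allocated),
 * set_len == 1 is the fix (m_len set to the bytes actually moved). */
static struct mbuf *m_split_model(struct mbuf *m, uint32_t len0, int set_len) {
    if (m == NULL || len0 > m->m_len)
        return NULL;
    struct mbuf *n = m_get_model();
    memcpy(n->m_dat, m->m_dat + len0, m->m_len - len0);
    if (set_len)
        n->m_len = m->m_len - len0;  /* the assignment the bug omitted */
    m->m_len = len0;
    n->m_next = m->m_next;
    m->m_next = NULL;
    return n;
}
```

With set_len == 0 the tail's m_len is the poison value, so m_length_model() returns nonsense and m_chain_sane() flags the chain; with set_len == 1 both agree with the bytes moved.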