Date: Sun, 21 Apr 2002 10:18:41 +0200 (CEST)
From: Frank Denis <j@pureftpd.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: j@pureftpd.org
Subject: kern/37304: Denial of service through bad NFS packet
Message-ID: <200204210818.g3L8IfZ32009@hosting3.clara.carpediem.fr>
>Number: 37304
>Category: kern
>Synopsis: Denial of service through bad NFS packet
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Apr 21 01:20:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Jedi/Sector One
>Release: FreeBSD 4.5-STABLE i386
>Organization:
42 Networks
>Environment:
System: FreeBSD hosting3.carpediem.fr 4.5-STABLE FreeBSD 4.5-STABLE #11: Mon Jan 28 09:43:06 CET 2002 j@hosting3.carpediem.fr:/usr/obj/usr/src/sys/J i386
>Description:
Special NFS packets can cause a kernel panic on a BSD NFS server.
It doesn't seem to be a FreeBSD-specific issue; I've found that OpenBSD is
vulnerable as well.
>How-To-Repeat:
To trigger the kernel crash, a client can mount an NFS export with the
following options:
tcp,rdirplus,-r=32768,-w=32768
The server immediately crashes after some transfers.
With UDP NFS + rdirplus, transfers hang but the server doesn't crash.
With TCP NFS + rdirplus, a kernel panic occurs because the chunk is too
large (it exceeds NFS_MAXPACKET).
>Fix:
While this may not be a correct fix, it may be better to ignore such packets
instead of going into a kernel panic (think about publicly accessible NFS
shares).
Simple patch follows:
--- sys/nfs/nfs_syscalls.c.orig Sun Apr 21 10:08:01 2002
+++ sys/nfs/nfs_syscalls.c Sun Apr 21 10:08:47 2002
@@ -622,8 +622,8 @@
m = m->m_next;
}
if (siz <= 0 || siz > NFS_MAXPACKET) {
- printf("mbuf siz=%d\n",siz);
- panic("Bad nfs svc reply");
+ printf("mbuf siz=%d - bad client options\n",siz);
+ break;
}
m = mreq;
m->m_pkthdr.len = siz;
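Review bot: The "break;" that replaces panic() in the "siz <= 0 || siz > NFS_MAXPACKET" branch skips "m = mreq; m->m_pkthdr.len = siz;", but nothing in the hunk shows the reply chain in mreq being released on that path, and the loop or switch that the break leaves is outside the visible context. Please confirm where control lands and that the mbuf chain is freed there, or free it before the break, so that each dropped reply does not leak mbufs and turn the panic into a slower exhaustion problem. The printf() is also now reachable repeatedly by a remote client instead of once before a panic, so it should be rate-limited, and the "bad client options" wording does not fit the "siz <= 0" half of the condition.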
>Release-Note:
>Audit-Trail:
>Unformatted:
