From owner-freebsd-bugs Sun Apr 21 1:20:14 2002
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 7198B37B416 for ; Sun, 21 Apr 2002 01:20:03 -0700 (PDT)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.6/8.11.6) id g3L8K3f83970; Sun, 21 Apr 2002 01:20:03 -0700 (PDT) (envelope-from gnats)
Received: from hosting3.clara.carpediem.fr (hosting3.clara.carpediem.fr [212.43.240.203]) by hub.freebsd.org (Postfix) with ESMTP id 131F937B41C for ; Sun, 21 Apr 2002 01:18:58 -0700 (PDT)
Received: (from root@localhost) by hosting3.clara.carpediem.fr (8.11.6/8.11.6) id g3L8IfZ32009; Sun, 21 Apr 2002 10:18:41 +0200 (CEST) (envelope-from j)
Message-Id: <200204210818.g3L8IfZ32009@hosting3.clara.carpediem.fr>
Date: Sun, 21 Apr 2002 10:18:41 +0200 (CEST)
From: Frank Denis
Reply-To: Frank Denis
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: j@pureftpd.org
X-Send-Pr-Version: 3.113
Subject: kern/37304: Denial of service through bad NFS packet
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         37304
>Category:       kern
>Synopsis:       Denial of service through bad NFS packet
>Confidential:   no
>Severity:       serious
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Apr 21 01:20:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator:     Jedi/Sector One
>Release:        FreeBSD 4.5-STABLE i386
>Organization:   42 Networks
>Environment:
System: FreeBSD hosting3.carpediem.fr 4.5-STABLE FreeBSD 4.5-STABLE #11: Mon Jan 28 09:43:06 CET 2002 j@hosting3.carpediem.fr:/usr/obj/usr/src/sys/J i386
>Description:
Special NFS packets can cause a kernel panic on a BSD NFS server. It doesn't seem to be a FreeBSD-specific issue; I've found that OpenBSD is vulnerable as well.
>How-To-Repeat:
To trigger the kernel crash, a client can mount an NFS export with the following options:

tcp,rdirplus,-r=32768,-w=32768

The server immediately crashes after some transfers. With UDP NFS + rdirplus, transfers hang but the server doesn't crash. With TCP NFS + rdirplus, a kernel panic occurs because the chunk is too large (it exceeds NFS_MAXPACKET).
>Fix:
While this may not be a correct fix, it may be better to ignore such packets instead of going into a kernel panic (think about publicly accessible NFS shares). Simple patch follows:

--- sys/nfs/nfs_syscalls.c.orig Sun Apr 21 10:08:01 2002 +++ sys/nfs/nfs_syscalls.c Sun Apr 21 10:08:47 2002
@@ -622,8 +622,8 @@ m = m->m_next; } if (siz <= 0 || siz > NFS_MAXPACKET) { - printf("mbuf siz=%d\n",siz); - panic("Bad nfs svc reply"); + printf("mbuf siz=%d - bad client options\n",siz); + break; } m = mreq; m->m_pkthdr.len = siz; >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
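Review bot: replacing panic() with a bare break in the NFS_MAXPACKET check leaks the oversized reply: the hunk walks mreq to compute siz but frees nothing before the break, and whether that break leaves a switch or the surrounding service loop is not visible here, so every bad reply a client can provoke leaves the whole mbuf chain allocated. Call m_freem(mreq) and run the same cleanup the other early exits of this path perform before breaking. The unthrottled printf() on a remotely triggerable path is itself a log-flooding vector; rate-limit it or count the event in nfsstats instead, and the message "bad client options" blames the client for what is a server-side reply-size overflow. Dropping the reply also converts the TCP panic into the hang the report already describes for UDP; the durable fix is to bound the readdirplus reply (the report ties the crash to rdirplus with -r=32768) so it can never exceed NFS_MAXPACKET, rather than discarding it after it has been built.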