Date: Thu, 29 Jul 1999 13:48:44 +0800 From: Peter Wemm <peter@netplex.com.au> To: Bill Paul <wpaul@skynet.ctr.columbia.edu> Cc: dillon@apollo.backplane.com (Matthew Dillon), crossd@cs.rpi.edu, current@FreeBSD.ORG Subject: Re: IRIX 6.5.4 NFS v3 TCP client + FreeBSD server = bewm Message-ID: <19990729054844.2C49C1C9E@overcee.netplex.com.au> In-Reply-To: Your message of "Wed, 28 Jul 1999 19:40:18 -0400." <199907282340.TAA15454@skynet.ctr.columbia.edu>
next in thread | previous in thread | raw e-mail | index | archive | help
Bill Paul wrote: > Of all the gin joints in all the towns in all the world, Matthew Dillon > had to walk into mine and say: > > > :This is yet another problem that we have run into here. If you check the > > :digest for -hackers it was reported awhile ago (mike smith even cc-ed it > > :to security since it may have been a kernel stack overflow) . Anyway, the > > :problem is that IRIX defaults to 32K packets on TCP NFSv3 mounts, and > > :16K on UDP NFSv3 mounts. I recommend using UDP and setting rsize=8192, > > :wsize=8192 in your amd maps (as we do now, no problems at all). > > : > > :-- > > :David Cross | email: crossd@cs.rpi.edu > > :Systems Administrator/Research Programmer | Web: http://www.cs.rpi.edu/~cr ossd > > > > Ah ha! Yes, 32K packets will certainly screw up NFS under FreeBSD. > > Uh.... could you elaborate a little? No, strike that: could you elaborate > a *lot*. A whole lot. > > > We need to fix that panic to have it simply drop the packet, I guess. > > No, we need to fix the code so it handles 32K "packets" (datagrams) > correctly. Yes, we do. I've run into this problem elsewhere but a quick fix was needed so it just got hacked. NT NFS clients tend to trigger it too. The problem is that the sanity check is a fair way away from where the problem packet is generated. The bad reply is generated in the readdirplus routine, gets replied (without checking) and cached. The client drops the (oversize) packet, resends, and the nfsd replies from the cache and this time hits the sanity check and panics. I didn't have access to the machine that was dying and don't have an NT or IRIX client to provoke it. I suspect a 32K mount from a freebsd box will do it too but (at the time) didn't have one I could afford to crash test with, and never got around to revisiting it. I will have another look shortly. Anyway, the clue is that the server readdirplus routine is the apparent culprit. > -Bill Cheers, -Peter To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19990729054844.2C49C1C9E>