Date:      Tue, 5 Jun 2007 21:17:55 +0200 (CEST)
From:      Andre Albsmeier <andre@albsmeier.net>
To:        FreeBSD-gnats-submit@FreeBSD.org
Subject:   kern/113387: [PATCH] possibly improper MFC in sys/nfsclient/nfs_socket.c
Message-ID:  <200706051917.l55JHtjn037341@voyager.home.albsmeier.net>
Resent-Message-ID: <200706051940.l55Je2gi068166@freefall.freebsd.org>



>Number:         113387
>Category:       kern
>Synopsis:       [PATCH] possibly improper MFC in sys/nfsclient/nfs_socket.c
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 05 19:40:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Andre Albsmeier
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
>Environment:

System: FreeBSD 6.2-STABLE #0: Thu May 17 14:17:47 CEST 2007

>Description:

Rev 1.138 of nfs_socket.c fixed some bugs in -current:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/nfsclient/nfs_socket.c.diff?r1=1.137;r2=1.138

Rev 1.139 apparently was a fix to the previous commit:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/nfsclient/nfs_socket.c.diff?r1=1.138;r2=1.139

If I understand the code correctly, Rev 1.138 introduced a
new, corrected way of calculating "len" but the result was
ineffective because the subsequent 'bcopy(mtod(mp,...' line
was not removed. This was fixed by Rev 1.139.

Later, the first patch was MFC'ed to -STABLE:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/nfsclient/nfs_socket.c.diff?r1=1.125.2.10;r2=1.125.2.11

However, the 'bcopy(mtod(mp,...' line is still in STABLE's
version of nfs_socket.c, which seems to be wrong.

>How-To-Repeat:

Examine the links above and/or sys/nfsclient/nfs_socket.c

>Fix:

In RELENG_6:

--- sys/nfsclient/nfs_socket.c.ORI	Wed Feb 28 16:42:10 2007
+++ sys/nfsclient/nfs_socket.c	Tue Jun  5 20:56:02 2007
@@ -922,7 +922,6 @@
 				    nmp->nm_mountp->mnt_stat.f_mntfromname);
 				goto mark_reconnect;
 			}				
-			bcopy(mtod(mp, u_int32_t *), &len, sizeof(len));
 			len = ntohl(len) & ~0x80000000;
 			m_freem(mp);
 			/*
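
Review bot: after this deletion, the context line `len = ntohl(len) & ~0x80000000;` depends entirely on len having been assigned by code above line 922, which the three lines of leading context do not show. Please widen the diff context, or state in the PR, which earlier statement now fills len, and confirm that it leaves the value in network byte order, since ntohl() is still applied here. It is also worth confirming that mp holds nothing else that is needed before the `m_freem(mp);` that follows, now that no line in this hunk reads from it.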

>Release-Note:
>Audit-Trail:
>Unformatted:


