From owner-freebsd-bugs@FreeBSD.ORG  Tue Jun  5 19:40:03 2007
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
X-Original-To: freebsd-bugs@hub.freebsd.org
Delivered-To: freebsd-bugs@hub.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 1848816A421
	for <freebsd-bugs@hub.freebsd.org>;
	Tue,  5 Jun 2007 19:40:03 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (freefall.freebsd.org [69.147.83.40])
	by mx1.freebsd.org (Postfix) with ESMTP id DB4BC13C4B7
	for <freebsd-bugs@hub.freebsd.org>;
	Tue,  5 Jun 2007 19:40:02 +0000 (UTC)
	(envelope-from gnats@FreeBSD.org)
Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1])
	by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id l55Je2e0068167
	for <freebsd-bugs@freefall.freebsd.org>; Tue, 5 Jun 2007 19:40:02 GMT
	(envelope-from gnats@freefall.freebsd.org)
Received: (from gnats@localhost)
	by freefall.freebsd.org (8.13.4/8.13.4/Submit) id l55Je2gi068166;
	Tue, 5 Jun 2007 19:40:02 GMT (envelope-from gnats)
Resent-Date: Tue, 5 Jun 2007 19:40:02 GMT
Resent-Message-Id: <200706051940.l55Je2gi068166@freefall.freebsd.org>
Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer)
Resent-To: freebsd-bugs@FreeBSD.org
Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org,
	Andre Albsmeier <andre@albsmeier.net>
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 6834416A421
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue,  5 Jun 2007 19:31:27 +0000 (UTC)
	(envelope-from andre@albsmeier.net)
Received: from outside.albsmeier.net (outside.albsmeier.net [80.81.31.28])
	by mx1.freebsd.org (Postfix) with ESMTP id EF5EA13C44C
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue,  5 Jun 2007 19:31:26 +0000 (UTC)
	(envelope-from andre@albsmeier.net)
Received: from dipb140784.dig-prov.de (dipb140784.dig-prov.de [195.238.139.22])
	(authenticated bits=128)
	by outside.albsmeier.net (8.14.1/8.14.1) with ESMTP id l55JHuub087935
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue, 5 Jun 2007 21:17:57 +0200 (CEST)
	(envelope-from andre@albsmeier.net)
Received: from voyager.home.albsmeier.net (root@voyager.home.albsmeier.net
	[192.168.128.2])
	by gate.home.albsmeier.net (8.14.1/8.14.1) with ESMTP id l55JHu0F065207
	for <FreeBSD-gnats-submit@freebsd.org>;
	Tue, 5 Jun 2007 21:17:56 +0200 (CEST)
	(envelope-from andre@gate.home.albsmeier.net)
Received: from voyager.home.albsmeier.net (andre@localhost [127.0.0.1])
	by voyager.home.albsmeier.net (8.14.1/8.14.1) with ESMTP id
	l55JHtcg037342 for <FreeBSD-gnats-submit@freebsd.org>;
	Tue, 5 Jun 2007 21:17:56 +0200 (CEST)
	(envelope-from andre@voyager.home.albsmeier.net)
Received: (from andre@localhost)
	by voyager.home.albsmeier.net (8.14.1/8.14.1/Submit) id l55JHtjn037341; 
	Tue, 5 Jun 2007 21:17:55 +0200 (CEST) (envelope-from andre)
Message-Id: <200706051917.l55JHtjn037341@voyager.home.albsmeier.net>
Date: Tue, 5 Jun 2007 21:17:55 +0200 (CEST)
From: Andre Albsmeier <andre@albsmeier.net>
To: FreeBSD-gnats-submit@FreeBSD.org
X-Send-Pr-Version: 3.113
Cc: 
Subject: kern/113387: [PATCH] possibly improper MFC in
	sys/nfsclient/nfs_socket.c
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Andre Albsmeier <andre@albsmeier.net>
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
	<mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 05 Jun 2007 19:40:03 -0000


>Number:         113387
>Category:       kern
>Synopsis:       [PATCH] possibly improper MFC in sys/nfsclient/nfs_socket.c
>Confidential:   no
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Jun 05 19:40:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator:     Andre Albsmeier
>Release:        FreeBSD 6.2-STABLE i386
>Organization:
>Environment:

System: FreeBSD 6.2-STABLE #0: Thu May 17 14:17:47 CEST 2007

>Description:

Rev 1.138 of nfs_socket.c fixed some bugs in -current:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/nfsclient/nfs_socket.c.diff?r1=1.137;r2=1.138

Rev 1.139 apparently was a fix to the previous commit:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/nfsclient/nfs_socket.c.diff?r1=1.138;r2=1.139

If I understand the code correctly, Rev 1.138 introduced a
new, corrected way of calculating "len" but the result was
ineffective because the subsequent 'bcopy(mtod(mp,...' line
was not removed. This was fixed by Rev 1.139.

Later, the first patch was MFC'ed to -STABLE:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/nfsclient/nfs_socket.c.diff?r1=1.125.2.10;r2=1.125.2.11

However, the 'bcopy(mtod(mp,...' line is still in STABLE's
version of nfs_socket.c what seems to be wrong.

>How-To-Repeat:

Examine the links above and/or sys/nfsclient/nfs_socket.c

>Fix:

In RELENG_6:

--- sys/nfsclient/nfs_socket.c.ORI	Wed Feb 28 16:42:10 2007
+++ sys/nfsclient/nfs_socket.c	Tue Jun  5 20:56:02 2007
@@ -922,7 +922,6 @@
 				    nmp->nm_mountp->mnt_stat.f_mntfromname);
 				goto mark_reconnect;
 			}				
-			bcopy(mtod(mp, u_int32_t *), &len, sizeof(len));
 			len = ntohl(len) & ~0x80000000;
 			m_freem(mp);
 			/*

>Release-Note:
>Audit-Trail:
>Unformatted: