[Bug 260266] NFS callback RPC with negative taglen can crash client

From: <bugzilla-noreply_at_freebsd.org>
Date: Wed, 08 Dec 2021 21:58:11 UTC

Rick Macklem <rmacklem@FreeBSD.org> changed:

           What    |Removed                     |Added
           Assignee|bugs@FreeBSD.org            |rmacklem@FreeBSD.org
             Status|New                         |Open

--- Comment #1 from Rick Macklem <rmacklem@FreeBSD.org> ---
Created attachment 229981
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=229981&action=edit
properly sanity check the callback taglen

The sanity check for taglen in the callback request
was incorrect in two ways.
1 - It did not check for an excessively large value.
2 - It did not set the taglen to -1 when the sanity check failed.
This patch fixes the above and should stop the crashes.

Maybe the reporter can confirm that the patch stops the
crashes for them?

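The two-sided length check described in the comment above, as an added C example that is not the attached patch or FreeBSD source. `TAG_MAX`, `parse_tag`, `checked_taglen`, the XDR-style length-prefixed layout and the sample requests are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TAG_MAX 1024 /* assumed limit for this example, not taken from the patch */

/* Constructed sample requests: 4-byte big-endian taglen, then the tag bytes. */
static const unsigned char ok_req[]    = { 0, 0, 0, 3, 'a', 'b', 'c', 0 };
static const unsigned char neg_req[]   = { 0xff, 0xff, 0xff, 0xff }; /* taglen -1 */
static const unsigned char huge_req[]  = { 0x7f, 0xff, 0xff, 0xff }; /* too large */
static const unsigned char short_req[] = { 0, 0, 0, 8, 'a', 'b', 'c', 'd' };

/* Decode a signed 32-bit big-endian (XDR) integer. */
static int32_t xdr_i32(const unsigned char *p)
{
    return (int32_t)(((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
        ((uint32_t)p[2] << 8) | (uint32_t)p[3]);
}

/*
 * Copy the tag into tag[] (at least TAG_MAX bytes). Returns 0 on success.
 * On any failure returns -1 and leaves *taglenp at -1, so no later code
 * path can act on a length that was rejected.
 */
int parse_tag(const unsigned char *buf, size_t len, char *tag, int32_t *taglenp)
{
    int32_t taglen;

    *taglenp = -1;                      /* sentinel until fully validated */
    if (len < 4)
        return -1;
    taglen = xdr_i32(buf);
    if (taglen < 0 || taglen > TAG_MAX) /* lower and upper bound */
        return -1;
    if ((((size_t)taglen + 3) & ~(size_t)3) > len - 4) /* padded to 4 bytes */
        return -1;
    memcpy(tag, buf + 4, (size_t)taglen);
    *taglenp = taglen;
    return 0;
}

/* Returns the validated tag length, or -1 if the request was rejected. */
int32_t checked_taglen(const unsigned char *buf, size_t len)
{
    char tag[TAG_MAX];
    int32_t n;

    (void)parse_tag(buf, len, tag, &n);
    return n;
}

int main(void)
{
    printf("%d %d\n", (int)checked_taglen(ok_req, sizeof(ok_req)),
        (int)checked_taglen(neg_req, sizeof(neg_req)));
    return 0;
}
```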