From nobody Wed Dec 15 01:26:53 2021
X-Original-To: bugs@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 7FD0018DD791
	for <bugs@mlmmj.nyi.freebsd.org>; Wed, 15 Dec 2021 01:26:53 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4JDHf51cYCz3qjD
	for <bugs@FreeBSD.org>; Wed, 15 Dec 2021 01:26:53 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org [IPv6:2610:1c1:1:606c::50:1d])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(Client did not present a certificate)
	by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 0EBD5133C0
	for <bugs@FreeBSD.org>; Wed, 15 Dec 2021 01:26:53 +0000 (UTC)
	(envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org ([127.0.1.5])
	by kenobi.freebsd.org (8.15.2/8.15.2) with ESMTP id 1BF1Qq2W085635
	for <bugs@FreeBSD.org>; Wed, 15 Dec 2021 01:26:52 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
Received: (from www@localhost)
	by kenobi.freebsd.org (8.15.2/8.15.2/Submit) id 1BF1QqUT085634
	for bugs@FreeBSD.org; Wed, 15 Dec 2021 01:26:52 GMT
	(envelope-from bugzilla-noreply@freebsd.org)
X-Authentication-Warning: kenobi.freebsd.org: www set sender to bugzilla-noreply@freebsd.org using -f
From: bugzilla-noreply@freebsd.org
To: bugs@FreeBSD.org
Subject: [Bug 260412] NFS v4 client crash if server sends a second
 CB_SEQUENCE with wild slotid
Date: Wed, 15 Dec 2021 01:26:53 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Some People
X-Bugzilla-Who: rmacklem@FreeBSD.org
X-Bugzilla-Status: Open
X-Bugzilla-Resolution: 
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: rmacklem@FreeBSD.org
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_status assigned_to attachments.created
Message-ID: <bug-260412-227-yrY6Hr4wSn@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-260412-227@https.bugs.freebsd.org/bugzilla/>
References: <bug-260412-227@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-bugs
List-Help: <mailto:freebsd-bugs+help@freebsd.org>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Subscribe: <mailto:freebsd-bugs+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-bugs+unsubscribe@freebsd.org>
Sender: owner-freebsd-bugs@freebsd.org
MIME-Version: 1.0
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1639531613;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=YGwBOuv7FhFw57rHSp6BXXeVL6hnV5l3Th0+sU9mDSc=;
	b=gTCm53Rcn8DE1NxbRrECfp9Q7Jy76eV3dCCFvX5jh2MuWwRNCqrr3jbmCcpkW546PA9lIY
	vHFR68zt5a4NQDdq8theQeB8266dMwdXqDiH4yDjDh8DrCfImVoEyd87jI10Tvad2Npj+v
	xKpAkJyfJ8qfjw4k+RR1cYbPGn1jjPdone6Vzc3aGL/8Mvhn6+tz+db0xH0bZRvi735bCi
	V0iMyQxdgMPQlXOcSdyjElhX6bsequhAxHOoD/8vS18KwLQNfH1WFc7UQrcI0ieTa5OM/r
	xe1FY+WAm792Kcb1gpz/k5KtRiqwf4reG9pxLPCqCX24wk2TrV2MYhuUT2odyA==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1639531613; a=rsa-sha256; cv=none;
	b=AZDpSItt8n8HDleRXaq/UeyyHd9EozUR/EryBk4ZX3n+ZymTlNPD/bdVcIXJLZGal9ybDE
	nGdz+Oe287U9X824AmZt1soMXtYb/OokNZ/Mx4ZL6+7CpLs8fM4l9pxyCE6u+HvhvIjwU6
	/L+OpKkpl1T1J0FACQ8bfBpkoUZP4swrB+mXp/CzRQJMZigqZdzmaTPDENmASBENvaeXWI
	IL5Id31SSpQNddgxSAXnkVoqL6rNwxRZRp/guKzhahMRb7rtZbcmodMgijAsFea+n8uIjn
	orQyxGw8FS2voLzCAykLcs6LhyjE7SaGFhqRmNDV1oE5pNyBgCGrP3HK2iWXUw==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
X-ThisMailContainsUnwantedMimeParts: N

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=3D260412

Rick Macklem <rmacklem@FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|New                         |Open
           Assignee|bugs@FreeBSD.org            |rmacklem@FreeBSD.org

--- Comment #1 from Rick Macklem <rmacklem@FreeBSD.org> ---
Created attachment 230127
  --> https://bugs.freebsd.org/bugzilla/attachment.cgi?id=3D230127&action=
=3Dedit
check for cbsequence not first op at the beginning of processing

This patch should stop the crashes.
It moves the check for "not first op" to
the beginning of CB_Sequence processing.

It also fixes a couple of other things:
- Adds a sanity check for a large taglen.
- Moves the check for "no cbsequence" to
  the beginning of op processing, since the
  check was in some CB ops, but not all of them.

Maybe the reporter can confirm it fixes the problem for them?

--=20
You are receiving this mail because:
You are the assignee for the bug.=