kern/113387: [PATCH] possibly improper MFC in
sys/nfsclient/nfs_socket.c
Andre Albsmeier
andre at albsmeier.net
Tue Jun 5 19:40:03 UTC 2007
>Number: 113387
>Category: kern
>Synopsis: [PATCH] possibly improper MFC in sys/nfsclient/nfs_socket.c
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Jun 05 19:40:02 GMT 2007
>Closed-Date:
>Last-Modified:
>Originator: Andre Albsmeier
>Release: FreeBSD 6.2-STABLE i386
>Organization:
>Environment:
System: FreeBSD 6.2-STABLE #0: Thu May 17 14:17:47 CEST 2007
>Description:
Rev 1.138 of nfs_socket.c fixed some bugs in -current:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/nfsclient/nfs_socket.c.diff?r1=1.137;r2=1.138
Rev 1.139 apparently was a fix to the previous commit:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/nfsclient/nfs_socket.c.diff?r1=1.138;r2=1.139
If I understand the code correctly, Rev 1.138 introduced a
new, corrected way of calculating "len" but the result was
ineffective because the subsequent 'bcopy(mtod(mp,...' line
was not removed. This was fixed by Rev 1.139.
Later, the first patch was MFC'ed to -STABLE:
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/nfsclient/nfs_socket.c.diff?r1=1.125.2.10;r2=1.125.2.11
However, the 'bcopy(mtod(mp,...' line is still in STABLE's
version of nfs_socket.c what seems to be wrong.
>How-To-Repeat:
Examine the links above and/or sys/nfsclient/nfs_socket.c
>Fix:
In RELENG_6:
--- sys/nfsclient/nfs_socket.c.ORI Wed Feb 28 16:42:10 2007
+++ sys/nfsclient/nfs_socket.c Tue Jun 5 20:56:02 2007
@@ -922,7 +922,6 @@
nmp->nm_mountp->mnt_stat.f_mntfromname);
goto mark_reconnect;
}
- bcopy(mtod(mp, u_int32_t *), &len, sizeof(len));
len = ntohl(len) & ~0x80000000;
m_freem(mp);
/*
>Release-Note:
>Audit-Trail:
>Unformatted:
More information about the freebsd-bugs
mailing list