[Bug 235582] rpc_svc_gss / nfsd kernel panic

[bugzilla-noreply at freebsd.org]

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=235582

--- Comment #2 from Peter Eriksson <peter.x.eriksson at liu.se> ---
This is a huge wild chance, but I was looking at the assembler code for the
svc_rpc_gss function at around the offset (0x8f2 = 2290) and it looks like
this:

0xffffffff8286d4bc <svc_rpc_gss+2268>:  callq  0xffffffff8286bc50
<rpc_gss_oid_to_mech>
0xffffffff8286d4c1 <svc_rpc_gss+2273>:  mov    0x78(%r14),%rsi
0xffffffff8286d4c5 <svc_rpc_gss+2277>:  lea    -0x38(%rbp),%rdi
0xffffffff8286d4c9 <svc_rpc_gss+2281>:  lea    -0x70(%rbp),%rdx
0xffffffff8286d4cd <svc_rpc_gss+2285>:  callq  0xffffffff828678b0
<gss_export_name>
0xffffffff8286d4d2 <svc_rpc_gss+2290>:  test   %eax,%eax
0xffffffff8286d4d4 <svc_rpc_gss+2292>:  je     0xffffffff8286d932
<svc_rpc_gss+3410>

Looking at the source code in the svc_rpcsec_gss.c file this _might_ correspond
to code in svc_rpc_gss_accept_sec_context() at around line 941:

            client->cl_rawcred.version = RPCSEC_GSS_VERSION;
                rpc_gss_oid_to_mech(mech, &client->cl_rawcred.mechanism);
                maj_stat = gss_export_name(&min_stat, client->cl_cname,
                    &export_name);
                if (maj_stat != GSS_S_COMPLETE) {
                        rpc_gss_log_status("gss_export_name", client->cl_mech,
                            maj_stat, min_stat);
                        return (FALSE);
                }
                client->cl_rawcred.client_principal =
                        mem_alloc(sizeof(*client->cl_rawcred.client_principal)
                            + export_name.length);
                client->cl_rawcred.client_principal->len = export_name.length;
                memcpy(client->cl_rawcred.client_principal->name,
                    export_name.value, export_name.length);

-- 
You are receiving this mail because:
You are the assignee for the bug.