From owner-freebsd-bugs Mon Feb 3 14:10:16 2003
Message-Id: <200302032205.h13M5ad41934@amsterdam.lcs.mit.edu>
Date: Mon, 3 Feb 2003 17:05:36 -0500 (EST)
From: Russ Cox
Reply-To: Russ Cox
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: rsc@amsterdam.lcs.mit.edu
X-Send-Pr-Version: 3.113
Subject: kern/47874: NFS server crashes when given mount daemon requests
Sender: owner-freebsd-bugs@FreeBSD.ORG

>Number:         47874
>Category:       kern
>Synopsis:       NFS server crashes when given mount daemon requests
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 03 14:10:10 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Russ Cox
>Release:        FreeBSD 4.5-RELEASE-p23 i386
>Organization:
	MIT LCS
>Environment:
	System: FreeBSD amsterdam.lcs.mit.edu 4.5-RELEASE-p23 FreeBSD
	4.5-RELEASE-p23 #0: Thu Jan 30 17:00:22 EST 2003
	rsc@amsterdam.lcs.mit.edu:/disk/am1/rsc/freebsd/compile/PDOS-PAUSING i386
>Description:
	If you send an NFS mount RPC to the NFS server (instead of to the
	mount server), then the NFS server crashes. It crashes in
	nfs_syscalls.c in the function dispatch a couple lines below the
	only instance of writegather in that file.

	I think somehow the fact that the unmarshal failed is being ignored,
	and so the server is not correctly responding with program
	unavailable.

	This bug does not exist in 4.5-RELEASE nor does it exist in 5.0.
>How-To-Repeat:
	perl -e '
	print "\x80\x00\x00\x28\x31\x23\xee\x70\x00\x00\x00\x00\x00\x00\x00\x02" .
	      "\x00\x01\x86\xa5\x00\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00\x00" .
	      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
	' | nc your-machine 2049
>Fix:
	I inserted a check for a bad function pointer in the dispatch, but
	that's not the right fix -- we shouldn't be getting into the NFS
	service code at all!
>Release-Note:
>Audit-Trail:
>Unformatted:
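
Added example, not part of the original report and not FreeBSD's code: a user-space C sketch of the header validation the report says should keep this message out of the NFS service code. The function name classify_rpc_call and the verdict names are hypothetical, and it assumes a server offering NFS versions 2 and 3; it decodes the 44 bytes from How-To-Repeat (program 100005, the mount daemon) and yields "program unavailable".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Verdicts; the *_UNAVAIL and PROG_MISMATCH ones map to RFC 5531 accept_stat replies. */
enum verdict { V_DISPATCH, V_PROG_UNAVAIL, V_PROG_MISMATCH, V_PROC_UNAVAIL,
               V_RPC_MISMATCH, V_DROP };

#define NFS_PROGRAM 100003u /* mountd, the program in the report, is 100005 */

/* The 44 bytes from the report's How-To-Repeat: record mark + RPC call. */
static const uint8_t pr_sample[44] = {
    0x80,0x00,0x00,0x28, 0x31,0x23,0xee,0x70, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x02,
    0x00,0x01,0x86,0xa5, 0x00,0x00,0x00,0x03, 0x00,0x00,0x00,0x02, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 };

static uint32_t be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Hypothetical helper: decide what to do with a TCP-framed RPC message
 * before any per-procedure function table is indexed.
 * Credentials and verifier are not parsed here. */
enum verdict classify_rpc_call(const uint8_t *buf, size_t len)
{
    if (len < 4) return V_DROP;
    size_t frag = be32(buf) & 0x7fffffffu;          /* top bit = last fragment */
    if (frag < 24 || frag > len - 4) return V_DROP; /* need xid..proc, all present */
    const uint8_t *p = buf + 4;
    uint32_t mtype = be32(p + 4), rpcvers = be32(p + 8);
    uint32_t prog = be32(p + 12), vers = be32(p + 16), proc = be32(p + 20);

    if (mtype != 0) return V_DROP;                  /* 0 = CALL; replies are not served */
    if (rpcvers != 2) return V_RPC_MISMATCH;
    if (prog != NFS_PROGRAM) return V_PROG_UNAVAIL; /* the reply the report expects */
    if (vers != 2 && vers != 3) return V_PROG_MISMATCH;
    if (proc >= (vers == 3 ? 22u : 18u)) return V_PROC_UNAVAIL; /* v3: 0..21, v2: 0..17 */
    return V_DISPATCH;
}

int main(void)
{
    printf("verdict for the report's message: %d\n",
           classify_rpc_call(pr_sample, sizeof pr_sample));
    return 0;
}
```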