Date:      Mon, 3 Feb 2003 17:05:36 -0500 (EST)
From:      Russ Cox <rsc@amsterdam.lcs.mit.edu>
To:        FreeBSD-gnats-submit@FreeBSD.org
Cc:        rsc@amsterdam.lcs.mit.edu
Subject:   kern/47874: NFS server crashes when given mount daemon requests
Message-ID:  <200302032205.h13M5ad41934@amsterdam.lcs.mit.edu>


>Number:         47874
>Category:       kern
>Synopsis:       NFS server crashes when given mount daemon requests
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 03 14:10:10 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Russ Cox
>Release:        FreeBSD 4.5-RELEASE-p23 i386
>Organization:
MIT LCS
>Environment:
System: FreeBSD amsterdam.lcs.mit.edu 4.5-RELEASE-p23 FreeBSD 4.5-RELEASE-p23 #0: Thu Jan 30 17:00:22 EST 2003 rsc@amsterdam.lcs.mit.edu:/disk/am1/rsc/freebsd/compile/PDOS-PAUSING i386


	
>Description:

	If you send an NFS mount RPC to the NFS server (instead of to
	the mount server), then the NFS server crashes.  It crashes
	in nfs_syscalls.c in the function dispatch a couple lines below
	the only instance of writegather in that file.

	I think somehow the fact that the unmarshal failed is being
	ignored, and so the server is not correctly responding with
	program unavailable.

	This bug does not exist in 4.5-RELEASE nor does it exist in 5.0.

>How-To-Repeat:

perl -e '
	print "\x80\x00\x00\x28\x31\x23\xee\x70\x00\x00\x00\x00\x00\x00\x00\x02"
	. "\x00\x01\x86\xa5\x00\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00\x00"
	. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
' | nc your-machine 2049

>Fix:

	I inserted a check for a bad function pointer in the dispatch,
	but that's not the right fix -- we shouldn't be getting into the
	NFS service code at all!

>Release-Note:
>Audit-Trail:
>Unformatted:
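
The request in How-To-Repeat is one TCP record carrying an ONC RPC call for program 100005 (mount), version 3, procedure 2, sent to the NFS port. The code below is an added example, not part of the original report and not FreeBSD's code: it decodes that header and returns the status an NFS-only listener should answer with. The function name, the `verdict` enum, and the served versions and procedure counts (NFS v2 with 18 procedures, v3 with 22) are assumptions.

```c
#include <stddef.h>
#include <stdint.h>

/* ONC RPC constants (RFC 5531) and the well-known program numbers. */
enum { RPC_CALL = 0, RPC_VERS = 2, PROG_NFS = 100003, PROG_MOUNT = 100005 };
/* 0..4 are RPC accept_stat values; RPC_MISMATCH is a local marker for the
 * MSG_DENIED case and is not an accept_stat. */
enum verdict { ACCEPT = 0, PROG_UNAVAIL = 1, PROG_MISMATCH = 2,
               PROC_UNAVAIL = 3, GARBAGE_ARGS = 4, RPC_MISMATCH = 100 };

/* The 44 bytes printed by the perl one-liner in How-To-Repeat. */
static const uint8_t report_request[] = {
    0x80,0x00,0x00,0x28, 0x31,0x23,0xee,0x70, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x02,
    0x00,0x01,0x86,0xa5, 0x00,0x00,0x00,0x03, 0x00,0x00,0x00,0x02, 0x00,0x00,0x00,0x00,
    0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00, 0x00,0x00,0x00,0x00 };

/* Read one big-endian (XDR) 32-bit word. */
static uint32_t be32(const uint8_t *p) {
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Classify one TCP record: 4-byte record marker, then
 * xid, msg_type, rpcvers, prog, vers, proc (credentials follow). */
enum verdict classify_call(const uint8_t *buf, size_t len) {
    if (len < 4) return GARBAGE_ARGS;
    uint32_t frag = be32(buf) & 0x7fffffffu;       /* drop the last-fragment bit */
    if (frag > len - 4 || frag < 6 * 4) return GARBAGE_ARGS;
    const uint8_t *m = buf + 4;
    if (be32(m + 4) != RPC_CALL) return GARBAGE_ARGS;
    if (be32(m + 8) != RPC_VERS) return RPC_MISMATCH;
    uint32_t prog = be32(m + 12), vers = be32(m + 16), proc = be32(m + 20);
    if (prog != PROG_NFS) return PROG_UNAVAIL;     /* the reply the report expects */
    if (vers != 2 && vers != 3) return PROG_MISMATCH;
    /* Bound the procedure number before it is used to pick a handler. */
    if (proc >= (vers == 3 ? 22u : 18u)) return PROC_UNAVAIL;
    return ACCEPT;
}
```

`classify_call(report_request, sizeof report_request)` yields `PROG_UNAVAIL`, so the request never reaches a procedure table lookup.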
