Date: Mon, 3 Feb 2003 17:05:36 -0500 (EST)
From: Russ Cox <rsc@amsterdam.lcs.mit.edu>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: rsc@amsterdam.lcs.mit.edu
Subject: kern/47874: NFS server crashes when given mount daemon requests
Message-ID: <200302032205.h13M5ad41934@amsterdam.lcs.mit.edu>

>Number:         47874
>Category:       kern
>Synopsis:       NFS server crashes when given mount daemon requests
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 03 14:10:10 PST 2003
>Closed-Date:
>Last-Modified:
>Originator:     Russ Cox
>Release:        FreeBSD 4.5-RELEASE-p23 i386
>Organization:
MIT LCS
>Environment:
System: FreeBSD amsterdam.lcs.mit.edu 4.5-RELEASE-p23 FreeBSD 4.5-RELEASE-p23 #0: Thu Jan 30 17:00:22 EST 2003 rsc@amsterdam.lcs.mit.edu:/disk/am1/rsc/freebsd/compile/PDOS-PAUSING i386

>Description:
If you send an NFS mount RPC to the NFS server (instead of to
the mount server), then the NFS server crashes. It crashes in
nfs_syscalls.c in the function dispatch a couple lines below the
only instance of writegather in that file. I think somehow the
fact that the unmarshal failed is being ignored, and so the server
is not correctly responding with program unavailable.

This bug does not exist in 4.5-RELEASE nor does it exist in 5.0.

>How-To-Repeat:
perl -e '
print "\x80\x00\x00\x28\x31\x23\xee\x70\x00\x00\x00\x00\x00\x00\x00\x02" .
"\x00\x01\x86\xa5\x00\x00\x00\x03\x00\x00\x00\x02\x00\x00\x00\x00" .
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
' | nc your-machine 2049

>Fix:
I inserted a check for a bad function pointer in the dispatch,
but that's not the right fix -- we shouldn't be getting into
the NFS service code at all!

>Release-Note:
>Audit-Trail:
>Unformatted:
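
Added example, not part of the original report and not FreeBSD's code: a C sketch of the RPC call-header validation a server can run before looking up any NFS handler, applied to the bytes from How-To-Repeat (which decode to program 100005, the mount program, rather than 100003). The names check_call, be32, report_msg and nfs_nproc, and the negative return codes, are illustrative assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NFS_PROGRAM 100003u /* ONC RPC program number for NFS (mount is 100005) */

/* accept_stat values from the ONC RPC spec; negative codes are local to this sketch */
enum { RPC_SUCCESS = 0, PROG_UNAVAIL = 1, PROG_MISMATCH = 2, PROC_UNAVAIL = 3,
       NOT_A_CALL = -1, BAD_RPC_VERSION = -2, TOO_SHORT = -3 };

/* Number of procedures defined for NFSv2 and NFSv3, indexed by version */
static const uint32_t nfs_nproc[] = { 0, 0, 18, 22 };

/* The 40-byte call from the report's How-To-Repeat, minus the 4-byte record marker */
static const uint8_t report_msg[40] = {
    0x31, 0x23, 0xee, 0x70,  0x00, 0x00, 0x00, 0x00,  /* xid, msg_type = CALL */
    0x00, 0x00, 0x00, 0x02,  0x00, 0x01, 0x86, 0xa5,  /* rpcvers = 2, prog = 100005 */
    0x00, 0x00, 0x00, 0x03,  0x00, 0x00, 0x00, 0x02,  /* vers = 3, proc = 2 */
    /* remaining 16 bytes (AUTH_NONE credential and verifier) are zero */
};

static uint32_t be32(const uint8_t *p)
{
    return (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3];
}

/* Decide how to answer a call before any NFS handler is looked up. */
int check_call(const uint8_t *msg, size_t len)
{
    if (len < 24)                        /* xid through proc is six 32-bit words */
        return TOO_SHORT;
    if (be32(msg + 4) != 0)              /* msg_type must be CALL (0) */
        return NOT_A_CALL;
    if (be32(msg + 8) != 2)              /* ONC RPC protocol version */
        return BAD_RPC_VERSION;
    uint32_t prog = be32(msg + 12), vers = be32(msg + 16), proc = be32(msg + 20);
    if (prog != NFS_PROGRAM)
        return PROG_UNAVAIL;             /* the reply the report expected */
    if (vers < 2 || vers > 3)
        return PROG_MISMATCH;
    if (proc >= nfs_nproc[vers])
        return PROC_UNAVAIL;             /* never index a handler table out of range */
    return RPC_SUCCESS;
}

int main(void)
{
    printf("report message -> accept_stat %d\n", check_call(report_msg, sizeof report_msg));
    return 0;
}
```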