Date: Sun, 21 Apr 2002 10:18:41 +0200 (CEST)
From: Frank Denis <j@pureftpd.org>
To: FreeBSD-gnats-submit@FreeBSD.org
Cc: j@pureftpd.org
Subject: kern/37304: Denial of service through bad NFS packet
Message-ID: <200204210818.g3L8IfZ32009@hosting3.clara.carpediem.fr>
>Number: 37304
>Category: kern
>Synopsis: Denial of service through bad NFS packet
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Sun Apr 21 01:20:02 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Jedi/Sector One
>Release: FreeBSD 4.5-STABLE i386
>Organization: 42 Networks
>Environment:
System: FreeBSD hosting3.carpediem.fr 4.5-STABLE FreeBSD 4.5-STABLE #11: Mon Jan 28 09:43:06 CET 2002 j@hosting3.carpediem.fr:/usr/obj/usr/src/sys/J i386
>Description:
Special NFS packets can cause a kernel panic on a BSD NFS server.
It doesn't seem to be a FreeBSD-specific issue; I've found that OpenBSD is vulnerable as well.
>How-To-Repeat:
To trigger the kernel crash, a client can mount an NFS export with the following options:
tcp,rdirplus,-r=32768,-w=32768
The server immediately crashes after some transfers.
With UDP NFS + rdirplus, transfers hang but the server doesn't crash.
With TCP NFS + rdirplus, a kernel panic occurs because the chunk is too large (it exceeds NFS_MAXPACKET).
>Fix:
While this may not be a correct fix, it may be better to ignore such packets instead of going into a kernel panic (think about publicly accessible NFS shares).
Simple patch follows:
--- sys/nfs/nfs_syscalls.c.orig Sun Apr 21 10:08:01 2002 +++ sys/nfs/nfs_syscalls.c Sun Apr 21 10:08:47 2002 @@ -622,8 +622,8 @@ m = m->m_next; } if (siz <= 0 || siz > NFS_MAXPACKET) { - printf("mbuf siz=%d\n",siz); - panic("Bad nfs svc reply"); + printf("mbuf siz=%d - bad client options\n",siz); + break; } m = mreq; m->m_pkthdr.len = siz;
>Release-Note:
>Audit-Trail:
>Unformatted:
To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message
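Review bot: the `break` added in the `siz <= 0 || siz > NFS_MAXPACKET` branch skips `m = mreq; m->m_pkthdr.len = siz;` without any visible release of the reply chain `mreq`, so each oversized reply may now leak its mbufs and trade the panic for slow resource exhaustion. Please confirm what the enclosing construct does after the `break` (it is outside this hunk) and free the chain explicitly before leaving, for example with `m_freem(mreq)`, if nothing downstream does. The replacement `printf` is also reachable by any client that can mount the export and is not rate limited, so repeated bad requests can flood the console and logs; and the text "bad client options" states a cause the check itself does not establish, since it also fires for `siz <= 0`. Since the reply is only measured here after it has been built, a more complete fix would bound the client-requested read and readdirplus sizes before the reply is assembled, keeping this check as a last-resort guard.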