Module Name:    src
Committed By:   bouyer
Date:           Sun Apr  5 16:31:21 UTC 2009

Modified Files:
        src/sys/kern: uipc_mbuf.c

Log Message:
m_split0(): If the newly allocated mbuf holds only the header,
don't forget to set m_len to 0. Otherwise whatever will compute the size
of this chain (including m_split() itself if called again on this chain)
will get it wrong, leading to various issues.

Bug exposed by the NFS server code with Linux clients using TCP mounts.


To generate a diff of this commit:
cvs rdiff -u -r1.131 -r1.132 src/sys/kern/uipc_mbuf.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/kern/uipc_mbuf.c
diff -u src/sys/kern/uipc_mbuf.c:1.131 src/sys/kern/uipc_mbuf.c:1.132
--- src/sys/kern/uipc_mbuf.c:1.131	Sun Mar 15 17:14:40 2009
+++ src/sys/kern/uipc_mbuf.c	Sun Apr  5 16:31:21 2009
@@ -1,4 +1,4 @@
-/*	$NetBSD: uipc_mbuf.c,v 1.131 2009/03/15 17:14:40 cegger Exp $	*/
+/*	$NetBSD: uipc_mbuf.c,v 1.132 2009/04/05 16:31:21 bouyer Exp $	*/
 
 /*-
  * Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@@ -62,7 +62,7 @@
  */
 
 #include <sys/cdefs.h>
-__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.131 2009/03/15 17:14:40 cegger Exp $");
+__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.132 2009/04/05 16:31:21 bouyer Exp $");
 
 #include "opt_mbuftrace.h"
 #include "opt_ddb.h"
@@ -1056,6 +1056,7 @@
 		if (remain > MHLEN) {
 			/* m can't be the lead packet */
 			MH_ALIGN(n, 0);
+			n->m_len = 0;
 			n->m_next = m_split(m, len, wait);
 			if (n->m_next == 0) {
 				(void) m_free(n);
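Review bot: The new `n->m_len = 0;` in the `remain > MHLEN` branch has no comment, and the reason for it is not evident from the surrounding lines. A short note such as `/* n holds only the packet header, no data */` would keep a later cleanup from dropping the assignment as redundant. Since the stale length only shows up when something later walks the chain and sums `m_len`, an assertion at the end of the function that the lengths of the returned chain add up to the expected remainder would catch a regression here early. The other paths that fill in `n` are outside this hunk; it is worth confirming that each of them sets `n->m_len` before returning as well.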
