CVSROOT: /cvs
Module name: src
Changes by: bl...@cvs.openbsd.org 2024/09/15 16:35:07

Modified files:
    sys/nfs : Tag: OPENBSD_7_4 nfs_socket.c nfsm_subs.h

Log message:
After calling m_freem() on nmi_mrep (or nmi_mreq) set the pointer to NULL.
Only do this if struct nfsm_info doesn't have local scope.
In some cases the caller would perform another m_freem and double free
the mbuf and Bad Things(TM) would happen.
from claudio@; Reported by Claes M Nyberg on bugs@; with & ok miod@

nfsm_srvnamesiz() may set up an NFSERR_NAMETOL error, which nfsm_reply()
would consider as not tragic enough to abort the operation, in order to
batch error replies.
This would end up invoking nfs_namei() using the length obtained from the
NFS request, and Bad Things(TM) would happen if this value is larger than
MAXPATHLEN.
from miod@; Reported by Claes M Nyberg on bugs@; tweaks & ok claudio@

this is errata/7.4/021_nfs.patch.sig