Subject: Re: lfs_cleanerd couldn't init: error code -4
To: Kurt Schreiner <ks@ub.uni-mainz.de>
From: Martin Husemann <martin@duskware.de>
List: current-users
Date: 08/06/2006 10:31:53

On Sat, Aug 05, 2006 at 11:48:02PM +0200, Kurt Schreiner wrote:
> The problem showed up after I installed kernel and userland on August 4:
> Aug  4 19:40:32 ipaddi-bsd lfs_cleanerd[474]: /home: couldn't init: error code -4
> Aug  4 19:40:32 ipaddi-bsd lfs_cleanerd[474]: : detaching cleaner

I think backing out the

  - vfs_copyinfh_alloc_size: check fhsize strictly.

of rev. 1.265 of sys/kern/vfs_syscalls.c will work around this problem (see
attached patch).

I originally did the slightly lax check because it helps userland
(lfs_cleanerd, as reported here, mountd and rpc.lockd are using NFSV3_FHMAX
too) slightly, and also should be harmless (the value is checked for valid
range before, and for truncation after the copyin).

Yamamoto-san, is this kernel change ok with you or should we adapt userland
to the strict version? The tmpfs regression suite does it right, but I'm not
sure how easy it will be with rpc.lockd.

Martin

Content-Disposition: attachment; filename=patch

Index: vfs_syscalls.c
===================================================================
RCS file: /cvsroot/src/sys/kern/vfs_syscalls.c,v
retrieving revision 1.266
diff -u -p -r1.266 vfs_syscalls.c
--- vfs_syscalls.c	4 Aug 2006 17:07:32 -0000	1.266
+++ vfs_syscalls.c	6 Aug 2006 08:22:02 -0000
@@ -1379,14 +1379,11 @@ vfs_copyinfh_alloc(const void *ufhp, siz
 	}
 	error = copyin(ufhp, fhp, fhsize);
 	if (error == 0) {
-		/* XXX this check shouldn't be here */
-		if (FHANDLE_SIZE(fhp) == fhsize) {
+		if (FHANDLE_SIZE(fhp) >= FHANDLE_SIZE_MIN
+		    || FHANDLE_SIZE(fhp) <= fhsize) {
 			*fhpp = fhp;
 			return 0;
 		} else {
-			/*
-			 * userland told us wrong size.
-			 */
 		    	error = EINVAL;
 		}
 	}
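Review bot: the new condition on the two `+` lines uses `||` where `&&` is needed. As written, `FHANDLE_SIZE(fhp) >= FHANDLE_SIZE_MIN || FHANDLE_SIZE(fhp) <= fhsize` accepts any handle whose embedded size meets the minimum, so the `<= fhsize` half constrains nothing: a handle that claims more bytes than the `fhsize` just copied in is still returned via `*fhpp`, and whatever later trusts FHANDLE_SIZE(fhp) will read past the data that was actually copied into the buffer. Given the range check the cover message says happens before the copyin, the `else` branch with `error = EINVAL` becomes effectively unreachable. Suggest `if (FHANDLE_SIZE(fhp) >= FHANDLE_SIZE_MIN && FHANDLE_SIZE(fhp) <= fhsize)`, and keep a one-line comment in place of the removed "userland told us wrong size" one so the relaxed (no longer equality) check is documented.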
