Subject: lib/32572: xdr_rec.c missing a bugfix for an improper security check
To: None <firstname.lastname@example.org, email@example.com,>
From: None <firstname.lastname@example.org>
Date: 01/19/2006 14:05:00
>Synopsis: xdr_rec.c missing a bugfix for an improper security check
>Arrival-Date: Thu Jan 19 14:05:00 +0000 2006
>Originator: John Kohl
FreeBSD added a sanity check to set_input_fragment() in xdr_rec.c.
You picked up the first half of this check, but didn't get the second half.
See FreeBSD's change request 16028:
and the diffs between their xdr_rec.c versions 1.11 and 1.12.
Their version 1.12 (dated exactly 6 years ago!) says:
Close PR#16028. Make the sanity check saner. The condition that we
check for on the server may arise legitimately on the client. The
correct way to check for a zero record length is to check for it
without the LAST_FRAG marker in it, since it's legal to send a LAST_FRAG
marker with 0 bytes of data.
get some specific data patterns in a TCP RPC stream
pull changes from FreeBSD
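
The difference between the two forms of the zero-length check, as an added example that is not code from NetBSD's or FreeBSD's xdr_rec.c. It assumes standard RPC record marking (a 4-byte big-endian header whose high bit is LAST_FRAG and whose low 31 bits are the fragment length); the function names, the enum and the sample streams are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define LAST_FRAG 0x80000000u   /* high bit of the 4-byte record mark */

/* Hypothetical names for the two ways to test for a zero record length. */
enum zero_check { CHECK_LENGTH_ONLY, CHECK_WHOLE_HEADER };

/* Read one big-endian 32-bit record mark. */
static uint32_t read_mark(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/*
 * Walk the fragments of one record held in buf. Returns the record's
 * payload byte count, or -1 if a header fails the sanity check or the
 * data ends before a last fragment is seen.
 */
long record_payload_len(const unsigned char *buf, size_t len,
                        enum zero_check mode)
{
    size_t off = 0;
    long total = 0;

    while (len - off >= 4) {
        uint32_t header = read_mark(buf + off);
        uint32_t fraglen = header & ~LAST_FRAG;
        off += 4;
        if (mode == CHECK_LENGTH_ONLY && fraglen == 0)
            return -1;          /* also rejects the legal LAST_FRAG|0 */
        if (mode == CHECK_WHOLE_HEADER && header == 0)
            return -1;          /* zero length and no LAST_FRAG marker */
        if (fraglen > len - off)
            return -1;          /* fragment runs past the buffer */
        off += fraglen;
        total += (long)fraglen;
        if (header & LAST_FRAG)
            return total;       /* record complete */
    }
    return -1;
}

/* Constructed streams: 4 data bytes closed by an empty last fragment,
 * and a stream that opens with an all-zero header. */
const unsigned char stream_empty_last[] =
    { 0, 0, 0, 4, 'd', 'a', 't', 'a', 0x80, 0, 0, 0 };
const unsigned char stream_zero_header[] =
    { 0, 0, 0, 0, 0x80, 0, 0, 4, 'd', 'a', 't', 'a' };
```
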