NetBSD-Bugs archive
Re: kern/38336: NULL deref in nfs_lookup
> nfs_vnops.c:
>
> 925 nfsm_request(np, NFSPROC_LOOKUP, curlwp, cnp->cn_cred);
> 926 if (error) {
> 927 nfsm_postop_attr(dvp, attrflag, 0);
> 928 m_freem(mrep);
> 929 goto nfsmout;
> 930 }
>
> nfsm_request() fills 'error' and typically 'md'. In case of error,
> 'md' is sometimes not filled and can contain junk from the stack,
> but nfsm_postop_attr() assumes that 'md' is always filled. Here is

can you be specific about "sometimes"?
unless NFSERR_RETERR is set, nfsm_request macro itself does "goto nfsmout"
so "if (error)" in the above code is not executed.

YAMAMOTO Takashi