tech-net archive


Re: m_split() bug causing NFS server issue



> I finally found the cause of the infinite recursion in m_split()
> exposed by the NFS server. It's a bug in m_split() itself,
> where the m_len field of a newly allocated mbuf could be left
> uninitialized (see attached patch). This would cause the size of the new
> chain to be computed wrongly in various places, and other issues.

Good catch!

> Index: uipc_mbuf.c
> ===================================================================
> RCS file: /cvsroot/src/sys/kern/uipc_mbuf.c,v
> retrieving revision 1.131
> diff -u -p -u -r1.131 uipc_mbuf.c
> --- uipc_mbuf.c       15 Mar 2009 17:14:40 -0000      1.131
> +++ uipc_mbuf.c       5 Apr 2009 16:28:06 -0000
> @@ -1056,6 +1056,7 @@ m_split0(struct mbuf *m0, int len0, int 
>               if (remain > MHLEN) {
>                       /* m can't be the lead packet */
>                       MH_ALIGN(n, 0);
> +                     n->m_len = 0;
>                       n->m_next = m_split(m, len, wait);
>                       if (n->m_next == 0) {
>                               (void) m_free(n);
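Review bot: the added `n->m_len = 0;` after `MH_ALIGN(n, 0);` looks like an arbitrary zero unless the reader already knows that in this `remain > MHLEN` branch the new header mbuf n carries no data of its own (the remainder lives in the chain returned by the recursive `m_split(m, len, wait)` call), so consider extending the existing `/* m can't be the lead packet */` comment to say that n is an empty packet header whose length must be set explicitly; that keeps the initialization from being removed later as apparently redundant.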

I wonder if we can detect such a mistake somehow.  How about making MGETHDR
set m_len to some poisonous value?

Masao
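The poison-value idea in the reply above, as an added example that is not NetBSD code: a toy mbuf model in which the allocator stamps every fresh header mbuf's m_len with a sentinel, and a chain-length walk reports the sentinel instead of silently adding a garbage length. The struct layout, the MHLEN value, the poison constant and every toy_* helper name are assumptions made for this illustration.

```c
/* Added example (not NetBSD code): poisoning m_len at allocation time so a
 * forgotten initialization becomes a detectable condition rather than a
 * silently wrong chain length. All names and constants here are assumed. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MHLEN 100              /* assumed data capacity of a header mbuf */
#define M_LEN_POISON (-12345)  /* assumed sentinel; a negative length is never valid */

struct mbuf {
    struct mbuf *m_next;
    int          m_len;
    char         m_dat[MHLEN];
};

/* Stand-in for MGETHDR: every fresh header mbuf starts with a poisoned m_len. */
static struct mbuf *toy_mgethdr(void)
{
    struct mbuf *n = calloc(1, sizeof(*n));
    if (n == NULL)
        return NULL;
    n->m_len = M_LEN_POISON;
    return n;
}

/* Sum m_len over the chain; return -1 as soon as an mbuf still carries the
 * poison, i.e. some code path allocated it and never set its length. */
int toy_chain_len(const struct mbuf *m)
{
    int total = 0;
    for (; m != NULL; m = m->m_next) {
        if (m->m_len == M_LEN_POISON)
            return -1;          /* uninitialized m_len detected */
        total += m->m_len;
    }
    return total;
}

/* Build a two-mbuf chain: an empty lead header followed by one data mbuf.
 * With apply_fix == 0 the bug from the thread is reproduced (lead m_len
 * never set); with apply_fix != 0 the lead is explicitly given length 0. */
struct mbuf *toy_build_chain(int apply_fix, int tail_len)
{
    struct mbuf *n = toy_mgethdr();
    struct mbuf *t = toy_mgethdr();
    if (n == NULL || t == NULL || tail_len < 0 || tail_len > MHLEN) {
        free(n);
        free(t);
        return NULL;
    }
    if (apply_fix)
        n->m_len = 0;           /* lead header carries no data of its own */
    t->m_len = tail_len;
    memset(t->m_dat, 'x', (size_t)tail_len);
    n->m_next = t;
    return n;
}

void toy_free_chain(struct mbuf *m)
{
    while (m != NULL) {
        struct mbuf *next = m->m_next;
        free(m);
        m = next;
    }
}

int main(void)
{
    struct mbuf *bad = toy_build_chain(0, 40);
    struct mbuf *good = toy_build_chain(1, 40);
    printf("uninitialized lead: chain_len=%d\n", toy_chain_len(bad));  /* -1 */
    printf("fixed lead:         chain_len=%d\n", toy_chain_len(good)); /* 40 */
    toy_free_chain(bad);
    toy_free_chain(good);
    return 0;
}
```

The walk returns an error value here so the example can be checked; in a kernel debug build the natural equivalent is a KASSERT on the sentinel, which turns the silent miscount into a panic at the first place the bad length is consumed.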

