tech-net archive
Re: m_split() bug causing NFS server issue
> I finally found the cause of the infinite recursion in m_split()
> exposed by the NFS server. It's a bug in m_split() itself,
> where the m_len field of a newly allocated mbuf could be left
> uninitialized (see attached patch). This would cause the size of the new
> chain to be computed wrongly in various places, and other issues.
Good catch!
> Index: uipc_mbuf.c
> ===================================================================
> RCS file: /cvsroot/src/sys/kern/uipc_mbuf.c,v
> retrieving revision 1.131
> diff -u -p -u -r1.131 uipc_mbuf.c
> --- uipc_mbuf.c 15 Mar 2009 17:14:40 -0000 1.131
> +++ uipc_mbuf.c 5 Apr 2009 16:28:06 -0000
> @@ -1056,6 +1056,7 @@ m_split0(struct mbuf *m0, int len0, int
> if (remain > MHLEN) {
> /* m can't be the lead packet */
> MH_ALIGN(n, 0);
> + n->m_len = 0;
> n->m_next = m_split(m, len, wait);
> if (n->m_next == 0) {
> (void) m_free(n);
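Review bot: the added `n->m_len = 0;` line deserves a short comment saying why it is needed, since `MH_ALIGN(n, 0)` on the line above adjusts the data pointer of the new header but does not touch its length, and in this `remain > MHLEN` branch n carries no payload of its own, so anything that sums m_len over the new chain would otherwise read whatever the allocator left there. It is also worth confirming that the other branch of `if (remain > MHLEN)`, which this hunk does not show, sets m_len when it fills n, so that the initialization is not missing on that path as well.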
I wonder if we can detect such a mistake somehow. How about making MGETHDR
set m_len to some poisonous value?
Masao
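The two ideas in this thread, an m_split()-style header whose m_len is never set and an allocator that poisons m_len so a length walk over the chain can catch the omission, in a small C model. This is example code added here, not the NetBSD code or the patch; the struct, the poison value and all function names are constructed for illustration.

```c
#include <stddef.h>

/* Toy mbuf with only the fields the thread discusses (constructed, not NetBSD code). */
struct mbuf { struct mbuf *m_next; int m_len; };

/* Poison a MGETHDR-style allocator could store in m_len, as suggested above. */
#define M_LEN_POISON (-0x7ead)

/* Model header allocation: m_len is poisoned instead of being left uninitialized. */
static void mgethdr_model(struct mbuf *m)
{
    m->m_next = NULL;
    m->m_len = M_LEN_POISON;
}

/* Sum m_len over the chain; -1 means a header still carries the poison, i.e. some
 * path (such as the unpatched m_split() branch) never set its length. */
long m_length_checked(const struct mbuf *m)
{
    long total = 0;
    for (; m != NULL; m = m->m_next) {
        if (m->m_len == M_LEN_POISON)
            return -1;
        total += m->m_len;
    }
    return total;
}

/* Model of the patched branch: a fresh header-only mbuf n goes in front of the
 * split-off tail.  apply_fix == 0 reproduces the bug; otherwise "n->m_len = 0;"
 * from the patch is applied. */
static void split_head_model(struct mbuf *n, struct mbuf *tail, int apply_fix)
{
    mgethdr_model(n);
    if (apply_fix)
        n->m_len = 0;
    n->m_next = tail;
}

/* Two-mbuf tail of 100 + 200 bytes with a split header in front: the chain
 * measures 300 with the fix and -1 (poison detected) without it. */
long split_and_measure(int apply_fix)
{
    struct mbuf a, b, head;
    mgethdr_model(&a);
    mgethdr_model(&b);
    a.m_len = 100;
    b.m_len = 200;
    a.m_next = &b;
    split_head_model(&head, &a, apply_fix);
    return m_length_checked(&head);
}
```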