Subject: lib/32572: xdr_rec.c missing a bugfix for an improper security check
To: None <lib-bug-people@netbsd.org, gnats-admin@netbsd.org,>
From: None <jtk@us.ibm.com>
List: netbsd-bugs
Date: 01/19/2006 14:05:00
>Number: 32572
>Category: lib
>Synopsis: xdr_rec.c missing a bugfix for an improper security check
>Confidential: no
>Severity: serious
>Priority: high
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Jan 19 14:05:00 +0000 2006
>Originator: John Kohl
>Release: 3.0
>Organization:
IBM
>Environment:
>Description:
FreeBSD added a sanity check to set_input_fragment() in xdr_rec.c.
You picked up the first half of this check, but didn't get the second half.
See FreeBSD's change request 16028:
http://www.freebsd.org/cgi/query-pr.cgi?pr=16028
and the diffs between their xdr_rec.c versions 1.11 and 1.12.
http://www.freebsd.org/cgi/cvsweb.cgi/src/lib/libc/xdr/xdr_rec.c.diff?r1=1.11&r2=1.12&f=h
Their version 1.12 (dated exactly 6 years ago!) says:
Close PR#16028. Make the sanity check saner. The condition that we
check for on the server may arise legitimately on the client. The
correct way to check for a zero record length is to check for it
without the LAST_FRAG marker in it, since it's legal to send a LAST_FRAG
marker with 0 bytes of data.
>How-To-Repeat:
Get some specific data patterns in a TCP RPC stream.
>Fix:
Pull changes from FreeBSD.
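The following is an added illustration of the point in the quoted FreeBSD commit message; it is not code from this PR, from NetBSD's xdr_rec.c, or from FreeBSD's. It models the two forms of the zero-length check on the 4-byte RPC record mark (big-endian, high bit LAST_FRAG, low 31 bits fragment length, per RFC 5531 section 11). The "strict" variant is an assumption of what the incomplete check looks like, inferred from the PR's description; the function names are hypothetical and the sample record marks are constructed, not captured traffic.

```c
/*
 * Added illustration of the record-mark sanity check discussed in this PR.
 * Not NetBSD's or FreeBSD's xdr_rec.c: a standalone model of the logic with
 * hypothetical function names. LAST_FRAG and the record-marking layout
 * (4-byte big-endian mark, high bit = last fragment, low 31 bits = length)
 * follow RFC 5531 section 11.
 */
#include <stdint.h>
#include <stdio.h>

#define LAST_FRAG ((uint32_t)1 << 31)

/* Decode the big-endian 4-byte record mark from a wire buffer (the real
 * code reads it with get_input_bytes() and converts it with ntohl()). */
uint32_t decode_record_mark(const uint8_t mark[4])
{
    return ((uint32_t)mark[0] << 24) | ((uint32_t)mark[1] << 16) |
           ((uint32_t)mark[2] << 8)  |  (uint32_t)mark[3];
}

/* Is the LAST_FRAG bit set in a decoded header? */
int is_last_frag(uint32_t header)
{
    return (header & LAST_FRAG) != 0;
}

/*
 * Overly strict check (assumed to be the "first half" this PR says NetBSD
 * picked up): LAST_FRAG is masked off *before* the zero test, so the legal
 * zero-byte terminator 0x80000000 is rejected together with an all-zero
 * mark. Returns -1 on rejection, otherwise the fragment length to consume.
 */
long fragment_len_strict(uint32_t header)
{
    if ((header & ~LAST_FRAG) == 0)
        return -1;
    return (long)(header & ~LAST_FRAG);
}

/*
 * Corrected check as described in FreeBSD's rev 1.12 message: only a header
 * that is zero with the LAST_FRAG bit *included* is nonsensical. A zero-length
 * last fragment is a valid way for the peer to terminate a record, and a
 * client that rejects it will drop a well-formed reply.
 */
long fragment_len_fixed(uint32_t header)
{
    if (header == 0)
        return -1;
    return (long)(header & ~LAST_FRAG);
}

int main(void)
{
    /* Constructed record marks, not captured traffic. */
    static const uint8_t marks[][4] = {
        {0x00, 0x00, 0x00, 0x00}, /* zero length, not last: garbage      */
        {0x80, 0x00, 0x00, 0x00}, /* zero-length LAST_FRAG: legal ending */
        {0x00, 0x00, 0x00, 0x10}, /* 16-byte fragment, more to follow    */
        {0x80, 0x00, 0x00, 0x04}, /* 4-byte final fragment               */
    };
    for (size_t i = 0; i < sizeof marks / sizeof marks[0]; i++) {
        uint32_t header = decode_record_mark(marks[i]);
        long strict = fragment_len_strict(header);
        long fixed = fragment_len_fixed(header);
        printf("mark %08x: strict=%s fixed=%s len=%ld last=%d\n",
               header,
               strict < 0 ? "reject" : "accept",
               fixed < 0 ? "reject" : "accept",
               fixed < 0 ? fixed : fixed,
               is_last_frag(header));
    }
    return 0;
}
```

The only mark the two variants disagree on is 0x80000000: the strict form treats it as a bad record, the corrected form treats it as an empty final fragment and lets the record end normally.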