NetBSD-Bugs archive
Re: kern/38336: NULL deref in nfs_lookup
The following reply was made to PR kern/38336; it has been noted by GNATS.
From: yamt%mwd.biglobe.ne.jp@localhost (YAMAMOTO Takashi)
To: gnats-bugs%NetBSD.org@localhost
Cc: kern-bug-people%netbsd.org@localhost, gnats-admin%netbsd.org@localhost,
netbsd-bugs%netbsd.org@localhost
Subject: Re: kern/38336: NULL deref in nfs_lookup
Date: Sun, 30 Mar 2008 22:55:03 +0900 (JST)
> nfs_vnops.c:
>
> 925 nfsm_request(np, NFSPROC_LOOKUP, curlwp, cnp->cn_cred);
> 926 if (error) {
> 927 nfsm_postop_attr(dvp, attrflag, 0);
> 928 m_freem(mrep);
> 929 goto nfsmout;
> 930 }
>
> nfsm_request() fills 'error' and typically 'md'. In case of error,
> 'md' is sometimes not filled and can contain junk from the stack,
> but nfsm_postop_attr() assumes that 'md' is always filled. Here is

can you be specific about "sometimes"?

unless NFSERR_RETERR is set, nfsm_request macro itself does "goto nfsmout"
so "if (error)" in the above code is not executed.

YAMAMOTO Takashi