NetBSD-Bugs archive


Re: kern/38336: NULL deref in nfs_lookup



The following reply was made to PR kern/38336; it has been noted by GNATS.

From: Andrew Doran <ad%netbsd.org@localhost>
To: gnats-bugs%NetBSD.org@localhost
Cc: 
Subject: Re: kern/38336: NULL deref in nfs_lookup
Date: Sun, 30 Mar 2008 15:55:06 +0100

 On Sun, Mar 30, 2008 at 02:00:05PM +0000, YAMAMOTO Takashi wrote:
 
 >  > nfs_vnops.c:
 >  > 
 >  >     925   nfsm_request(np, NFSPROC_LOOKUP, curlwp, cnp->cn_cred);
 >  >     926   if (error) {
 >  >     927           nfsm_postop_attr(dvp, attrflag, 0);
 >  >     928           m_freem(mrep);
 >  >     929           goto nfsmout;
 >  >     930   }
 >  > 
 >  > nfsm_request() fills 'error' and typically 'md'. In case of error,
 >  > 'md' is sometimes not filled and can contain junk from the stack,
 >  > but nfsm_postop_attr() assumes that 'md' is always filled. Here is 
 >  
 >  can you be specific about "sometimes"?
 >  unless NFSERR_RETERR is set, nfsm_request macro itself does "goto nfsmout"
 >  so "if (error)" in the above code is not executed.
 
 I had a broken sbwait() that returned ERESTART when it should have been
 ignoring signals. I haven't checked to see if the error can happen in
 -current, but it seems better to handle it. I think the return path for the
 error code was:
 
 sbwait -> soreceive -> nfs_receive -> nfs_reply -> nfs_request -> nfs_lookup
 
 Andrew
 
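The pattern the PR describes, as an added illustration that is not part of the archived message and not NetBSD's nfs_vnops.c: a request routine that returns an error before it has assigned its reply pointer, and a caller whose error path hands that pointer to an attribute parser anyway. The names fake_request, postop_attr, lookup_error_path and struct reply are stand-ins invented for this example; EINTR stands in for the ERESTART that the report traces back to sbwait(). The example shows the two defensive changes that remove the hazard: initialise the reply pointer to NULL before the request, and make the post-op attribute helper tolerate a NULL reply instead of assuming one is always there.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/*
 * Constructed stand-ins for this example only. 'struct reply' plays the role
 * of the reply chain that the real nfsm_request() macro hands back in 'md';
 * nothing here is NetBSD's code.
 */
struct reply {
    int attr_valid;     /* post-op attribute state carried by the reply */
};

enum req_outcome {
    REQ_OK,             /* request succeeded, reply filled in */
    REQ_PROTO_ERR,      /* server returned an NFS error, reply still filled in */
    REQ_TRANSPORT_ERR   /* receive path failed (the ERESTART case in the PR):
                           returns before the reply pointer is assigned */
};

static struct reply ok_reply  = { .attr_valid = 2 };
static struct reply err_reply = { .attr_valid = 1 };

/* Hypothetical stand-in for nfsm_request(). On a transport error it returns
 * early and never touches *mdp, which is exactly how a caller ends up with an
 * unset pointer. */
static int fake_request(enum req_outcome outcome, struct reply **mdp)
{
    switch (outcome) {
    case REQ_OK:
        *mdp = &ok_reply;
        return 0;
    case REQ_PROTO_ERR:
        *mdp = &err_reply;
        return EIO;
    default:
        return EINTR;   /* stands in for ERESTART; *mdp left untouched */
    }
}

/* Hardened stand-in for nfsm_postop_attr(). The original, as described in the
 * PR, assumed 'md' was always valid; this one treats a NULL reply as "no
 * attributes available" instead of dereferencing it. */
static int postop_attr(struct reply *md, int *attrflag)
{
    if (md == NULL) {
        *attrflag = 0;
        return -1;
    }
    *attrflag = md->attr_valid;
    return 0;
}

/*
 * Caller shaped like the quoted nfs_lookup() fragment. Two changes relative to
 * the pattern in the report: 'md' starts as NULL rather than as whatever the
 * stack held, and the post-op helper is NULL-tolerant.
 *
 * Returns the attribute flag taken from the reply, or -1 when the error path
 * was entered without any reply to parse.
 */
int lookup_error_path(enum req_outcome outcome)
{
    struct reply *md = NULL;    /* never let the error path see stack junk */
    int attrflag = 0;
    int error = fake_request(outcome, &md);

    if (error) {
        if (postop_attr(md, &attrflag) != 0)
            return -1;          /* this is where the report's deref happened */
        /* the real code frees the reply chain here; a NULL pointer is safe */
        return attrflag;
    }
    (void)postop_attr(md, &attrflag);
    return attrflag;
}

int main(void)
{
    printf("ok:            %d\n", lookup_error_path(REQ_OK));
    printf("proto error:   %d\n", lookup_error_path(REQ_PROTO_ERR));
    printf("transport err: %d\n", lookup_error_path(REQ_TRANSPORT_ERR));
    return 0;
}
```

The transport-error case is the one the report cares about: fake_request() returns an error without assigning md, and only the explicit NULL initialisation plus the check in postop_attr() keeps the error path from reading through a pointer that was never set. Whether a given kernel tree can still reach that path (the reply notes the broken sbwait() may not exist in -current) does not change the value of handling it.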

