NetBSD-Bugs archive
kern/41153: nfs doesn't check failure of m_get() or m_clget()
>Number: 41153
>Category: kern
>Synopsis: nfs doesn't check failure of m_get() or m_clget()
>Confidential: no
>Severity: serious
>Priority: low
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Sun Apr 05 20:50:00 +0000 2009
>Originator: Manuel Bouyer
>Release: NetBSD 5.0_RC3
>Organization:
>Environment:
System: NetBSD horn 5.0_RC3 NetBSD 5.0_RC3 (DISCODEBUG) #34: Sun Apr 5 21:37:10
MEST 2009 bouyer@disco:/home/bouyer/src-5/src/sys/arch/i386/compile/DISCODEBUG
i386
Architecture: i386
Machine: i386
>Description:
In various places, the nfs code (both client and server) blindly
assumes that m_get(M_WAIT) and m_clget(M_WAIT) will work.
However both m_get() and m_clget() call pool_cache_get() with
PR_LIMITFAIL. There's no limit on the mbpl pool so I'm
not sure m_get() can fail, but m_clget() definitely can.
If an m_clget() fails the NFS code won't notice and happily set
m_len and copy data to it, overflowing the mbuf data area and
causing other damage in the networking stack.
>How-To-Repeat:
code inspection
>Fix:
Check M_EXT after m_clget() and find a way to fail gracefully
(returning an error to client or userland is not graceful)
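
A userland C model of the M_EXT check proposed under >Fix, added here as an illustration; it is not code from the NetBSD source or from this PR. The `model_*` names, the buffer sizes and the `exhausted` switch are constructed, and what the caller does with the error (the graceful part) is left open, as in the report.

```c
#include <errno.h>
#include <string.h>

/* Userland model, not NetBSD source: layout and sizes are constructed. */
#define MODEL_MLEN     200    /* internal mbuf data area */
#define MODEL_MCLBYTES 2048   /* external cluster */
#define M_EXT          0x01   /* set only when a cluster is attached */

struct model_mbuf {
    int    m_flags;
    size_t m_len;
    char  *m_data;
    char   m_dat[MODEL_MLEN];
};
static char model_cluster[MODEL_MCLBYTES];   /* one cluster is enough here */

/* Stand-in for m_clget(): on failure the only sign is that M_EXT stays clear. */
static void model_m_clget(struct model_mbuf *m, int pool_exhausted)
{
    if (pool_exhausted)
        return;
    m->m_data = model_cluster;
    m->m_flags |= M_EXT;
}

/* Hypothetical helper: check M_EXT before touching m_len or copying. */
static int model_fill(struct model_mbuf *m, const void *src, size_t len, int exhausted)
{
    m->m_flags = 0;
    m->m_len = 0;
    m->m_data = m->m_dat;
    model_m_clget(m, exhausted);
    if ((m->m_flags & M_EXT) == 0)
        return ENOBUFS;     /* unchecked code would copy len bytes into m_dat */
    if (len > MODEL_MCLBYTES)
        return EMSGSIZE;
    memcpy(m->m_data, src, len);
    m->m_len = len;
    return 0;
}

int main(void)
{
    struct model_mbuf m;
    char payload[1024] = {0};   /* constructed payload, larger than MODEL_MLEN */
    int ok = model_fill(&m, payload, sizeof(payload), 0) == 0;
    int refused = model_fill(&m, payload, sizeof(payload), 1) == ENOBUFS;
    return (ok && refused) ? 0 : 1;
}
```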