From rsc@amsterdam.lcs.mit.edu  Mon Feb  3 14:05:38 2003
Return-Path: <rsc@amsterdam.lcs.mit.edu>
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125])
	by hub.freebsd.org (Postfix) with ESMTP id 5112337B401
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  3 Feb 2003 14:05:38 -0800 (PST)
Received: from amsterdam.lcs.mit.edu (amsterdam.lcs.mit.edu [18.26.4.9])
	by mx1.FreeBSD.org (Postfix) with ESMTP id AC81B43E4A
	for <FreeBSD-gnats-submit@freebsd.org>; Mon,  3 Feb 2003 14:05:37 -0800 (PST)
	(envelope-from rsc@amsterdam.lcs.mit.edu)
Received: (from rsc@localhost)
	by amsterdam.lcs.mit.edu (8.11.6/8.11.6) id h13M5ad41934;
	Mon, 3 Feb 2003 17:05:36 -0500 (EST)
	(envelope-from rsc)
Message-Id: <200302032205.h13M5ad41934@amsterdam.lcs.mit.edu>
Date: Mon, 3 Feb 2003 17:05:36 -0500 (EST)
From: Russ Cox <rsc@amsterdam.lcs.mit.edu>
Reply-To: Russ Cox <rsc@amsterdam.lcs.mit.edu>
To: FreeBSD-gnats-submit@freebsd.org
Cc: rsc@amsterdam.lcs.mit.edu
Subject: NFS server crashes when given mount daemon requests
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         47874
>Category:       kern
>Synopsis:       NFS server crashes when given mount daemon requests
>Confidential:   no
>Severity:       critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Mon Feb 03 14:10:10 PST 2003
>Closed-Date:    Sat Nov 15 14:07:14 PST 2003
>Last-Modified:  Sat Nov 15 14:07:14 PST 2003
>Originator:     Russ Cox
>Release:        FreeBSD 4.5-RELEASE-p23 i386
>Organization:
MIT LCS
>Environment:
System: FreeBSD amsterdam.lcs.mit.edu 4.5-RELEASE-p23 FreeBSD 4.5-RELEASE-p23 #0: Thu Jan 30 17:00:22 EST 2003 rsc@amsterdam.lcs.mit.edu:/disk/am1/rsc/freebsd/compile/PDOS-PAUSING i386


	
>Description:

	If you send an NFS mount RPC to the NFS server (instead of to
	the mount server), then the NFS server crashes.  It crashes
	in nfs_syscalls.c in the function dispatch a couple lines below
	the only instance of writegather in that file.

	I think somehow the fact that the unmarshal failed is being
	ignored, and so the server is not correctly responding with
	program unavailable.

	This bug does not exist in 4.5-RELEASE nor does it exist in 5.0.

>How-To-Repeat:

perl -e '
	# RPC record mark: last fragment, 0x28 = 40 bytes of call body follow
	print "\x80\x00\x00\x28"
	# xid, msg_type = CALL (0), rpcvers = 2
	. "\x31\x23\xee\x70\x00\x00\x00\x00\x00\x00\x00\x02"
	# prog = 100005 (mount), vers = 3, proc = 2
	. "\x00\x01\x86\xa5\x00\x00\x00\x03\x00\x00\x00\x02"
	# cred: AUTH_NULL, length 0; verf: AUTH_NULL, length 0
	. "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
' | nc your-machine 2049

>Fix:

	I inserted a check for a bad function pointer in the dispatch,
	but that's not the right fix -- we shouldn't be getting into the
	NFS service code at all!

>Release-Note:
>Audit-Trail:
State-Changed-From-To: open->analyzed 
State-Changed-By: kris 
State-Changed-When: Mon Jul 14 03:04:32 PDT 2003 
State-Changed-Why:  
I am unable to reproduce this on a 4.8-STABLE server. 
Can you confirm that the problem no longer exists? 

http://www.freebsd.org/cgi/query-pr.cgi?pr=47874 
State-Changed-From-To: analyzed->closed 
State-Changed-By: kris 
State-Changed-When: Sat Nov 15 14:07:03 PST 2003 
State-Changed-Why:  
Unable to reproduce, assuming fixed 

http://www.freebsd.org/cgi/query-pr.cgi?pr=47874 
>Unformatted:
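The misdirected call and the reply check, as an added example that is not part of this PR or of FreeBSD's code: a Python script that builds the same ONC RPC record the perl one-liner in How-To-Repeat sends (mount program 100005, version 3, procedure 2, aimed at the NFS port), decodes whatever comes back, and distinguishes PROG_UNAVAIL, the reply the description says a correct server should give, from a server that answers nothing at all. The sample reply bytes, the verdict()/probe() helpers and the "your-machine" placeholder host are constructed for this example; only the 44-byte call record is taken from the PR.

```python
import socket
import struct

# ONC RPC (RFC 1831) constants
RPC_VERSION = 2
MSG_CALL, MSG_REPLY = 0, 1
REPLY_ACCEPTED, REPLY_DENIED = 0, 1
AUTH_NULL = 0
NFS_PROGRAM, MOUNT_PROGRAM = 100003, 100005
ACCEPT_STAT = {0: "SUCCESS", 1: "PROG_UNAVAIL", 2: "PROG_MISMATCH",
               3: "PROC_UNAVAIL", 4: "GARBAGE_ARGS", 5: "SYSTEM_ERR"}
REJECT_STAT = {0: "RPC_MISMATCH", 1: "AUTH_ERROR"}

# The exact 44 bytes the PR's perl one-liner prints (record mark + 40-byte call).
PR_RECORD = bytes.fromhex(
    "80000028 3123ee70 00000000 00000002 000186a5 00000003 00000002 "
    "00000000 00000000 00000000 00000000")

# Constructed sample of a correct answer: ACCEPTED, AUTH_NULL verf, PROG_UNAVAIL.
SAMPLE_PROG_UNAVAIL_REPLY = struct.pack(">I", 0x80000018) + struct.pack(
    ">IIIIII", 0x3123EE70, MSG_REPLY, REPLY_ACCEPTED, AUTH_NULL, 0, 1)


def build_call(xid, prog, vers, proc, args=b""):
    """RPC call_body with AUTH_NULL credentials and verifier, plus raw args."""
    hdr = struct.pack(">IIIIII", xid, MSG_CALL, RPC_VERSION, prog, vers, proc)
    auth = struct.pack(">IIII", AUTH_NULL, 0, AUTH_NULL, 0)
    return hdr + auth + args


def frame_record(body):
    """TCP record marking: MSB = last fragment, low 31 bits = fragment length."""
    return struct.pack(">I", 0x80000000 | len(body)) + body


def unframe_record(data):
    """Return the body of a single-fragment record; refuse partial or multi-fragment input."""
    if len(data) < 4:
        raise ValueError("short record mark")
    mark, = struct.unpack(">I", data[:4])
    if not mark & 0x80000000:
        raise ValueError("multi-fragment reply not handled here")
    length = mark & 0x7FFFFFFF
    body = data[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated fragment")
    return body


def parse_reply(body):
    """Decode an RPC reply_body into xid, ACCEPTED/DENIED and the status name."""
    xid, mtype, stat = struct.unpack(">III", body[:12])
    if mtype != MSG_REPLY:
        raise ValueError("not a reply message")
    if stat == REPLY_DENIED:
        rstat, = struct.unpack(">I", body[12:16])
        return {"xid": xid, "outcome": "DENIED",
                "status": REJECT_STAT.get(rstat, str(rstat))}
    # accepted_reply: opaque_auth verf (flavor, length, body padded to 4), then accept_stat
    _flavor, vlen = struct.unpack(">II", body[12:20])
    off = 20 + ((vlen + 3) & ~3)
    astat, = struct.unpack(">I", body[off:off + 4])
    out = {"xid": xid, "outcome": "ACCEPTED",
           "status": ACCEPT_STAT.get(astat, str(astat))}
    if astat == 2:  # PROG_MISMATCH carries the supported version range
        out["low"], out["high"] = struct.unpack(">II", body[off + 4:off + 12])
    return out


def verdict(reply):
    """One-line judgement of how the server handled a call for the wrong program."""
    if reply["outcome"] == "NO_REPLY":
        return "no reply: server crashed, hung or dropped the connection"
    if reply["outcome"] == "ACCEPTED" and reply["status"] == "PROG_UNAVAIL":
        return "correct: PROG_UNAVAIL"
    return "unexpected: %s/%s" % (reply["outcome"], reply["status"])


def probe(host, port=2049, xid=0x3123EE70, prog=MOUNT_PROGRAM, vers=3,
          proc=2, timeout=5.0):
    """Send the misdirected call over TCP and return the decoded reply.

    A server that dies or closes the socket yields outcome NO_REPLY instead
    of an exception, so the caller can report it next to a normal reply.
    """
    rec = frame_record(build_call(xid, prog, vers, proc))
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(rec)
            while len(data) < 4 or len(data) < 4 + (
                    struct.unpack(">I", data[:4])[0] & 0x7FFFFFFF):
                chunk = s.recv(4096)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return {"outcome": "NO_REPLY", "status": str(exc)}
    if not data:
        return {"outcome": "NO_REPLY", "status": "connection closed"}
    return parse_reply(unframe_record(data))


if __name__ == "__main__":
    import sys
    # "your-machine" is the placeholder host name used in the PR
    target = sys.argv[1] if len(sys.argv) > 1 else "your-machine"
    print(verdict(probe(target)))
```

Because the call carries AUTH_NULL and no arguments, a correctly behaving nfsd should reject it at the dispatch stage with PROG_UNAVAIL before any NFS procedure code runs; build_call() takes any program, version and procedure, so the same probe can check PROG_MISMATCH and PROC_UNAVAIL handling by varying those three numbers.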
