Project

General

Profile

Actions
Copy link

Bug #4342

closed

NULL pointer dereference in rfs4_op_setclientid()

Added by Marcel Telka over 9 years ago. Updated over 9 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
Marcel Telka
Category:
nfs - NFS server and client
Start date:
2013-11-20
Due date:
% Done:

100%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:
External Bug:

Description

In a case the NFSv4 client sends SETCLIENTID with zero length SETCLIENTID4args.client.id the server will panic at line 7960 here in rfs4_op_setclientid() dereferencing NULL pointer:

7960    if (strstr(args->client.id_val, "Solaris") &&
7961        !strstr(args->client.id_val, "+referrals")) {

The panic is easily reproducible using this nfsv4shell script:

connect localhost
compound {Setclientid "" "" {0 0 0}}

In addition, it is not guaranteed that id_val will be null terminated, so strstr() usage at lines 7960 and 7961 is wrong.

The problem was introduced in December 2009 when support for fs_locations was added.

Related issues

Related to illumos gate - Bug #4681: bcmp(NULL, NULL, 0) panics in DEBUG kernelResolvedMarcel Telka2014-03-11

Actions
Actions
Copy link
 #1

Updated by Marcel Telka over 9 years ago

  • Status changed from In Progress to Pending RTI
Actions
Copy link
 #2

Updated by Robert Mustacchi over 9 years ago

  • Status changed from Pending RTI to Resolved
  • % Done changed from 0 to 100
  • Tags deleted (needs-triage)

Resolved in 7c9adcc5db714f9170fd80006e7c2b613f5b17db.

Actions
Copy link

Also available in: Atom PDF