Bug #4342

closed

NULL pointer dereference in rfs4_op_setclientid()

Added by Marcel Telka almost 8 years ago. Updated almost 8 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: nfs - NFS server and client
Start date: 2013-11-20
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

In case the NFSv4 client sends SETCLIENTID with a zero-length SETCLIENTID4args.client.id, the server will panic at line 7960 in rfs4_op_setclientid(), dereferencing a NULL pointer:

7960    if (strstr(args->client.id_val, "Solaris") &&
7961        !strstr(args->client.id_val, "+referrals")) {

The panic is easily reproducible using this nfsv4shell script:

connect localhost
compound {Setclientid "" "" {0 0 0}}

In addition, it is not guaranteed that id_val will be null-terminated, so the strstr() usage at lines 7960 and 7961 is wrong.

The problem was introduced in December 2009 when support for fs_locations was added.
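The following is an added illustration, not code from illumos or from this bug report: it models SETCLIENTID4args.client.id the way the description treats it (an opaque byte array with an explicit length, which may be NULL when the length is zero and carries no terminating NUL) and replaces the two unbounded strstr() calls with a length-bounded search. The struct name client_id_t, the helper bounded_contains() and the predicate name is_solaris_client_without_referrals() are assumptions made for this example; the inputs in main() are constructed, including the empty id that the nfsv4shell script above sends.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Models the XDR-decoded SETCLIENTID4args.client.id as described in the
 * bug: an opaque byte array with an explicit length. It is NOT a C
 * string, so id_val may be NULL when id_len == 0 and it carries no
 * terminating NUL. (Struct constructed for this example.)
 */
typedef struct {
	unsigned int id_len;
	char *id_val;
} client_id_t;

/*
 * Bounded replacement for strstr(): looks for the NUL-terminated needle
 * inside the first hay_len bytes of hay and never reads beyond them.
 * A NULL haystack, or one shorter than the needle, is simply "not found"
 * instead of a NULL dereference or an out-of-bounds read.
 */
bool
bounded_contains(const char *hay, size_t hay_len, const char *needle)
{
	size_t nlen = strlen(needle);

	if (hay == NULL || nlen == 0 || hay_len < nlen)
		return (false);
	for (size_t i = 0; i + nlen <= hay_len; i++) {
		if (memcmp(hay + i, needle, nlen) == 0)
			return (true);
	}
	return (false);
}

/*
 * Hardened form of the predicate at lines 7960-7961 of the bug: "the id
 * names a Solaris client that did not advertise +referrals". Unlike the
 * original strstr() pair it is safe for a zero-length (NULL) id and for
 * an id that is not NUL-terminated. (Function name is an assumption.)
 */
bool
is_solaris_client_without_referrals(const client_id_t *id)
{
	return (bounded_contains(id->id_val, id->id_len, "Solaris") &&
	    !bounded_contains(id->id_val, id->id_len, "+referrals"));
}

int
main(void)
{
	/* Constructed inputs: the empty id from the nfsv4shell script, a
	 * Solaris id with no NUL at all, a full id with +referrals, the
	 * same bytes viewed with a shorter id_len, and a non-Solaris id. */
	client_id_t empty = { 0, NULL };
	char raw_solaris[] = { 'S', 'o', 'l', 'a', 'r', 'i', 's',
	    ' ', 'N', 'F', 'S' };	/* 11 bytes, deliberately no NUL */
	client_id_t solaris = { sizeof (raw_solaris), raw_solaris };
	char raw_ref[] = "Solaris NFSv4 +referrals";	/* 24 bytes */
	client_id_t referrals = { (unsigned int)strlen(raw_ref), raw_ref };
	client_id_t truncated = { 18, raw_ref };	/* "Solaris NFSv4 +ref" */
	char raw_linux[] = "Linux NFSv4";
	client_id_t other = { (unsigned int)strlen(raw_linux), raw_linux };

	printf("empty id (crash case)    -> %d\n",
	    is_solaris_client_without_referrals(&empty));
	printf("Solaris, no NUL          -> %d\n",
	    is_solaris_client_without_referrals(&solaris));
	printf("Solaris +referrals       -> %d\n",
	    is_solaris_client_without_referrals(&referrals));
	printf("same bytes, id_len = 18  -> %d\n",
	    is_solaris_client_without_referrals(&truncated));
	printf("non-Solaris client       -> %d\n",
	    is_solaris_client_without_referrals(&other));
	return (0);
}
```

The truncated case is the one worth noting: with id_len = 18 the "+referrals" bytes sit past the end of the id as the client declared it, so the bounded search correctly ignores them, whereas the unbounded strstr() would have read whatever followed in memory.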


Related issues

Related to illumos gate - Bug #4681: bcmp(NULL, NULL, 0) panics in DEBUG kernel (Resolved, Marcel Telka, 2014-03-11)

Actions #1

Updated by Marcel Telka almost 8 years ago

  • Status changed from In Progress to Pending RTI
Actions #2

Updated by Robert Mustacchi almost 8 years ago

  • Status changed from Pending RTI to Resolved
  • % Done changed from 0 to 100
  • Tags deleted (needs-triage)

Resolved in 7c9adcc5db714f9170fd80006e7c2b613f5b17db.
