Subject: kern/1327: Silly NFS mbuf code caused corruption of malloc's freelist
To: None <gnats-bugs@NetBSD.ORG>
From: None <tmendez@bbn.com>
List: netbsd-bugs
Date: 08/10/1995 17:04:16
>Number: 1327
>Category: kern
>Synopsis: Silly NFS mbuf code caused corruption of malloc's freelist
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: kern-bug-people (Kernel Bug People)
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Aug 10 17:20:01 1995
>Last-Modified:
>Originator: Trevor Mendez
>Organization:
BBN
>Release: NetBSD 1.0A (early June '95)
>Environment:
sparc
System: NetBSD dart17.bbn.com 1.0A NetBSD 1.0A (TMENDEZ) #185: Thu Aug 10 16:23:22 EDT 1995 tmendez@dart17.bbn.com:/usr/home/tmendez/kernels/sys/arch/sparc/compile/TMENDEZ sparc
>Description:
nfs_socket.c:nfs_rephead() assumes that there is enough room to
store "6*NFSX_UNSIGNED" (24) bytes in a header mbuf after incrementing
"m_data" by "max_hdr" bytes. If "max_hdr" is at least 80, then there
are only 20 bytes left in the header mbuf, so the immediately following
object in memory will be overwritten. Sooner or later
kern_malloc.c:malloc()'s freelist is overwritten...
>How-To-Repeat:
Edit tcp_subr.c:tcp_init() to set "max_protohdr" to at least 64
(so that "max_hdr" will be at least 80). Compile the kernel with
the DIAGNOSTIC option set. Export a file system via NFS, and
try to access it using a remote NFS client. nfsd's NFS socket
system calls sooner or later will overrun mbufs in
nfs_socket.c:nfs_rephead(). kern_malloc.c:malloc() will complain
when its freelist is clobbered.
>Fix:
Use a sensible scheme for checking how much room is left in the
mbuf after incrementing "mreq->m_data" by "max_hdr" bytes.
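The room check the fix asks for, as an added illustration that is not part of this report or of NetBSD's nfs_socket.c: a simplified stand-in for a header mbuf (not the real struct mbuf) with MHLEN assumed to be 100, which is what the report's arithmetic implies (max_hdr of 80 leaving 20 bytes). rephead_overrun() shows how many bytes the unchecked write spills, and nfs_rephead_checked() refuses to advance m_data and copy when the reply header would not fit.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for a header mbuf; not NetBSD's struct mbuf.
 * MHLEN = 100 is assumed from the report's arithmetic (max_hdr 80 leaves 20). */
#define MHLEN 100
#define NFSX_UNSIGNED 4

struct mbuf {
    char *m_data;          /* current start of valid data */
    int   m_len;           /* bytes of valid data at m_data */
    char  m_dat[MHLEN];    /* in-mbuf data area */
};

/* Bytes that an unchecked write of `need` bytes after reserving `max_hdr`
 * leading bytes would spill past the end of m_dat (0 means it fits). */
size_t rephead_overrun(int max_hdr, size_t need) {
    size_t room = (max_hdr >= 0 && (size_t)max_hdr < MHLEN)
                      ? MHLEN - (size_t)max_hdr : 0;
    return need > room ? need - room : 0;
}

/* The check the fix asks for: does the reply header fit after max_hdr? */
int rephead_fits(int max_hdr, size_t need) {
    return rephead_overrun(max_hdr, need) == 0;
}

/* Hardened reply-header setup: advances m_data by max_hdr and copies the
 * 32-bit reply words only when they provably fit; returns -1 otherwise so
 * the caller can fall back to an mbuf cluster or a second mbuf instead of
 * overwriting whatever object follows the mbuf in memory. */
int nfs_rephead_checked(struct mbuf *m, int max_hdr,
                        const uint32_t *words, size_t nwords) {
    size_t need = nwords * NFSX_UNSIGNED;
    m->m_data = m->m_dat;
    m->m_len = 0;
    if (!rephead_fits(max_hdr, need))
        return -1;
    m->m_data += max_hdr;
    memcpy(m->m_data, words, need);
    m->m_len = (int)need;
    return 0;
}
```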
>Audit-Trail:
>Unformatted: