mirror of https://github.com/opnsense/src.git, synced 2026-05-16 11:09:35 -04:00

Michael Dexter <editor@callfortesting.org> reported a crash in FreeNAS, where the first argument to clnt_bck_svccall() was no longer valid. This argument is a pointer to the callback CLIENT structure, which is free'd when the associated NFSv4 ClientID is free'd.

This appears to have occurred because a callback reply was still in the socket receive queue when the CLIENT structure was free'd.

This patch acquires a reference count on the CLIENT that is not CLNT_RELEASE()'d until the socket structure is destroyed. This should guarantee that the CLIENT structure is still valid when clnt_bck_svccall() is called. It also adds a check for closed or closing to clnt_bck_svccall() so that it will not process the callback RPC reply message after the ClientID is free'd.

(cherry picked from commit

| Name | | |
|---|---|---|
| rpcsec_gss | ||
| rpcsec_tls | ||
| auth.h | ||
| auth_none.c | ||
| auth_unix.c | ||
| authunix_prot.c | ||
| clnt.h | ||
| clnt_bck.c | ||
| clnt_dg.c | ||
| clnt_rc.c | ||
| clnt_stat.h | ||
| clnt_vc.c | ||
| getnetconfig.c | ||
| krpc.h | ||
| netconfig.h | ||
| nettype.h | ||
| pmap_prot.h | ||
| replay.c | ||
| replay.h | ||
| rpc.h | ||
| rpc_callmsg.c | ||
| rpc_com.h | ||
| rpc_generic.c | ||
| rpc_msg.h | ||
| rpc_prot.c | ||
| rpcb_clnt.c | ||
| rpcb_clnt.h | ||
| rpcb_prot.c | ||
| rpcb_prot.h | ||
| rpcm_subs.h | ||
| rpcsec_gss.h | ||
| rpcsec_tls.h | ||
| svc.c | ||
| svc.h | ||
| svc_auth.c | ||
| svc_auth.h | ||
| svc_auth_unix.c | ||
| svc_dg.c | ||
| svc_generic.c | ||
| svc_vc.c | ||
| types.h | ||
| xdr.h | ||