From 7f9161735d514ab289c27c62f4a0358b3862195f Mon Sep 17 00:00:00 2001
From: Colin Percival
Date: Wed, 14 Feb 2007 22:30:33 +0000
Subject: Correct problems with locking, namei leakage, and symlink creation in the NFS subsystem.
Approved by: so (cperciva)
Submitted by: re (hrs)
Errata: FreeBSD-EN-07:01.nfs
---
 sys/nfsserver/nfs_srvsubs.c | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)
(limited to 'sys/nfsserver/nfs_srvsubs.c')
diff --git a/sys/nfsserver/nfs_srvsubs.c b/sys/nfsserver/nfs_srvsubs.c
index 912b5a7bf20b9..41adae0f0da19 100644
--- a/sys/nfsserver/nfs_srvsubs.c
+++ b/sys/nfsserver/nfs_srvsubs.c
@@ -875,6 +875,10 @@ nfs_namei(struct nameidata *ndp, fhandle_t *fhp, int len,
 }
 if (!lockleaf)
 cnp->cn_flags &= ~LOCKLEAF;
+ if (cnp->cn_flags & GIANTHELD) {
+ mtx_unlock(&Giant);
+ cnp->cn_flags &= ~GIANTHELD;
+ }
 /*
 * nfs_namei() guarentees that fields will not contain garbage
@@ -1331,6 +1335,24 @@ nfsm_srvnamesiz_xx(int *s, int m, struct mbuf **md, caddr_t *dpos)
 return 0;
 }
+int
+nfsm_srvnamesiz0_xx(int *s, int m, struct mbuf **md, caddr_t *dpos)
+{
+ u_int32_t *tl;
+
+ NFSD_LOCK_DONTCARE();
+
+ tl = nfsm_dissect_xx_nonblock(NFSX_UNSIGNED, md, dpos);
+ if (tl == NULL)
+ return EBADRPC;
+ *s = fxdr_unsigned(int32_t, *tl);
+ if (*s > m)
+ return NFSERR_NAMETOL;
+ if (*s < 0)
+ return EBADRPC;
+ return 0;
+}
+
 void
 nfsm_clget_xx(u_int32_t **tl, struct mbuf *mb, struct mbuf **mp, char **bp, char **be, caddr_t bpos, int droplock)
--
cgit v1.2.3
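Review bot: The added Giant release in nfs_namei() carries no comment saying where GIANTHELD gets set or why the mutex must be dropped at exactly this point, which makes the lock hand-off hard to audit later. A short comment above the `if` would help, along the lines of `/* Giant may still be held from the lookup (GIANTHELD); release it and clear the flag before returning. */`, with the wording adjusted to match what the code before the hunk actually does. The function starts and ends outside the hunk, so it cannot be checked from here whether every earlier error exit also passes through this release; that is worth confirming.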
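Review bot: nfsm_srvnamesiz0_xx() stores the length taken from the request into `*s` before either range check runs, so on the NFSERR_NAMETOL and EBADRPC returns the caller's variable is left holding an unvalidated, possibly negative or oversized, value. Decoding into a local first, `int32_t len = fxdr_unsigned(int32_t, *tl);`, checking `len`, and doing `*s = len;` just before `return 0;` would keep the untrusted value out of caller state on failure. The helper above it (only its tail is visible in the hunk) may follow the same pattern, so confirm that callers never read `*s` after a nonzero return. A header comment stating that this variant accepts a zero-length name, which is what the `*s < 0` test implies, would also tell callers they must handle an empty name.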