m_split0(): If the newly allocated mbuf holds only the header,

don't forget to set m_len to 0. Otherwise whatever will compute the size
of this chain (including s_split() itself if called again on this chain)
will get it wrong, leading to various issues.

Bug exposed by the NFS server code with Linux clients using TCP mounts.

bouyer 2009-04-05 16:31:21 +00:00
parent dc1b0e5339
commit f8059f7e67

@ -1,4 +1,4 @@
/* $NetBSD: uipc_mbuf.c,v 1.131 2009/03/15 17:14:40 cegger Exp $ */
/* $NetBSD: uipc_mbuf.c,v 1.132 2009/04/05 16:31:21 bouyer Exp $ */
/*-
* Copyright (c) 1999, 2001 The NetBSD Foundation, Inc.
@ -62,7 +62,7 @@
*/
#include <sys/cdefs.h>
__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.131 2009/03/15 17:14:40 cegger Exp $");
__KERNEL_RCSID(0, "$NetBSD: uipc_mbuf.c,v 1.132 2009/04/05 16:31:21 bouyer Exp $");
#include "opt_mbuftrace.h"
#include "opt_ddb.h"
@ -1056,6 +1056,7 @@ m_split0(struct mbuf *m0, int len0, int wait, int copyhdr)
if (remain > MHLEN) {
/* m can't be the lead packet */
MH_ALIGN(n, 0);
n->m_len = 0;
n->m_next = m_split(m, len, wait);
if (n->m_next == 0) {
(void) m_free(n);
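Review bot: The added `n->m_len = 0;` is in the right place, between `MH_ALIGN(n, 0);` and the `m_split(m, len, wait)` call in the `remain > MHLEN` branch: `n` is a freshly allocated mbuf that carries only the packet header, and nothing else in this branch ever writes its `m_len`, so any code summing `m_len` over the chain (including the cleanup path where `m_split` fails and `m_free(n)` runs) would read an uninitialised length. Two follow-ups worth considering: a short comment next to the assignment saying that `n` holds the header and no data, so a reader does not mistake the zero for an error, and a check that the other branch of this `if` (not shown in the hunk) initialises `m_len` on every path as well, since the same stale-length problem would apply there.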