xnu-4570.71.2.tar.gz

[apple/xnu.git] / bsd / nfs / nfs_vfsops.c

diff --git a/bsd/nfs/nfs_vfsops.c b/bsd/nfs/nfs_vfsops.c
index 89f6ca9566ccf1f31bfe10f3ffe425ec46189f36..a5fc908b504c5aa94bec4e59bea17ca97d99c55a 100644 (file)
--- a/bsd/nfs/nfs_vfsops.c
+++ b/bsd/nfs/nfs_vfsops.c
@@ -2328,6 +2328,9 @@ nocomponents:
                nfsmout_if(error);
                nfsm_chain_op_check(error, &nmrep, NFS_OP_GETFH);
                nfsm_chain_get_32(error, &nmrep, fh.fh_len);
+               if (fh.fh_len > sizeof(fh.fh_data))
+                       error = EBADRPC;
+               nfsmout_if(error);
                nfsm_chain_get_opaque(error, &nmrep, fh.fh_len, fh.fh_data);
                nfsm_chain_op_check(error, &nmrep, NFS_OP_GETATTR);
                if (!error) {
@@ -3030,8 +3033,7 @@ mountnfs(
                        error = ENOMEM;
                xb_get_32(error, &xb, nmp->nm_fh->fh_len);
                nfsmerr_if(error);
-               if (nmp->nm_fh->fh_len < 0 ||
-                   (size_t)nmp->nm_fh->fh_len > sizeof(nmp->nm_fh->fh_data))
+               if ((size_t)nmp->nm_fh->fh_len > sizeof(nmp->nm_fh->fh_data))
                        error = EINVAL;
                else
                        error = xb_get_bytes(&xb, (char*)&nmp->nm_fh->fh_data[0], nmp->nm_fh->fh_len, 0);
@@ -4458,6 +4460,7 @@ nfs_mount_zombie(struct nfsmount *nmp, int nm_state_flags)
        if ((nmp->nm_vers >= NFS_VER4) && nmp->nm_renew_timer) {
                thread_call_cancel(nmp->nm_renew_timer);
                thread_call_free(nmp->nm_renew_timer);
+               nmp->nm_renew_timer = NULL;
        }
 
        lck_mtx_unlock(&nmp->nm_lock);
@@ -4483,6 +4486,7 @@ nfs_mount_zombie(struct nfsmount *nmp, int nm_state_flags)
                if (nmp->nm_longid->nci_id)
                        FREE(nmp->nm_longid->nci_id, M_TEMP);
                FREE(nmp->nm_longid, M_TEMP);
+               nmp->nm_longid = NULL;
                lck_mtx_unlock(nfs_global_mutex);
        }