this just in from the bugtraq mailing list. i figure *some* of us probably aren't on that. i also don't expect thousands of people to be trying this exploit, but given that it's just gone out on bugtraq, if your toaster panics anytime soon, you might want to bear this in mind.
needless to say, i haven't tried it. anyone want to have a go?
Tom Yates - Unix Chap - The Mathworks, Inc. - +1 (508) 647 7561 MAG#65061 DoD#0135 AMA#461546 1024/CFDFDE39 0C E7 46 60 BB 96 87 05 04 BD FB F8 BB 20 C1 8C
---------- Forwarded message ----------
Date: Wed, 5 Nov 1997 21:34:00 -0800
From: "Dmitry Kohmanyuk" dk@GENESYSLAB.COM
To: BUGTRAQ@NETSPACE.ORG
Subject: netapp NFS server crash by FreeBSD client [w/patch]
this is only relevant to those using NetApp NFS file servers.
background:
there are 2 versions of NFS in town, v2 and v3. In v3, one of the things introduced was the ability to read the names of files in a directory while stat(2)ing them at the same time; the procedure name is readdirplus. It can be used to speed up programs like ls(1).
Apparently, the NFS code in FreeBSD 2.2 (derived from 4.4BSD code, so perhaps this applies to all of the modern BSD systems here) allows the client to specify this in mount options without using NFS v3.
This meaningless set of options panics the NetApp file server.
the following simple patch (attached) for /usr/src/sys/nfs/nfs_bio.c fixes this problem.
--- nfs_bio.c.ok Wed Nov 5 20:11:17 1997 +++ nfs_bio.c Wed Nov 5 20:14:06 1997 @@ -1031,6 +1031,8 @@ case VDIR: nfsstats.readdir_bios++; uiop->uio_offset = ((u_quad_t)bp->b_lblkno) * NFS_DIRBLKSIZ; + if (!(nmp->nm_flag & NFSMNT_NFSV3)) + nmp->nm_flag &= ~NFSMNT_RDIRPLUS; /* dk@farm.org */ if (nmp->nm_flag & NFSMNT_RDIRPLUS) { error = nfs_readdirplusrpc(vp, uiop, cr); if (error == NFSERR_NOTSUPP)
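Review bot: clearing NFSMNT_RDIRPLUS inside the VDIR case corrects the flag only once a directory read reaches this code, and it does so by rewriting nmp->nm_flag as a side effect of I/O. Consider rejecting or clearing the flag at the point where the mount options are accepted, so that nm_flag never holds NFSMNT_RDIRPLUS without NFSMNT_NFSV3, and keep the check here at most as a read-only guard that tests both flags before calling nfs_readdirplusrpc. The comment /* dk@farm.org */ records who made the change but not why; a short note that readdirplus exists only in NFS v3 would serve later readers better.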
> this just in from the bugtraq mailing list. i figure *some* of us probably aren't on that. i also don't expect thousands of people to be trying this exploit, but given that it's just gone out on bugtraq, if your toaster panics anytime soon, you might want to bear this in mind.
> needless to say, i haven't tried it. anyone want to have a go?
If you get a crash, pleeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeease send us the core dump - we have no FreeBSD machines in house (Linux seems to be the preferred flavor amongst UNIX-on-PC people here, at least in engineering).
You wrote:
> If you get a crash, pleeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeease send us the core dump - we have no FreeBSD machines in house (Linux seems to be the preferred flavor amongst UNIX-on-PC people here, at least in engineering).
Given that many of your customers use FreeBSD in some reasonable quantity, do you have plans to create a FreeBSD testing environment in your lab? I would certainly feel more comfortable using FreeBSD clients if I knew that you guys were at least testing with it.
Thanks,
Tripp