The attached patch fixes a buffer overflow vulnerability and fixes building on

FreeBSD 7.0. Furthermore nbd.h has been updated to a version from a newer
Linux kernel.

Requested by:	remko

3 files changed, 41 insertions, 19 deletions

diff --git a/net/nbd-server/Makefile b/net/nbd-server/Makefile
index 9bcc6cdd991b..7ae01e820816 100644
--- a/net/nbd-server/Makefile
+++ b/net/nbd-server/Makefile
@@ -7,6 +7,7 @@
 
 PORTNAME=	nbd-server
 PORTVERSION=	2.8.2
+PORTREVISION=	1
 CATEGORIES=	net
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE}
 MASTER_SITE_SUBDIR=	nbd
@@ -25,13 +26,7 @@ CONFIGURE_ARGS=	--prefix=${PREFIX} --enable-lfs --enable-syslog
 PLIST_FILES=	bin/nbd-server
 MAN1=		nbd-server.1
 
-.include <bsd.port.pre.mk>
-
-.if ${OSVERSION} >= 700000
-BROKEN=		"GCC fails on FreeBSD >= 7.0"
-.endif
-
 post-extract:
 	@${CP} ${FILESDIR}/nbd.h ${WRKSRC}
 
-.include <bsd.port.post.mk>
+.include <bsd.port.mk>
diff --git a/net/nbd-server/files/nbd.h b/net/nbd-server/files/nbd.h
index dcb0228efcae..090e210e98f0 100644
--- a/net/nbd-server/files/nbd.h
+++ b/net/nbd-server/files/nbd.h
@@ -8,6 +8,8 @@
  * 2003/06/24 Louis D. Langholtz <ldl@aros.net>
  *            Removed unneeded blksize_bits field from nbd_device struct.
  *            Cleanup PARANOIA usage & code.
+ * 2004/02/19 Paul Clements
+ *            Removed PARANOIA, plus various cleanup and comments
  */
 
 #ifndef LINUX_NBD_H
@@ -32,22 +34,19 @@ enum {
 #define nbd_cmd(req) ((req)->cmd[0])
 #define MAX_NBD 128
 
-/* Define PARANOIA to include extra sanity checking code in here & driver */
-#define PARANOIA
-
 /* userspace doesn't need the nbd_device structure */
 #ifdef __KERNEL__
 
+/* values for flags field */
+#define NBD_READ_ONLY 0x0001
+#define NBD_WRITE_NOCHK 0x0002
+
 struct nbd_device {
 	int flags;
 	int harderror;		/* Code of hard error			*/
-#define NBD_READ_ONLY 0x0001
-#define NBD_WRITE_NOCHK 0x0002
 	struct socket * sock;
 	struct file * file; 	/* If == NULL, device is not ready, yet	*/
-#ifdef PARANOIA
-	int magic;		/* FIXME: not if debugging is off	*/
-#endif
+	int magic;
 	spinlock_t queue_lock;
 	struct list_head queue_head;/* Requests are added here...	*/
 	struct semaphore tx_lock;
@@ -58,16 +57,14 @@ struct nbd_device {
 
 #endif
 
-/* This now IS in some kind of include file...	*/
-
-/* These are send over network in request/reply magic field */
+/* These are sent over the network in the request/reply magic fields */
 
 #define NBD_REQUEST_MAGIC 0x25609513
 #define NBD_REPLY_MAGIC 0x67446698
 /* Do *not* use magics: 0x12560953 0x96744668. */
 
 /*
- * This is packet used for communication between client and
+ * This is the packet used for communication between client and
  * server. All data are in network byte order.
  */
 struct nbd_request {
@@ -82,6 +79,10 @@ struct nbd_request {
 #endif
 ;
 
+/*
+ * This is the reply packet that nbd-server sends back to the client after
+ * it has completed an I/O request (or an error occurs).
+ */
 struct nbd_reply {
 	u32 magic;
 	u32 error;		/* 0 = ok, else error	*/
diff --git a/net/nbd-server/files/patch-nbd-server.c b/net/nbd-server/files/patch-nbd-server.c
new file mode 100644
index 000000000000..383f8961562c
--- /dev/null
+++ b/net/nbd-server/files/patch-nbd-server.c
@@ -0,0 +1,26 @@
+diff -urN nbd-2.8.2.orig/nbd-server.c nbd-2.8.2/nbd-server.c
+--- nbd-2.8.2.orig/nbd-server.c	Wed Nov  9 22:38:44 2005
++++ nbd-server.c	Thu Dec 22 16:04:47 2005
+@@ -363,11 +363,11 @@
+  * is severely wrong)
+  **/
+ void sigchld_handler(int s) {
+-        int* status=NULL;
++        int status;
+ 	int* i;
+ 	pid_t pid;
+ 
+-	while((pid=wait(status)) > 0) {
++	while ((pid = waitpid(-1, &status, WNOHANG)) > 0) {
+ 		if(WIFEXITED(status)) {
+ 			msg3(LOG_INFO, "Child exited with %d", WEXITSTATUS(status));
+ 		}
+@@ -684,7 +684,7 @@
+ 
+ 		if (request.magic != htonl(NBD_REQUEST_MAGIC))
+ 			err("Not enough magic.");
+-		if (len > BUFSIZE)
++		if (len > (BUFSIZE-sizeof(struct nbd_reply)))
+ 			err("Request too big!");
+ #ifdef DODBG
+ 		printf("%s from %Lu (%Lu) len %d, ", request.type ? "WRITE" :