Source-Changes-HG archive
[src/trunk]: src/sys/arch/sandpoint/stand/altboot Fix tftp boot with RTL8169/...
details:   https://anonhg.NetBSD.org/src/rev/4273e85679af
branches:  trunk
changeset: 953925:4273e85679af
user:      rin <rin%NetBSD.org@localhost>
date:      Thu Mar 25 03:44:25 2021 +0000
description:
Fix tftp boot with RTL8169/8110.
When sending frame shorter than 60 octets, we add trailing \0's to
payload to construct 60-octet frame.
rge.c rev 1.4--1.7 did this tail-padding on buffer provided by caller,
which results in memory corruption if buffer is shorter than 60 bytes.
Instead, allocate temporary buffer on stack, and work on it.
This bug affects tftp_getnextblock() compiled by GCC8 and later, by
which stack layout has drastically changed. However, even with GCC7,
if tftp.c is compiled with -O0, the bug becomes tangible.
diffstat:
 sys/arch/sandpoint/stand/altboot/rge.c |  8 ++++++--
 1 files changed, 6 insertions(+), 2 deletions(-)
diffs (26 lines):
diff -r 85b98396c918 -r 4273e85679af sys/arch/sandpoint/stand/altboot/rge.c
--- a/sys/arch/sandpoint/stand/altboot/rge.c    Thu Mar 25 01:42:53 2021 +0000
+++ b/sys/arch/sandpoint/stand/altboot/rge.c    Thu Mar 25 03:44:25 2021 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: rge.c,v 1.7 2012/12/25 17:07:06 phx Exp $ */
+/* $NetBSD: rge.c,v 1.8 2021/03/25 03:44:25 rin Exp $ */
 
 /*-
  * Copyright (c) 2007 The NetBSD Foundation, Inc.
@@ -235,11 +235,15 @@
        struct local *l = dev;
        volatile struct desc *txd;
        unsigned loop, ret;
+       char tmp[60];
 
        ret = len;
+       /* RTL does not stretch <60 Tx frame */
        if (len < 60) {
+               memcpy(tmp, buf, len);
+               buf = tmp;
                memset(buf + len, 0, 60 - len);
-               len = 60; /* RTL does not stretch <60 Tx frame */
+               len = 60;
        }
        wbinv(buf, len);
        txd = &l->txd[l->tx];
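
Review bot: in the `len < 60` branch, `buf = tmp` makes a stack array the buffer that is passed to `wbinv(buf, len)` and then used for the Tx descriptor set up after `txd = &l->txd[l->tx];`, so the padded frame only exists until this function returns. The rest of the function is not visible in this hunk; please confirm that every return path waits for the chip to finish with the descriptor (the `loop` counter suggests a completion poll), otherwise the device can read stack memory that has already been reused. A smaller point: the literal 60 now appears in the array size, the comparison, the memset and the assignment; a named constant, or `sizeof(tmp)` in the memset and the assignment, would keep them from drifting apart.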