bug-grub

tftp bug when seeking back


From: Frank Mehnert
Subject: tftp bug when seeking back
Date: Wed, 19 Sep 2001 09:55:36 +0200

Hi,

Since GRUB is able to load ELF symbols, GRUB crashes if the ELF kernel
contains symbols and the kernel image is to be read from network
((nd)/tftpboot/ directory, line ). I've tracked down what goes wrong:

In file netboot/fsys_tftp.c in function tftp_read(), the file is
reopened if the new seek position is less than the current seek position
of the file (filepos < saved_filepos). In that case, an rrq request is
sent to the TFTP server:


  (line 324)
  if (filepos < saved_filepos)
    {
      /* Uggh.. FILEPOS has been moved backwards. So reopen the file.  */
      buf_read = 0;
      buf_fill (1);
      grub_memmove ((char *) &tp, (char *) &saved_tp, saved_len);
      len = saved_len;

      ...
 
      if (! send_rrq ())
        {
          errnum = ERR_WRITE;
          return 0;
        }
    }

  while (size > 0)
    {
      int amt = buf_read + saved_filepos - filepos;
 
      ...

But after that, the buf_read value is decremented by FSYS_BUFLEN / 2
and gets _negative_ (because it was 0 before):

     (line 372)
      /* If the size of the empty space becomes small, move the unused
         data forwards.  */
      if (filepos - saved_filepos > FSYS_BUFLEN / 2)
        {
          grub_memmove (buf, buf + FSYS_BUFLEN / 2, FSYS_BUFLEN / 2);
          buf_read -= FSYS_BUFLEN / 2;
          saved_filepos += FSYS_BUFLEN / 2;
        }

That is wrong because buf_read is the offset into buf.
The following patch should resolve the problem, but please could
someone who is responsible for the network stuff take a look at it?

Index: netboot/fsys_tftp.c
===================================================================
RCS file: /cvs/grub/netboot/fsys_tftp.c,v
retrieving revision 1.11
diff -u -r1.11 fsys_tftp.c
--- netboot/fsys_tftp.c 2000/05/25 04:54:05     1.11
+++ netboot/fsys_tftp.c 2001/09/19 07:52:08
@@ -348,6 +348,13 @@
          errnum = ERR_WRITE;
          return 0;
        }
+
+      if (! buf_fill (0))
+       {
+         errnum = ERR_READ;
+         return 0;
+       }
+
     }
 
   while (size > 0)
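
Review bot: The added `if (! buf_fill (0))` after `send_rrq ()` only covers the reopen path, while the compaction block quoted from line 372 still executes `buf_read -= FSYS_BUFLEN / 2` without checking that buf_read is at least FSYS_BUFLEN / 2, so the negative offset described in the report can recur whenever that block is reached with less data buffered than the fix assumes. Since buf_read is used as an offset into buf, consider also guarding the compaction (for example by requiring `buf_read >= FSYS_BUFLEN / 2` in its condition) or stating in a comment why buf_fill (0) guarantees it. Two smaller points: the hunk does not show whether buf_fill () already sets errnum on failure, in which case assigning ERR_READ here would overwrite a more specific code, and the empty `+` line before the closing brace can be dropped.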

Frank
-- 
Frank Mehnert
## Dept. of Computer Science, Dresden University of Technology, Germany ##
## E-Mail: address@hidden    http://os.inf.tu-dresden.de/~fm3 ##


