diff options
author | H. Peter Anvin <hpa@linux.intel.com> | 2010-06-25 13:13:11 -0700 |
---|---|---|
committer | H. Peter Anvin <hpa@linux.intel.com> | 2010-06-25 13:13:11 -0700 |
commit | d61a4a879b6a6a875b06e3cb461470b82b0ecb41 (patch) | |
tree | be1df569cf4d1648e10335e4614c9e9adccf81b8 /core/fs | |
parent | bfc223004955a1bfdf1651d4a21e0546d2cd47fc (diff) | |
download | syslinux-d61a4a879b6a6a875b06e3cb461470b82b0ecb41.tar.gz |
pxe: don't corrupt the length of an RRQ packet on retry
Due to double use of the variable "buf", we would end up corrupting
the length, but not the contents, of an RRQ packet if we ended up
having to re-send. Some TFTP servers ignored the extra garbage
(including tftp-hpa), others would refuse to accept the RRQ, causing
failures.
Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
Diffstat (limited to 'core/fs')
-rw-r--r-- | core/fs/pxe/pxe.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/core/fs/pxe/pxe.c b/core/fs/pxe/pxe.c index 369af5df..dd209fcf 100644 --- a/core/fs/pxe/pxe.c +++ b/core/fs/pxe/pxe.c @@ -659,6 +659,7 @@ static void pxe_searchdir(const char *filename, struct file *file) int i = 0; int err; int buffersize; + int rrq_len; const uint8_t *timeout_ptr; uint32_t timeout; uint32_t oldtime; @@ -743,6 +744,8 @@ static void pxe_searchdir(const char *filename, struct file *file) memcpy(buf, rrq_tail, sizeof rrq_tail); buf += sizeof rrq_tail; + rrq_len = buf - rrq_packet_buf; + inode = allocate_socket(fs); if (!inode) return; /* Allocation failure */ @@ -787,7 +790,7 @@ sendreq: udp_write.gw = gateway(udp_write.ip); udp_write.src_port = tid; udp_write.dst_port = server_port; - udp_write.buffer_size = buf - rrq_packet_buf; + udp_write.buffer_size = rrq_len; pxe_call(PXENV_UDP_WRITE, &udp_write); /* If the WRITE call fails, we let the timeout take care of it... */ |