[syslinux] [PATCH] pxelinux corrupts ipappend-ed paramaters...

Sun Feb 29 18:11:52 PST 2004

Attached patch addresses following problems with pxelinux:

1. If a x0y number is present in ip address to be ipappend-ed, middle
   zero is omitted, e.g. 192.168.0.109 is passed as 192.168.0.19.

2. UDP port numbers allocated by pxelinux.0 are 100% predictable,
   which might cause trouble when client reboots too fast for orphaned
   tftpd process to time out.

The latter problem is [suggested to be] addressed in two ways:
a) port number can be randomized with timer value; b) pxelinux should
discards datagrams submitted by orphaned tftpd process.

The patch is applicable to both 2.08 and 2.09-preX. Please note that
I'm not subscribed to the list, so keep me on Cc: A lot of thanks in
advance. A.

8<--------8<--------8<--------8<--------8<--------8<--------8<--------

--- ./pxelinux.asm.orig	Mon Dec  8 22:17:08 2003
+++ ./pxelinux.asm	Mon Mar  1 02:35:58 2004
@@ -590,6 +590,56 @@
 		add ax,PKTBUF_SIZE
 		loop .setbufptr
 
+%if 1
+;
+; Seed NextSocket...
+;
+%if 1
+	push	ebx
+	push	edx
+	push	ecx
+		xor	eax,eax
+
+		pushfd
+		pop	eax
+        	mov	edx,eax
+        	xor	eax,1<<21	; EFLAGS.ID
+        	push	eax
+        	popfd
+        	pushfd
+        	pop	eax
+        	xor	eax,edx
+        	and	eax,1<<21
+        	jz	.skip_rdtsc
+        	mov	eax,1
+		cpuid
+        	and	edx,1<<4	; TSC
+        	jz      .skip_rdtsc
+		rdtsc
+		or	[NextSocket],ax
+.skip_rdtsc
+	pop	ecx
+	pop	edx
+	pop	ebx
+%endif
+%macro  udelay 0
+	jmp short %%skip
+%%skip:	rep nop
+%endmacro
+		xor	eax,eax
+		cli		; disable interrupts
+		or	al, 80h	; disable NMI?
+		out	70h,al	; write to indexport 70h
+		udelay
+		in	al,71h	; read from dataport 71h
+		udelay
+		mov	ah,al	; store in AH
+		xor	al,al	; AL = 0
+		out	70h,al	; enable NMI
+		udelay
+		sti		; enable interrupts
+		xor	[NextSocket],ah
+%endif
 ;
 ; Now attempt to get the BOOTP/DHCP packet that brought us life (and an IP
 ; address).  This lives in the DHCPACK packet (query info 2).
@@ -1785,6 +1835,10 @@
 .recv_ok:	pop dx				; <F>
 		pop cx				; <E>
 
+		mov	ax,[si+tftp_remoteport]
+		cmp	ax,[pxe_udp_read_pkt.rport]
+		jne	.wait_data		; data from orphaned tftpd
+.port_ok:
 		cmp word [pxe_udp_read_pkt.buffersize],byte 4
 		jb .wait_data			; Bad size for a DATA packet
 
@@ -2034,6 +2088,8 @@
 		mov cx,4
 .genchar:
 		push eax
+		cmp al,10
+		jb .lt10
 		cmp al,100
 		jb .lt100
 
@@ -2044,9 +2100,6 @@
 		inc di
 
 .lt100:
-		cmp al,10
-		jb .lt10
-
 		aam 10
 		; Now AH = 10-digit; AL = remainder
 		add ah,'0'


