[syslinux] [PATCH] EFI TCP buffer reuse bug
Joshua.Weage at dell.com
Joshua.Weage at dell.com
Tue Nov 21 13:55:40 PST 2017
The attached patch resolves a buffer reuse bug in the efi/tcp.c code. The bug can be triggered when multiple TCP connections are opened when using the EFI bootloader.
Signed-off-by: Joshua Weage <joshua.weage at dell.com>
---
--- master/core/fs/pxe/pxe.h 2017-07-22 14:45:46.561674329 -0500
+++ jw/core/fs/pxe/pxe.h 2017-07-23 19:44:46.466498950 -0500
@@ -144,6 +144,7 @@ struct pxe_pvt_inode {
uint8_t tftp_goteof; /* 1 if the EOF packet received */
uint8_t tftp_unused[3]; /* Currently unused */
char *tftp_pktbuf; /* Packet buffer */
+ char tcp_databuf[8192]; /* data buffer */
struct inode *ctl; /* Control connection (for FTP) */
const struct pxe_conn_ops *ops;
};
--- master/efi/tcp.c 2017-07-22 14:45:46.628674366 -0500
+++ jw/efi/tcp.c 2017-07-24 09:24:37.072922478 -0500
@@ -199,8 +199,6 @@ void core_tcp_close_file(struct inode *i
socket->net.efi.binding = NULL;
}
-static char databuf[8192];
-
void core_tcp_fill_buffer(struct inode *inode)
{
struct pxe_pvt_inode *socket = PVT(inode);
@@ -210,7 +208,6 @@ void core_tcp_fill_buffer(struct inode *
EFI_TCP4_FRAGMENT_DATA *frag;
EFI_STATUS status;
EFI_TCP4 *tcp = (EFI_TCP4 *)b->this;
- void *data;
size_t len;
memset(&iotoken, 0, sizeof(iotoken));
@@ -223,10 +220,10 @@ void core_tcp_fill_buffer(struct inode *
iotoken.Packet.RxData = &rxdata;
rxdata.FragmentCount = 1;
- rxdata.DataLength = sizeof(databuf);
+ rxdata.DataLength = sizeof(socket->tcp_databuf);
frag = &rxdata.FragmentTable[0];
- frag->FragmentBuffer = databuf;
- frag->FragmentLength = sizeof(databuf);
+ frag->FragmentBuffer = socket->tcp_databuf;
+ frag->FragmentLength = sizeof(socket->tcp_databuf);
status = uefi_call_wrapper(tcp->Receive, 2, tcp, &iotoken);
if (status == EFI_CONNECTION_FIN) {
@@ -244,10 +241,8 @@ void core_tcp_fill_buffer(struct inode *
cb_status = -1;
len = frag->FragmentLength;
- memcpy(databuf, frag->FragmentBuffer, len);
- data = databuf;
- socket->tftp_dataptr = data;
+ socket->tftp_dataptr = socket->tcp_databuf;
socket->tftp_filepos += len;
socket->tftp_bytesleft = len;
More information about the Syslinux
mailing list