[syslinux] [PATCH] EFI TCP buffer reuse bug

Joshua.Weage at dell.com Joshua.Weage at dell.com
Tue Nov 21 13:55:40 PST 2017 

The attached patch resolves a buffer reuse bug in the efi/tcp.c code. The bug can be triggered when multiple TCP connections are opened when using the EFI bootloader. 

Signed-off-by: Joshua Weage <joshua.weage at dell.com>

---
--- master/core/fs/pxe/pxe.h	2017-07-22 14:45:46.561674329 -0500
+++ jw/core/fs/pxe/pxe.h	2017-07-23 19:44:46.466498950 -0500
@@ -144,6 +144,7 @@ struct pxe_pvt_inode {
     uint8_t  tftp_goteof;         /* 1 if the EOF packet received */
     uint8_t  tftp_unused[3];      /* Currently unused */
     char    *tftp_pktbuf;         /* Packet buffer */
+    char     tcp_databuf[8192];   /* data buffer */
     struct inode *ctl;	          /* Control connection (for FTP) */
     const struct pxe_conn_ops *ops;
 };
--- master/efi/tcp.c	2017-07-22 14:45:46.628674366 -0500
+++ jw/efi/tcp.c	2017-07-24 09:24:37.072922478 -0500
@@ -199,8 +199,6 @@ void core_tcp_close_file(struct inode *i
     socket->net.efi.binding = NULL;
 }
 
-static char databuf[8192];
-
 void core_tcp_fill_buffer(struct inode *inode)
 {
     struct pxe_pvt_inode *socket = PVT(inode);
@@ -210,7 +208,6 @@ void core_tcp_fill_buffer(struct inode *
     EFI_TCP4_FRAGMENT_DATA *frag;
     EFI_STATUS status;
     EFI_TCP4 *tcp = (EFI_TCP4 *)b->this;
-    void *data;
     size_t len;
 
     memset(&iotoken, 0, sizeof(iotoken));
@@ -223,10 +220,10 @@ void core_tcp_fill_buffer(struct inode *
 
     iotoken.Packet.RxData = &rxdata;
     rxdata.FragmentCount = 1;
-    rxdata.DataLength = sizeof(databuf);
+    rxdata.DataLength = sizeof(socket->tcp_databuf);
     frag = &rxdata.FragmentTable[0];
-    frag->FragmentBuffer = databuf;
-    frag->FragmentLength = sizeof(databuf);
+    frag->FragmentBuffer = socket->tcp_databuf;
+    frag->FragmentLength = sizeof(socket->tcp_databuf);
 
     status = uefi_call_wrapper(tcp->Receive, 2, tcp, &iotoken);
     if (status == EFI_CONNECTION_FIN) {
@@ -244,10 +241,8 @@ void core_tcp_fill_buffer(struct inode *
     cb_status = -1;
 
     len = frag->FragmentLength;
-    memcpy(databuf, frag->FragmentBuffer, len);
-    data = databuf;
 
-    socket->tftp_dataptr = data;
+    socket->tftp_dataptr = socket->tcp_databuf;
     socket->tftp_filepos += len;
     socket->tftp_bytesleft = len;

More information about the Syslinux mailing list