At 16:02 -0800 12/7/00, Jim Browne wrote:
>When TFTP tries to open a file, it is expecting struct open_file 
>member f_devdata to be a pointer to a socket number.  When currdev 
>is "pxe", that assumption is correct.  When currdev is "disk*", that 
>assumption is incorrect.  Specifically, tftp.c does:
>
>tftpfile->iodesc = io = socktodesc(*(int *) (f->f_devdata));
>
>In my case, that often winds up making tftpfile->iodesc = 0.  That 
>parameter is later passed in tftp_makereq to sendrecv as the iodesc, 
>which via sendudp (and possibly the ARP functions) winds up calling 
>netif_put.  netif_put derefs the bogus iodesc to get a function 
>pointer for the put function of the network interface and calls it. 
>WHAM.  QED. :)

How does this look?

*** tftp.c      Thu Dec  7 16:20:02 2000
--- tftp2.c     Thu Dec  7 16:20:55 2000
*************** tftp_open(path, f)
*** 257,260 ****
--- 257,262 ----
 
         tftpfile->iodesc = io = socktodesc(*(int *) (f->f_devdata));
+       if (io == NULL)
+               return (EINVAL);
         io->destip = servip;
         tftpfile->off = 0;
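
Review bot: The added `if (io == NULL)` test sits after the `socktodesc(*(int *) (f->f_devdata))` line, so it only catches the case where the misread value makes socktodesc return NULL. The cast still reads f_devdata as a socket number whatever it points at, and when currdev is a disk and that integer happens to name a valid socket, tftp_open carries on with an unrelated iodesc. Consider rejecting a non-network device before dereferencing f_devdata, keeping the NULL check as a backstop. Separately, tftpfile->iodesc is already assigned when `return (EINVAL);` runs; if tftpfile was allocated earlier in tftp_open (not visible in this hunk), the early return should free it.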

(I suppose I could have included this earlier.  Ugh.)

Jim Browne                                                [EMAIL PROTECTED]
    "We lost our lease.  You lose culture" - sign on SF Arts Commission Bldg

