Module Name:    src
Committed By:   rin
Date:           Thu Mar 25 03:44:25 UTC 2021

Modified Files:
        src/sys/arch/sandpoint/stand/altboot: rge.c

Log Message:
Fix tftp boot with RTL8169/8110.

When sending a frame shorter than 60 octets, we add trailing \0's to
the payload to construct a 60-octet frame.

rge.c rev 1.4--1.7 did this tail-padding on the buffer provided by the
caller, which results in memory corruption if the buffer is shorter than
60 bytes.

Instead, allocate a temporary buffer on the stack, and work on it.

This bug affects tftp_getnextblock() compiled by GCC8 and later, by
which stack layout has drastically changed. However, even with GCC7,
if tftp.c is compiled with -O0, the bug becomes tangible.


To generate a diff of this commit:
cvs rdiff -u -r1.7 -r1.8 src/sys/arch/sandpoint/stand/altboot/rge.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: src/sys/arch/sandpoint/stand/altboot/rge.c
diff -u src/sys/arch/sandpoint/stand/altboot/rge.c:1.7 src/sys/arch/sandpoint/stand/altboot/rge.c:1.8
--- src/sys/arch/sandpoint/stand/altboot/rge.c:1.7	Tue Dec 25 17:07:06 2012
+++ src/sys/arch/sandpoint/stand/altboot/rge.c	Thu Mar 25 03:44:25 2021
@@ -1,4 +1,4 @@
-/* $NetBSD: rge.c,v 1.7 2012/12/25 17:07:06 phx Exp $ */
+/* $NetBSD: rge.c,v 1.8 2021/03/25 03:44:25 rin Exp $ */
 
 /*-
  * Copyright (c) 2007 The NetBSD Foundation, Inc.
@@ -235,11 +235,15 @@ rge_send(void *dev, char *buf, unsigned 
 	struct local *l = dev;
 	volatile struct desc *txd;
 	unsigned loop, ret;
+	char tmp[60];
 
 	ret = len;
+	/* RTL does not stretch <60 Tx frame */
 	if (len < 60) {
+		memcpy(tmp, buf, len);
+		buf = tmp;
 		memset(buf + len, 0, 60 - len);
-		len = 60; /* RTL does not stretch <60 Tx frame */
+		len = 60;
 	}
 	wbinv(buf, len);
 	txd = &l->txd[l->tx];
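
Review bot: In the `len < 60` branch, `buf = tmp;` means the frame passed to `wbinv(buf, len)` and, presumably, to the Tx descriptor fetched at `txd = &l->txd[l->tx];` now lives in rge_send()'s own stack frame, so its lifetime ends when the function returns. The rest of the function is not visible in this hunk; please confirm that every return path, including a timeout, is reached only after the chip has finished reading the buffer, and add a short comment next to `char tmp[60];` stating that requirement so a later change to the wait logic does not turn this into a DMA read from a dead stack slot. Separately, the literal 60 now appears in the array size, the comparison, the memset length and the assignment; a single named constant for the minimum frame length without CRC would keep them from drifting apart.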
