WinPE's pxeboot.n12 takes the BufferLimit returned by gPXE (indicating the size of gPXE's internal DHCP packet buffers) and erroneously passes it in as BufferSize (indicating the size of pxeboot.n12's DHCP packet buffer). If these don't match, then pxeboot.n12 ends up instructing gPXE to overwrite parts of its data segment. Change gPXE's internal DHCP packet buffers to be exactly sizeof(BOOTPLAYER_t) bytes to work around this problem.

16年前 · 1dd3f88964
--- a/src/interface/pxe/pxe_preboot.c
+++ b/src/interface/pxe/pxe_preboot.c
@@ -51,8 +51,18 @@ enum pxe_cached_info_indices {
 
				
				 /** A cached DHCP packet */
			
 
				
				 union pxe_cached_info {
			
 
				
				 	struct dhcphdr dhcphdr;
			
 
				
				-	char raw[ETH_FRAME_LEN];
			
 
				
				-};
			
 
				
				+	/* This buffer must be *exactly* the size of a BOOTPLAYER_t
			
 
				
				+	 * structure, otherwise WinPE will die horribly.  It takes the
			
 
				
				+	 * size of *our* buffer and feeds it in to us as the size of
			
 
				
				+	 * one of *its* buffers.  If our buffer is larger than it
			
 
				
				+	 * expects, we therefore end up overwriting part of its data
			
 
				
				+	 * segment, since it tells us to do so.  (D'oh!)
			
 
				
				+	 *
			
 
				
				+	 * Note that a BOOTPLAYER_t is not necessarily large enough to
			
 
				
				+	 * hold a DHCP packet; this is a flaw in the PXE spec.
			
 
				
				+	 */
			
 
				
				+	BOOTPLAYER_t packet;
			
 
				
				+} __attribute__ (( packed ));
			
 
				
				 
			
 
				
				 /* The case in which the caller doesn't supply a buffer is really
			
 
				
				  * awkward to support given that we have multiple sources of options,