Browse Source

[PXE] Work around a buffer-size bug in WinPE

WinPE's pxeboot.n12 takes the BufferLimit returned by gPXE (indicating
the size of gPXE's internal DHCP packet buffers) and erroneously passes
it in as BufferSize (indicating the size of pxeboot.n12's DHCP packet
buffer).  If these don't match, then pxeboot.n12 ends up instructing gPXE
to overwrite parts of its data segment.

Change gPXE's internal DHCP packet buffers to be exactly
sizeof(BOOTPLAYER_t) bytes to work around this problem.
tags/v0.9.4
Michael Brown 17 years ago
parent
commit
1dd3f88964
1 changed files with 12 additions and 2 deletions
  1. 12
    2
      src/interface/pxe/pxe_preboot.c

+ 12
- 2
src/interface/pxe/pxe_preboot.c View File

@@ -51,8 +51,18 @@ enum pxe_cached_info_indices {
51 51
 /** A cached DHCP packet */
52 52
 union pxe_cached_info {
53 53
 	struct dhcphdr dhcphdr;
54
-	char raw[ETH_FRAME_LEN];
55
-};
54
+	/* This buffer must be *exactly* the size of a BOOTPLAYER_t
55
+	 * structure, otherwise WinPE will die horribly.  It takes the
56
+	 * size of *our* buffer and feeds it in to us as the size of
57
+	 * one of *its* buffers.  If our buffer is larger than it
58
+	 * expects, we therefore end up overwriting part of its data
59
+	 * segment, since it tells us to do so.  (D'oh!)
60
+	 *
61
+	 * Note that a BOOTPLAYER_t is not necessarily large enough to
62
+	 * hold a DHCP packet; this is a flaw in the PXE spec.
63
+	 */
64
+	BOOTPLAYER_t packet;
65
+} __attribute__ (( packed ));
56 66
 
57 67
 /* The case in which the caller doesn't supply a buffer is really
58 68
  * awkward to support given that we have multiple sources of options,

Loading…
Cancel
Save