Date: Thu, 7 Dec 2000 16:29:49 -0800
From: Jim Browne <jbrowne@jbrowne.com>
To: Mike Smith <msmith@FreeBSD.ORG>, Matt Dillon <dillon@earth.backplane.com>
Cc: freebsd-stable@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: More on BTX halted / crashes trying to use -stable /boot/loader
Message-ID: <v04205507b655db9586be@[216.39.8.88]>
In-Reply-To: <v04205506b655ce747067@[216.39.8.88]>
References: <200012070813.eB78D7F00560@mass.osd.bsdi.com> <v04205506b655ce747067@[216.39.8.88]>
At 16:02 -0800 12/7/00, Jim Browne wrote:
>When TFTP tries to open a file, it is expecting struct open_file
>member f_devdata to be a pointer to a socket number. When currdev
>is "pxe", that assumption is correct. When currdev is "disk*", that
>assumption is incorrect. Specifically, tftp.c does:
>
>tftpfile->iodesc = io = socktodesc(*(int *) (f->f_devdata));
>
>In my case, that often winds up making tftpfile->iodesc = 0. That
>parameter is later passed in tftp_makereq to sendrecv as the iodesc,
>which via sendudp (and possibly the ARP functions) winds up calling
>netif_put. netif_put derefs the bogus iodesc to get a function
>pointer for the put function of the network interface and calls it.
>WHAM. QED. :)

How does this look?

*** tftp.c Thu Dec 7 16:20:02 2000 --- tftp2.c Thu Dec 7 16:20:55 2000 *************** tftp_open(path, f) *** 257,260 **** --- 257,262 ---- tftpfile->iodesc = io = socktodesc(*(int *) (f->f_devdata)); + if (io == NULL) + return (EINVAL); io->destip = servip; tftpfile->off = 0;

(I suppose I could have included this earlier. Ugh.)

Jim Browne jbrowne@jbrowne.com
"We lost our lease. You lose culture" - sign on SF Arts Commission Bldg

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
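
Review bot: The `io == NULL` check added after the `socktodesc(*(int *) (f->f_devdata))` line only catches the case where the lookup happens to return NULL; the cast and dereference of f->f_devdata still run when currdev is "disk*" and f_devdata is not a pointer to a socket number, and the quoted description says the result is "often" 0, not always. A non-NULL descriptor derived from unrelated data would pass this check and still reach netif_put. Consider rejecting the open before the dereference, by confirming that the file's device is a network device, and keep the NULL check as a second guard. If tftpfile is allocated earlier in tftp_open (not visible in this hunk), the early `return (EINVAL);` also needs to release it.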