From owner-freebsd-stable  Thu Dec  7 16:30:42 2000
From owner-freebsd-stable@FreeBSD.ORG  Thu Dec  7 16:30:38 2000
Return-Path: <owner-freebsd-stable@FreeBSD.ORG>
Delivered-To: freebsd-stable@freebsd.org
Received: from spoon.alink.net (spoon.alink.net [207.135.127.97])
	by hub.freebsd.org (Postfix) with ESMTP
	id ED5E737B400; Thu,  7 Dec 2000 16:30:37 -0800 (PST)
Received: from [216.39.8.88] (netility88.hq.netility.com [216.39.8.88])
	by spoon.alink.net (8.9.3/8.9.3) with ESMTP id QAA07928;
	Thu, 7 Dec 2000 16:30:33 -0800 (PST)
Mime-Version: 1.0
X-Sender: jbrowne@pop.alink.net
Message-Id: <v04205507b655db9586be@[216.39.8.88]>
In-Reply-To: <v04205506b655ce747067@[216.39.8.88]>
References: <200012070813.eB78D7F00560@mass.osd.bsdi.com>
 <v04205506b655ce747067@[216.39.8.88]>
Date: Thu, 7 Dec 2000 16:29:49 -0800
To: Mike Smith <msmith@FreeBSD.ORG>,
	Matt Dillon <dillon@earth.backplane.com>
From: Jim Browne <jbrowne@jbrowne.com>
Subject: Re: More on BTX halted / crashes trying to use -stable 
 /boot/loader
Cc: freebsd-stable@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Content-Type: text/plain; charset="us-ascii" ; format="flowed"
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

At 16:02 -0800 12/7/00, Jim Browne wrote:
>When TFTP tries to open a file, it is expecting struct open_file 
>member f_devdata to be a pointer to a socket number.  When currdev 
>is "pxe", that assumption is correct.  When currdev is "disk*", that 
>assumption is incorrect.  Specifically, tftp.c does:
>
>tftpfile->iodesc = io = socktodesc(*(int *) (f->f_devdata));
>
>In my case, that often winds up making tftpfile->iodesc = 0.  That 
>parameter is later passed in tftp_makereq to sendrecv as the iodesc, 
>which via sendudp (and possibly the ARP functions) winds up calling 
>netif_put.  netif_put derefs the bogus iodesc to get a function 
>pointer for the put function of the network interface and calls it. 
>WHAM.  QED. :)

How does this look?

*** tftp.c      Thu Dec  7 16:20:02 2000
--- tftp2.c     Thu Dec  7 16:20:55 2000
*************** tftp_open(path, f)
*** 257,260 ****
--- 257,262 ----
 
         tftpfile->iodesc = io = socktodesc(*(int *) (f->f_devdata));
+       if (io == NULL)
+               return (EINVAL);
         io->destip = servip;
         tftpfile->off = 0;

(I suppose I could have included this earlier.  Ugh.)

Jim Browne                                                jbrowne@jbrowne.com
    "We lost our lease.  You lose culture" - sign on SF Arts Comission Bldg


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message