On 08-Dec-00 Jim Browne wrote:
> At 16:02 -0800 12/7/00, Jim Browne wrote:
>>When TFTP tries to open a file, it is expecting struct open_file 
>>member f_devdata to be a pointer to a socket number.  When currdev 
>>is "pxe", that assumption is correct.  When currdev is "disk*", that 
>>assumption is incorrect.  Specifically, tftp.c does:
>>
>>tftpfile->iodesc = io = socktodesc(*(int *) (f->f_devdata));
>>
>>In my case, that often winds up making tftpfile->iodesc = 0.  That 
>>parameter is later passed in tftp_makereq to sendrecv as the iodesc, 
>>which via sendudp (and possibly the ARP functions) winds up calling 
>>netif_put.  netif_put derefs the bogus iodesc to get a function 
>>pointer for the put function of the network interface and calls it. 
>>WHAM.  QED. :)
> 
> How does this look?
> 
> *** tftp.c      Thu Dec  7 16:20:02 2000
> --- tftp2.c     Thu Dec  7 16:20:55 2000
> *************** tftp_open(path, f)
> *** 257,260 ****
> --- 257,262 ----
>  
>          tftpfile->iodesc = io = socktodesc(*(int *) (f->f_devdata));
> +       if (io == NULL)
> +               return (EINVAL);
>          io->destip = servip;
>          tftpfile->off = 0;
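
Review bot: the NULL test added after the socktodesc() call only covers the case where the misread value maps to no descriptor. The `*(int *) (f->f_devdata)` on the line above has already been evaluated, and when the current device is not a network device that int can just as well be a valid socket number, in which case io is non-NULL and `io->destip = servip` writes into an unrelated descriptor. Consider verifying that the open file belongs to a network device (and that f_devdata is non-NULL) before the cast, and keeping this check as a second guard. Also confirm that nothing set up earlier in tftp_open is leaked by the early return, since tftpfile is already in use at this point.
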
> 
> (I suppose I could have included this earlier.  Ugh.)

Looks fine to me..

-- 

John Baldwin <[EMAIL PROTECTED]> -- http://www.FreeBSD.org/~jhb/
PGP Key: http://www.baldwin.cx/~john/pgpkey.asc
"Power Users Use the Power to Serve!"  -  http://www.FreeBSD.org/
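
The type confusion described in the quoted message, as an added example that is not part of the original thread or the FreeBSD source: a simplified C model in which `f_devtype`, `struct disk_priv`, `NSOCKETS` and both `open_*` functions are assumptions made for illustration. It shows that a NULL check alone still accepts disk data that happens to look like a valid socket number, while a device-type check made before the cast rejects it.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the loader structures named in the thread. */
enum dev_type { DEV_DISK, DEV_NET };   /* hypothetical device tag */
struct iodesc { int destip; };
struct open_file {
    enum dev_type f_devtype;           /* hypothetical field */
    void *f_devdata;                   /* meaning depends on the device */
};
struct disk_priv { int unit; int slice; };  /* constructed disk devdata */

#define NSOCKETS 4
static struct iodesc sockets[NSOCKETS];

/* Socket number to descriptor; NULL when the number is out of range. */
static struct iodesc *socktodesc(int sock)
{
    return (sock < 0 || sock >= NSOCKETS) ? NULL : &sockets[sock];
}

/* The patched logic: only a NULL descriptor is rejected. */
int open_null_check_only(struct open_file *f, int servip)
{
    struct iodesc *io = socktodesc(*(int *)f->f_devdata);
    if (io == NULL)
        return EINVAL;
    io->destip = servip;               /* writes into a real socket slot */
    return 0;
}

/* Reject non-network devices before f_devdata is interpreted at all. */
int open_type_checked(struct open_file *f, int servip)
{
    if (f->f_devtype != DEV_NET || f->f_devdata == NULL)
        return EINVAL;
    return open_null_check_only(f, servip);
}

int main(void)
{
    struct disk_priv d = { 2, 0 };     /* first int looks like socket 2 */
    struct open_file disk = { DEV_DISK, &d };
    printf("null check only: %d\n", open_null_check_only(&disk, 7));
    printf("type checked:    %d\n", open_type_checked(&disk, 7));
    return 0;
}
```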

