From mboxrd@z Thu Jan 1 00:00:00 1970 From: Robin Farine To: Fabrice Gautier Cc: "'Jonathan Larmour'" , "Ecos-List (E-mail)" Subject: Re: [ECOS] Redboot network setup Date: Fri, 14 Sep 2001 00:17:00 -0000 Message-id: <864rq6uu5l.fsf@halftrack.hq.acn-group.ch> References: X-SW-Source: 2001-09/msg00340.html Shouldn't the error case call eth_drv_msg_put(ð_msg_free, msg)? + if(msg->len > len || msg->len < 14){ + diag_printf("ETHERNET PACKET ERROR: msg->len <0 or > len\n"); + eth_drv_msg_put(ð_msg_free, msg); + return 0; + } Robin Fabrice Gautier writes: > > From: Jonathan Larmour [ mailto:jlarmour@redhat.com ] > > Subject: Re: [ECOS] Redboot network setup > > > > There shouldn't be anything needing a timeout on a > > non-blocking read. In the other ports you're looking at it's only the > non-virtual > > vector blocking read functions that have these timeouts. > > Right, > > I think I found another problem which caused Redboot to hang. It seems that > the size of the Ethernet packets are not checked before being used as > arguments for memcopy in eth_drv_read. There is also a "len" argument in > this function which is not used. I did this modification: > > Index: eth_drv.c > =================================================================== > RCS file: /cvs/ecos/ecos/packages/io/eth/current/src/stand_alone/eth_drv.c,v > retrieving revision 1.10 > diff -u -r1.10 eth_drv.c > --- eth_drv.c 2001/08/17 16:37:36 1.10 > +++ eth_drv.c 2001/09/14 01:59:47 > @@ -341,6 +341,10 @@ > msg = eth_drv_msg_get(ð_msg_full); > if (msg) { > memcpy(eth_hdr, msg->data, 14); > + if(msg->len > len || msg->len < 14){ > + diag_printf("ETHERNET PACKET ERROR: msg->len <0 or > > len\n"); > + return 0; > + } > memcpy(buf, &msg->data[14], msg->len-14); > eth_drv_msg_put(ð_msg_free, msg); > res = msg->len; > > > and it seems to works somewhat...