X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=net%2Fnfs.c;h=aca0ca55f3f76749c8ff3d663b5d05eb68517b7e;hb=19096aba4f90d064e0f6327eeedce6b90f0aefd6;hp=83ed0a7c37c9af87b918f15e018853d70fb63d17;hpb=a73588fe481ffe39e3021decdc73a5b358f0776c;p=oweals%2Fu-boot.git diff --git a/net/nfs.c b/net/nfs.c index 83ed0a7c37..aca0ca55f3 100644 --- a/net/nfs.c +++ b/net/nfs.c @@ -196,10 +196,10 @@ static void rpc_req(int rpc_prog, int rpc_proc, uint32_t *data, int datalen) rpc_pkt.u.call.vers = htonl(2); /* portmapper is version 2 */ } rpc_pkt.u.call.proc = htonl(rpc_proc); - p = (uint32_t *)&(rpc_pkt.u.call.data); + p = rpc_pkt.u.call.data; if (datalen) - memcpy((char *)p, (char *)data, datalen*sizeof(uint32_t)); + memcpy(p, data, datalen * sizeof(uint32_t)); pktlen = (char *)p + datalen * sizeof(uint32_t) - (char *)&rpc_pkt; @@ -533,7 +533,7 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len) switch (ntohl(rpc_pkt.u.reply.data[0])) { /* Minimal supported NFS version */ case 3: - debug("*** Waring: NFS version not supported: Requested: V%d, accepted: min V%d - max V%d\n", + debug("*** Warning: NFS version not supported: Requested: V%d, accepted: min V%d - max V%d\n", (supported_nfs_versions & NFSV2_FLAG) ? 2 : 3, ntohl(rpc_pkt.u.reply.data[0]), @@ -566,11 +566,15 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len) } if (supported_nfs_versions & NFSV2_FLAG) { + if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + NFS_FHSIZE) > len) + return -NFS_RPC_DROP; memcpy(filefh, rpc_pkt.u.reply.data + 1, NFS_FHSIZE); } else { /* NFSV3_FLAG */ filefh3_length = ntohl(rpc_pkt.u.reply.data[1]); if (filefh3_length > NFS3_FHSIZE) filefh3_length = NFS3_FHSIZE; + if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + filefh3_length) > len) + return -NFS_RPC_DROP; memcpy(filefh, rpc_pkt.u.reply.data + 2, filefh3_length); } @@ -579,7 +583,7 @@ static int nfs_lookup_reply(uchar *pkt, unsigned len) static int nfs3_get_attributes_offset(uint32_t *data) { - if (ntohl(data[1]) != 0) { + if (data[1]) { /* 'attributes_follow' flag is TRUE, * so we have attributes on 21 dwords */ /* Skip unused values : @@ -634,6 +638,9 @@ static int nfs_readlink_reply(uchar *pkt, unsigned len) /* new path length */ rlen = ntohl(rpc_pkt.u.reply.data[1 + nfsv3_data_offset]); + if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len) + return -NFS_RPC_DROP; + if (*((char *)&(rpc_pkt.u.reply.data[2 + nfsv3_data_offset])) != '/') { int pathlen; @@ -701,6 +708,9 @@ static int nfs_read_reply(uchar *pkt, unsigned len) &(rpc_pkt.u.reply.data[4 + nfsv3_data_offset]); } + if (((uchar *)&(rpc_pkt.u.reply.data[0]) - (uchar *)(&rpc_pkt) + rlen) > len) + return -9999; + if (store_block(data_ptr, nfs_offset, rlen)) return -9999; @@ -732,6 +742,9 @@ static void nfs_handler(uchar *pkt, unsigned dest, struct in_addr sip, debug("%s\n", __func__); + if (len > sizeof(struct rpc_t)) + return; + if (dest != nfs_our_port) return; @@ -822,6 +835,8 @@ static void nfs_handler(uchar *pkt, unsigned dest, struct in_addr sip, case STATE_READ_REQ: rlen = nfs_read_reply(pkt, len); + if (rlen == -NFS_RPC_DROP) + break; net_set_timeout_handler(nfs_timeout, nfs_timeout_handler); if (rlen > 0) { nfs_offset += rlen; @@ -853,40 +868,29 @@ void nfs_start(void) if (nfs_path == NULL) { net_set_state(NETLOOP_FAIL); - debug("*** ERROR: Fail allocate memory\n"); + printf("*** ERROR: Fail allocate memory\n"); return; } - if (net_boot_file_name[0] == '\0') { + if (!net_parse_bootfile(&nfs_server_ip, nfs_path, + sizeof(nfs_path_buff))) { sprintf(nfs_path, "/nfsroot/%02X%02X%02X%02X.img", net_ip.s_addr & 0xFF, (net_ip.s_addr >> 8) & 0xFF, (net_ip.s_addr >> 16) & 0xFF, (net_ip.s_addr >> 24) & 0xFF); - debug("*** Warning: no boot file name; using '%s'\n", - nfs_path); - } else { - char *p = net_boot_file_name; - - p = strchr(p, ':'); - - if (p != NULL) { - nfs_server_ip = string_to_ip(net_boot_file_name); - ++p; - strcpy(nfs_path, p); - } else { - strcpy(nfs_path, net_boot_file_name); - } + printf("*** Warning: no boot file name; using '%s'\n", + nfs_path); } nfs_filename = basename(nfs_path); nfs_path = dirname(nfs_path); - debug("Using %s device\n", eth_get_name()); + printf("Using %s device\n", eth_get_name()); - debug("File transfer via NFS from server %pI4; our IP address is %pI4", - &nfs_server_ip, &net_ip); + printf("File transfer via NFS from server %pI4; our IP address is %pI4", + &nfs_server_ip, &net_ip); /* Check if we need to send across this subnet */ if (net_gateway.s_addr && net_netmask.s_addr) { @@ -894,19 +898,19 @@ void nfs_start(void) struct in_addr server_net; our_net.s_addr = net_ip.s_addr & net_netmask.s_addr; - server_net.s_addr = net_server_ip.s_addr & net_netmask.s_addr; + server_net.s_addr = nfs_server_ip.s_addr & net_netmask.s_addr; if (our_net.s_addr != server_net.s_addr) - debug("; sending through gateway %pI4", - &net_gateway); + printf("; sending through gateway %pI4", + &net_gateway); } - debug("\nFilename '%s/%s'.", nfs_path, nfs_filename); + printf("\nFilename '%s/%s'.", nfs_path, nfs_filename); if (net_boot_file_expected_size_in_blocks) { - debug(" Size is 0x%x Bytes = ", - net_boot_file_expected_size_in_blocks << 9); + printf(" Size is 0x%x Bytes = ", + net_boot_file_expected_size_in_blocks << 9); print_size(net_boot_file_expected_size_in_blocks << 9, ""); } - debug("\nLoad address: 0x%lx\nLoading: *\b", load_addr); + printf("\nLoad address: 0x%lx\nLoading: *\b", load_addr); net_set_timeout_handler(nfs_timeout, nfs_timeout_handler); net_set_udp_handler(nfs_handler);