[syslinux:master] pxe: don't corrupt the length of an RRQ packet on retry

syslinux-bot for H. Peter Anvin hpa at linux.intel.com
Fri Jun 25 13:15:17 PDT 2010


Commit-ID:  d61a4a879b6a6a875b06e3cb461470b82b0ecb41
Gitweb:     http://syslinux.zytor.com/commit/d61a4a879b6a6a875b06e3cb461470b82b0ecb41
Author:     H. Peter Anvin <hpa at linux.intel.com>
AuthorDate: Fri, 25 Jun 2010 13:13:11 -0700
Committer:  H. Peter Anvin <hpa at linux.intel.com>
CommitDate: Fri, 25 Jun 2010 13:13:11 -0700

pxe: don't corrupt the length of an RRQ packet on retry

Due to double use of the variable "buf", we would end up corrupting
the length, but not the contents, of an RRQ packet if we ended up
having to re-send.  Some TFTP servers ignored the extra garbage
(including tftp-hpa), others would refuse to accept the RRQ, causing
failures.

Signed-off-by: H. Peter Anvin <hpa at linux.intel.com>


---
 core/fs/pxe/pxe.c |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/core/fs/pxe/pxe.c b/core/fs/pxe/pxe.c
index 369af5d..dd209fc 100644
--- a/core/fs/pxe/pxe.c
+++ b/core/fs/pxe/pxe.c
@@ -659,6 +659,7 @@ static void pxe_searchdir(const char *filename, struct file *file)
     int i = 0;
     int err;
     int buffersize;
+    int rrq_len;
     const uint8_t  *timeout_ptr;
     uint32_t timeout;
     uint32_t oldtime;
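Review bot: "int rrq_len;" in the declarations is a signed type for a value that is only ever a byte count and is later stored in udp_write.buffer_size. Declaring it with an unsigned type (size_t, or the type of buffer_size) would avoid an implicit signed conversion at that assignment and make it clear the value cannot be negative.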
@@ -743,6 +744,8 @@ static void pxe_searchdir(const char *filename, struct file *file)
     memcpy(buf, rrq_tail, sizeof rrq_tail);
     buf += sizeof rrq_tail;
 
+    rrq_len = buf - rrq_packet_buf;
+
     inode = allocate_socket(fs);
     if (!inode)
 	return;			/* Allocation failure */
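Review bot: the new "rrq_len = buf - rrq_packet_buf;" line has no comment saying why the length must be captured here rather than computed at sendreq. A one-line comment noting that buf is reused further down, so the RRQ length has to be saved once rrq_tail has been copied, would keep a later cleanup from folding the expression back into the send path. If rrq_packet_buf has a fixed size, this is also a cheap place to check that rrq_len does not exceed it, before the socket is allocated.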
@@ -787,7 +790,7 @@ sendreq:
     udp_write.gw        = gateway(udp_write.ip);
     udp_write.src_port  = tid;
     udp_write.dst_port  = server_port;
-    udp_write.buffer_size = buf - rrq_packet_buf;
+    udp_write.buffer_size = rrq_len;
     pxe_call(PXENV_UDP_WRITE, &udp_write);
 
     /* If the WRITE call fails, we let the timeout take care of it... */
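Review bot: at "udp_write.buffer_size = rrq_len;" the retry path no longer reads buf, but the double use of buf that the commit message names as the cause is left in place by this patch. Consider giving the later use its own pointer variable, so that nothing reached from the sendreq label can pick up a stale buf again.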


