From 37883e99fd791571c6771c9d1d8721a11e7e8a8f Mon Sep 17 00:00:00 2001
From: Stefan Hajnoczi
Date: Tue, 5 Jan 2010 08:05:32 +0000
Subject: [sanboot] Prevent leaking a stack reference for "keep-san" AoE

When the "keep-san" option is used, the function is exited without
unregistering the stack allocated int13h drive.  To prevent a dangling
pointer to the stack, these structs should be heap allocated.

Signed-off-by: Stefan Hajnoczi <stefanha@gmail.com>
Signed-off-by: Marty Connor <mdc@etherboot.org>
---
 src/arch/i386/interface/pcbios/aoeboot.c | 54 +++++++++++++++++++-------------
 1 file changed, 33 insertions(+), 21 deletions(-)

diff --git a/src/arch/i386/interface/pcbios/aoeboot.c b/src/arch/i386/interface/pcbios/aoeboot.c
index 8446c15f..2670b15d 100644
--- a/src/arch/i386/interface/pcbios/aoeboot.c
+++ b/src/arch/i386/interface/pcbios/aoeboot.c
@@ -1,11 +1,11 @@
 #include <stdint.h>
 #include <string.h>
+#include <stdlib.h>
 #include <stdio.h>
-#include <byteswap.h>
+#include <errno.h>
 #include <gpxe/aoe.h>
 #include <gpxe/ata.h>
 #include <gpxe/netdevice.h>
-#include <gpxe/settings.h>
 #include <gpxe/sanboot.h>
 #include <gpxe/abft.h>
 #include <int13.h>
@@ -13,50 +13,62 @@
 FILE_LICENCE ( GPL2_OR_LATER );
 
 static int aoeboot ( const char *root_path ) {
-	struct ata_device ata;
-	struct int13_drive drive;
+	struct ata_device *ata;
+	struct int13_drive *drive;
 	int rc;
 
-	memset ( &ata, 0, sizeof ( ata ) );
-	memset ( &drive, 0, sizeof ( drive ) );
+	ata = zalloc ( sizeof ( *ata ) );
+	if ( ! ata ) {
+		rc = -ENOMEM;
+		goto err_alloc_ata;
+	}
+	drive = zalloc ( sizeof ( *drive ) );
+	if ( ! drive ) {
+		rc = -ENOMEM;
+		goto err_alloc_drive;
+	}
 
 	/* FIXME: ugly, ugly hack */
 	struct net_device *netdev = last_opened_netdev();
 
-	if ( ( rc = aoe_attach ( &ata, netdev, root_path ) ) != 0 ) {
+	if ( ( rc = aoe_attach ( ata, netdev, root_path ) ) != 0 ) {
 		printf ( "Could not attach AoE device: %s\n",
 			 strerror ( rc ) );
-		goto error_attach;
+		goto err_attach;
 	}
-	if ( ( rc = init_atadev ( &ata ) ) != 0 ) {
+	if ( ( rc = init_atadev ( ata ) ) != 0 ) {
 		printf ( "Could not initialise AoE device: %s\n",
 			 strerror ( rc ) );
-		goto error_init;
+		goto err_init;
 	}
 
 	/* FIXME: ugly, ugly hack */
 	struct aoe_session *aoe =
-		container_of ( ata.backend, struct aoe_session, refcnt );
+		container_of ( ata->backend, struct aoe_session, refcnt );
 	abft_fill_data ( aoe );
 
-	drive.blockdev = &ata.blockdev;
+	drive->blockdev = &ata->blockdev;
 
-	register_int13_drive ( &drive );
-	printf ( "Registered as BIOS drive %#02x\n", drive.drive );
-	printf ( "Booting from BIOS drive %#02x\n", drive.drive );
-	rc = int13_boot ( drive.drive );
+	register_int13_drive ( drive );
+	printf ( "Registered as BIOS drive %#02x\n", drive->drive );
+	printf ( "Booting from BIOS drive %#02x\n", drive->drive );
+	rc = int13_boot ( drive->drive );
 	printf ( "Boot failed\n" );
 
 	/* Leave drive registered, if instructed to do so */
 	if ( keep_san() )
 		return rc;
 
-	printf ( "Unregistering BIOS drive %#02x\n", drive.drive );
-	unregister_int13_drive ( &drive );
+	printf ( "Unregistering BIOS drive %#02x\n", drive->drive );
+	unregister_int13_drive ( drive );
 
- error_init:
-	aoe_detach ( &ata );
- error_attach:
+ err_init:
+	aoe_detach ( ata );
+ err_attach:
+	free ( drive );
+ err_alloc_drive:
+	free ( ata );
+ err_alloc_ata:
 	return rc;
 }
 
-- 
cgit v1.2.3-55-g7522