From: Keir Fraser
Date: Wed, 9 Apr 2008 12:52:34 +0000 (+0100)
Subject: hvmloader: Fix parsing Etherboot roms to avoid an infinite loop.
X-Git-Tag: 3.3.0-rc1~243^2~51
X-Git-Url: http://xenbits.xensource.com/gitweb?a=commitdiff_plain;h=472f532c1d3d3aded20219a5adf9c245ecf9f61c;p=xen.git
hvmloader: Fix parsing Etherboot roms to avoid an infinite loop.
Signed-off-by: Yosuke Iwamatsu
Signed-off-by: Keir Fraser
---
diff --git a/tools/firmware/hvmloader/hvmloader.c b/tools/firmware/hvmloader/hvmloader.c
index 240185449e..361c5c190a 100644
--- a/tools/firmware/hvmloader/hvmloader.c
+++ b/tools/firmware/hvmloader/hvmloader.c
@@ -374,30 +374,31 @@ static int scan_etherboot_nic(void *copy_rom_dest)
 /* Check the PCI PnP header (if any) for a match. */
 pcih = (struct option_rom_pci_header *)
 ((char *)rom + rom->pci_header_offset);
- if ( (rom->pci_header_offset == 0) ||
- strncmp(pcih->signature, "PCIR", 4) ||
- (pcih->vendor_id != vendor_id) ||
- (pcih->device_id != device_id) )
- continue;
-
- /* Find the PnP expansion header (if any). */
- pnph = ((rom->expansion_header_offset != 0)
- ? ((struct option_rom_pnp_header *)
- ((char *)rom + rom->expansion_header_offset))
- : ((struct option_rom_pnp_header *)NULL));
- while ( (pnph != NULL) && strncmp(pnph->signature, "$PnP", 4) )
- pnph = ((pnph->next_header_offset != 0)
- ? ((struct option_rom_pnp_header *)
- ((char *)rom + pnph->next_header_offset))
- : ((struct option_rom_pnp_header *)NULL));
-
- goto found;
+ if ( (rom->pci_header_offset != 0) &&
+ !strncmp(pcih->signature, "PCIR", 4) &&
+ (pcih->vendor_id == vendor_id) &&
+ (pcih->device_id == device_id) )
+ goto found;
+
+ rom = (struct option_rom_header *)
+ ((char *)rom + rom->rom_size * 512);
 }
 }

 return 0;

 found:
+ /* Find the PnP expansion header (if any). */
+ pnph = ((rom->expansion_header_offset != 0)
+ ? ((struct option_rom_pnp_header *)
+ ((char *)rom + rom->expansion_header_offset))
+ : ((struct option_rom_pnp_header *)NULL));
+ while ( (pnph != NULL) && strncmp(pnph->signature, "$PnP", 4) )
+ pnph = ((pnph->next_header_offset != 0)
+ ? ((struct option_rom_pnp_header *)
+ ((char *)rom + pnph->next_header_offset))
+ : ((struct option_rom_pnp_header *)NULL));
+
 printf("Loading PXE ROM ...\n");
 if ( (pnph != NULL) && (pnph->manufacturer_name_offset != 0) )
 printf(" - Manufacturer: %s\n",
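Review bot: The PnP header walk now placed under `found:` can still fail to terminate, and can read outside the image, because `expansion_header_offset` and `next_header_offset` are taken from the ROM and used as pointer offsets with no comparison against `rom->rom_size * 512`. A header whose signature is not `$PnP` and whose `next_header_offset` leads back to a header already visited never leaves the `while`, which is the same class of hang this commit removes from the outer loop. The new advance `rom = ... + rom->rom_size * 512` likewise depends on the signature and size checks earlier in the loop body, which are outside this hunk, to stop before the end of the embedded image. A bounded walk is sketched below; `off` and `hops` would be new unsigned locals declared at the top of scan_etherboot_nic, which starts outside the hunk, and the hop limit of 16 is an arbitrary cap.

```c
 found:
    /*
     * Find the PnP expansion header (if any). Offsets are read from the
     * ROM image, so keep them inside it and cap the number of hops.
     */
    pnph = NULL;
    off = rom->expansion_header_offset;
    for ( hops = 0; (off != 0) && (hops < 16); hops++ )
    {
        if ( (off + sizeof(*pnph)) > (rom->rom_size * 512) )
            break;
        pnph = (struct option_rom_pnp_header *)((char *)rom + off);
        if ( !strncmp(pnph->signature, "$PnP", 4) )
            break;
        off = pnph->next_header_offset;
        pnph = NULL;
    }
    /* … unchanged: "Loading PXE ROM" banner and name printing … */
```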