
The reason for this is that initrd_filesize is constantly equal to zero, or more specifically, potentially uninitialized memory.
I believe this was introduced in 085cbdafca9c3d7bc2f27523a343f61db82f2ccb ("pxe: simplify label_boot()"), diff here:
diff --git a/boot/pxe_utils.c b/boot/pxe_utils.c index b08aee9896..defbe465e4 100644 --- a/boot/pxe_utils.c +++ b/boot/pxe_utils.c @@ -532,11 +532,10 @@ static int label_boot(struct pxe_context *ctx, struct pxe_label *label) }
initrd_addr_str = env_get("ramdisk_addr_r"); - strcpy(initrd_filesize, simple_xtoa(size)); - - strncpy(initrd_str, initrd_addr_str, 18); - strcat(initrd_str, ":"); - strncat(initrd_str, initrd_filesize, 9); + size = snprintf(initrd_str, sizeof(initrd_str), "%s:%lx", + initrd_addr_str, size); + if (size >= sizeof(initrd_str)) + return 1; }
if (get_relfile_envaddr(ctx, label->kernel, "kernel_addr_r",
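Review bot: the removed `strcpy(initrd_filesize, simple_xtoa(size));` was the only write to `initrd_filesize` in this hunk, yet the variable is neither removed nor re-populated, so any later reader of it (the report above says there is one) sees whatever happened to be in that buffer, which is consistent with the "zero or uninitialized" value described. Either delete the variable together with its remaining uses, or keep filling it with a bounded write rather than the old unchecked `strcpy`, e.g. `snprintf(initrd_filesize, sizeof(initrd_filesize), "%lx", size);` with the same `>= sizeof` truncation check used for `initrd_str`. Related: `size = snprintf(initrd_str, ...)` overwrites the ramdisk size with the length of the formatted string, so once this line runs the real size is gone; if anything after this point still needs it (repopulating `initrd_filesize`, for instance), store the `snprintf` return value in a separate `int` instead of reusing `size`.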
The initrd_filesize completely disappears.
We re-copy the size information into initrd_filesize, maybe too naively; something may have to be done to reduce the overflow potential, if it exists at all.
 pxe_utils.c | 2 ++
 1 file changed, 2 insertions(+)
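As an added illustration (not the patch above and not U-Boot's own code), the following standalone C shows how the "<addr>:<hex size>" string and a separate size-only buffer can both be produced with bounded writes, keeping the ramdisk size in its own variable so it is not clobbered by the snprintf return value. Buffer sizes, the address string and the sizes used are constructed for this example and do not come from the mailing-list thread.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical buffer sizes chosen for this example, not U-Boot's. */
#define INITRD_STR_SZ   28   /* "<addr>:<hex size>" plus NUL */
#define INITRD_SIZE_SZ  9    /* up to 8 hex digits plus NUL */

/*
 * Format the ramdisk size into filesize[] and "<addr>:<hex size>" into
 * initrd_str[], each with a truncation check. The ramdisk size stays in
 * 'size'; the snprintf return values go into a separate 'n' so the size
 * is still available for the second write.
 * Returns 0 on success, 1 if either destination would be truncated.
 */
int build_initrd_args(char *initrd_str, size_t initrd_str_sz,
                      char *filesize, size_t filesize_sz,
                      const char *addr_str, unsigned long size)
{
    int n;

    /* Bounded replacement for the unchecked strcpy(initrd_filesize, ...). */
    n = snprintf(filesize, filesize_sz, "%lx", size);
    if (n < 0 || (size_t)n >= filesize_sz)
        return 1;

    /* Same shape as the patched label_boot(), with the size still intact. */
    n = snprintf(initrd_str, initrd_str_sz, "%s:%lx", addr_str, size);
    if (n < 0 || (size_t)n >= initrd_str_sz)
        return 1;

    return 0;
}

/* Constructed input for the demonstration; not from a real boot. */
static const char demo_addr[] = "0x88080000";

/* Both strings fit: returns 1 when the output matches what is expected. */
int demo_fits(void)
{
    char str[INITRD_STR_SZ], fsz[INITRD_SIZE_SZ];

    if (build_initrd_args(str, sizeof str, fsz, sizeof fsz,
                          demo_addr, 0x1234abcdUL))
        return 0;
    return strcmp(str, "0x88080000:1234abcd") == 0 &&
           strcmp(fsz, "1234abcd") == 0;
}

/* An over-long address string trips the initrd_str truncation check. */
int demo_addr_too_long(void)
{
    char str[INITRD_STR_SZ], fsz[INITRD_SIZE_SZ];

    return build_initrd_args(str, sizeof str, fsz, sizeof fsz,
                             "0x0123456789abcdef0123456789", 1UL);
}

/* A deliberately tiny filesize buffer trips the size truncation check. */
int demo_size_too_long(void)
{
    char str[INITRD_STR_SZ], fsz[INITRD_SIZE_SZ];

    return build_initrd_args(str, sizeof str, fsz, 4, demo_addr, 0x1234UL);
}

int main(void)
{
    printf("fits: %d, addr too long: %d, size too long: %d\n",
           demo_fits(), demo_addr_too_long(), demo_size_too_long());
    return 0;
}
```

The point of the separate `n` is the one a reviewer would raise against `size = snprintf(...)`: once the size variable holds the formatted length, nothing later in the function can recover the real ramdisk size.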