logpatch.asc (Network Supervisor's Toolkit.iso, patches/_310ptch/logpatch), text file dated 1996-07-10
BUG IN NETWARE 386 V3.1 LOGIN.EXE AND EXIT COMMAND:
The version of LOGIN.EXE shipped with NetWare 3.1 (VERSION
reports 3.08, 96171 bytes, 5/29/90, 1:52pm) has a bug in
processing the login script "EXIT" command, which can cause
system hangs with programs and device drivers that expand or
relocate the keyboard buffer.
Examples of programs that conflict with the new LOGIN are certain
versions of IRMA's E78 program (specifically the KYBDDRV.SYS
device driver) and the public domain program KBDBUFF.COM which
was published in a recent Microsoft Systems Journal.
Typically, if there is a conflict, it will appear after a
workstation logs into the network. After the user presses a few
keys, unpredictable results will occur as the keyboard buffer
overwrites BIOS variables (overwriting the video parameters can
cause some real neat effects).
TECHNICAL INFORMATION:
In the BIOS data segment at 40h, the BIOS keeps several
variables related to the keyboard buffer.
By default the keyboard buffer is a 32-byte circular buffer (16
two-byte keystroke slots) within this segment at offset 1Eh.
Separate BIOS variables define the physical start (word at
offset 80h) and end (word at offset 82h) of the buffer, as well
as the current logical head (word at offset 1Ah) and tail (word
at offset 1Ch) within the circular buffer. All four values are
offsets within segment 40h.
Programs that expand the keyboard buffer typically move the
physical buffer to another larger location in memory. This is
done by modifying the physical start and end offsets of the
buffer, and then initializing the head and tail pointers to the
start of the buffer.
However, the LOGIN.EXE program's EXIT command assumes that the
keyboard buffer is located at offset 1Eh within the BIOS data
area.
When the EXIT command is processed, the text string that follows
the EXIT command is stuffed into the buffer at that assumed
location, the head pointer is initialized to 1Eh, and the tail is
set to the end of the stuffed string. If the BIOS variables
define a different physical keyboard buffer, the tail pointer now
points into the BIOS data area, and the BIOS keyboard interrupt
handler appends every subsequent keystroke there (advancing until
it reaches the buffer end recorded at offset 82h). The BIOS data
area is therefore filled with somewhat random information from
the keyboard.
WHAT THE PATCH DOES
Fortunately, LOGIN.EXE can be patched to prevent this problem.
The following excerpt is the troublesome code within LOGIN.EXE:
1.) MOV BX,40h
MOV ES,BX
2.) MOV BX,1Ch
3.) MOV AX,WORD PTR [BP-6]
SHL AX,1
4.) ADD AX,1Eh
MOV WORD PTR ES:[BX],AX
5.) MOV BX,1Ah
MOV WORD PTR ES:[BX],1Eh
6.) MOV WORD PTR [BP-0Ah],1Eh
What's this code doing?
1.) The ES segment register is initialized to point to the BIOS
data area at segment 40h.
2.) BX is initialized to be a pointer to the logical tail of the
keyboard buffer (1Ch).
3.) The word at BP-6 is the length of the character string being
passed to the EXIT command. Since characters are stored as
two bytes in the keyboard buffer (ASCII code and scan code),
shifting this value to the left by one (same as multiplying
by two), produces the length of the string being stored in
the keyboard buffer.
4.) LOGIN.EXE assumes that the keyboard buffer begins at offset
1Eh within this segment. (This is the BIOS default.) To
compute the new tail of the buffer, the length of the string
being stored in the buffer is added to this assumed starting
offset. The computed tail of the buffer is stored in the
appropriate BIOS variable.
5.) The logical head of the keyboard (offset 1Ah) is initialized
to 1Eh (the assumed start of the keyboard buffer).
6.) A local variable of LOGIN.EXE (the word at BP-0Ah) is also
initialized to 1Eh, the assumed start of the keyboard
buffer.
So, we must patch LOGIN.EXE to read the physical starting
location of the keyboard buffer from the BIOS data area. The
offset of the start of the physical keyboard buffer is a word at
offset 80h of segment 40h.
The following replacement code, which is carefully constructed to
be the same size, does the trick:
1.) MOV BX,40h
MOV ES,BX
2.) MOV BL,1Ch
3.) MOV AX,WORD PTR [BP-6]
SHL AX,1
4.) ADD AX,WORD PTR ES:[80h]
MOV WORD PTR ES:[BX],AX
5.) DEC BX
DEC BX
6.) MOV AX,WORD PTR ES:[80h]
MOV WORD PTR ES:[BX],AX
7.) MOV WORD PTR [BP-0Ah],AX
1.) No change...included for clarity.
2.) To conserve a byte, only the lower byte of BL is initialized
to 1Ch. The high byte is already zero from instruction
sequence 1.
3.) No change.
4.) Rather than assuming the starting address of the keyboard
buffer, we use the physical starting offset defined by the
word at offset 80h. To compute the new tail of the buffer,
the length of the string being stored in the buffer is added
to this BIOS-defined starting offset. The computed tail of
the buffer is stored in the appropriate BIOS variable.
5.) Since BX already equals 1Ch, we can save a byte in setting
BX to 1Ah by issuing two DEC BX commands.
6.) We move the BIOS defined start of the physical keyboard
buffer to the AX register for easier retrieval. The logical
head of the buffer is then initialized to this same value.
7.) Same as item 6 of the original code, except that the
BIOS-defined start of the buffer (still in AX from step 6) is
stored rather than the assumed 1Eh.
Note that neither version checks the length of the EXIT string
against the buffer end at offset 82h; the patch corrects only the
assumption about where the buffer starts.
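The C program below is an added example, not part of this note and not Novell code. It models segment 40h together with the INT 09h (keystroke in) and INT 16h (keystroke out) bookkeeping described under TECHNICAL INFORMATION, then runs the EXIT stuffing through both the original and the patched logic. The relocated buffer location (40:1000h), the EXIT string "MENU" and the keystrokes typed afterwards are constructed inputs; the BIOS current-video-mode byte at 40:49h is used as the witness for the corruption described at the top of the note. The stuffing loop itself is not in the excerpt, so it is modelled here as writing the ASCII codes at the assumed (1Eh) or BIOS-defined (word at 80h) start.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* BIOS data area offsets (within segment 40h) named in the note; VIDEO_MODE is
   the standard current-video-mode byte, used as a corruption witness. */
#define KB_HEAD        0x1A
#define KB_TAIL        0x1C
#define KB_DEFAULT_BUF 0x1E   /* default buffer: 16 two-byte slots, 1Eh..3Dh */
#define KB_DEFAULT_LEN 32
#define VIDEO_MODE     0x49
#define KB_START       0x80
#define KB_END         0x82

static uint8_t seg40[0x10000];   /* whole 64K segment, so a relocated buffer fits */

static uint16_t rdw(uint16_t off) { return (uint16_t)(seg40[off] | (seg40[(uint16_t)(off + 1)] << 8)); }
static void wrw(uint16_t off, uint16_t v) { seg40[off] = (uint8_t)v; seg40[(uint16_t)(off + 1)] = (uint8_t)(v >> 8); }

/* Power-on defaults for the keyboard variables. */
void bios_reset(void) {
    memset(seg40, 0, sizeof seg40);
    wrw(KB_START, KB_DEFAULT_BUF);
    wrw(KB_END,   KB_DEFAULT_BUF + KB_DEFAULT_LEN);
    wrw(KB_HEAD,  KB_DEFAULT_BUF);
    wrw(KB_TAIL,  KB_DEFAULT_BUF);
    seg40[VIDEO_MODE] = 0x03;                      /* 80x25 colour text */
}

/* What a buffer expander (KBDBUFF.COM style) does: move the physical buffer. */
void expander_relocate(uint16_t start, uint16_t len_bytes) {
    wrw(KB_START, start);
    wrw(KB_END,   (uint16_t)(start + len_bytes));
    wrw(KB_HEAD,  start);
    wrw(KB_TAIL,  start);
}

/* INT 09h side: append one keystroke at the tail. Returns 0 if the buffer is full. */
int bios_int09_push(uint8_t ascii, uint8_t scan) {
    uint16_t tail = rdw(KB_TAIL), next = (uint16_t)(tail + 2);
    if (next == rdw(KB_END)) next = rdw(KB_START);
    if (next == rdw(KB_HEAD)) return 0;
    wrw(tail, (uint16_t)(ascii | (scan << 8)));
    wrw(KB_TAIL, next);
    return 1;
}

/* INT 16h side: remove one keystroke from the head. Returns 0 if empty. */
int bios_int16_pop(uint16_t *key) {
    uint16_t head = rdw(KB_HEAD);
    if (head == rdw(KB_TAIL)) return 0;
    *key = rdw(head);
    head = (uint16_t)(head + 2);
    if (head == rdw(KB_END)) head = rdw(KB_START);
    wrw(KB_HEAD, head);
    return 1;
}

/* EXIT stuffing as LOGIN.EXE 3.08 does it: the buffer is assumed to start at 1Eh. */
void login_exit_buggy(const char *s) {
    uint16_t n = (uint16_t)strlen(s);
    for (uint16_t i = 0; i < n; i++)
        wrw((uint16_t)(KB_DEFAULT_BUF + 2 * i), (uint8_t)s[i]);   /* ASCII, scan code 0 */
    wrw(KB_TAIL, (uint16_t)(KB_DEFAULT_BUF + 2 * n));   /* ADD AX,1Eh / MOV ES:[1Ch],AX */
    wrw(KB_HEAD, KB_DEFAULT_BUF);                        /* MOV WORD PTR ES:[1Ah],1Eh */
}

/* EXIT stuffing as the patched code does it: the start is read from 40:80h. */
void login_exit_patched(const char *s) {
    uint16_t n = (uint16_t)strlen(s), start = rdw(KB_START);
    for (uint16_t i = 0; i < n; i++)
        wrw((uint16_t)(start + 2 * i), (uint8_t)s[i]);
    wrw(KB_TAIL, (uint16_t)(start + 2 * n));             /* ADD AX,ES:[80h] / MOV ES:[BX],AX */
    wrw(KB_HEAD, start);                                 /* MOV AX,ES:[80h] / MOV ES:[BX],AX */
}

/* Scenario: optionally relocate the buffer (128 slots at 40:1000h, a constructed
   location), run EXIT "MENU" through one code path, then type `keys` keystrokes.
   Returns 1 if the video-mode byte at 40:49h was overwritten by keystroke data. */
int video_mode_clobbered(int patched, int relocated, int keys) {
    bios_reset();
    if (relocated) expander_relocate(0x1000, 256);
    if (patched) login_exit_patched("MENU"); else login_exit_buggy("MENU");
    for (int i = 0; i < keys; i++) bios_int09_push('x', 0x2D);   /* 'x' has scan code 2Dh */
    return seg40[VIDEO_MODE] != 0x03;
}

/* Same set-up, but check what the program started by EXIT reads back through INT 16h.
   Returns 1 if it sees exactly "MENU". */
int exit_string_intact(int patched, int relocated) {
    char got[8]; size_t n = 0; uint16_t key;
    bios_reset();
    if (relocated) expander_relocate(0x1000, 256);
    if (patched) login_exit_patched("MENU"); else login_exit_buggy("MENU");
    while (n < sizeof got - 1 && bios_int16_pop(&key)) got[n++] = (char)(key & 0xFF);
    got[n] = '\0';
    return strcmp(got, "MENU") == 0;
}

int main(void) {
    printf("buggy,   relocated buffer: EXIT string ok=%d, video mode clobbered after 24 keys=%d\n",
           exit_string_intact(0, 1), video_mode_clobbered(0, 1, 24));
    printf("patched, relocated buffer: EXIT string ok=%d, video mode clobbered after 24 keys=%d\n",
           exit_string_intact(1, 1), video_mode_clobbered(1, 1, 24));
    return 0;
}
```

The EXIT string itself reads back correctly in both cases, which is why the bug only shows up after the user presses a few more keys: with the buggy code the tail is left at 1Eh plus twice the string length, inside the BIOS data area, and each later keystroke is written two bytes further along until the video parameters are hit.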
OK, SO HOW DO I ACTUALLY APPLY THE PATCH
The patch is applied using the PATCH.EXE program found in other
patches here on NetWire. Hopefully Novell doesn't object to my
using it here.
The patch file, LOGPATCH, simply instructs PATCH.EXE to search
and replace the code as outlined above.
To apply the patch:
1.) Make a backup copy of LOGIN.EXE.
2.) Execute PATCH LOGIN.EXE LOGPATCH.
3.) Test it and make sure that it works for you.
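As an added example (not PATCH.EXE and not the LOGPATCH file, whose bytes are not reproduced in this note), the C program below performs the same-size search-and-replace that the three steps above describe. The two byte sequences are what a standard 8086 assembler emits for the listings in the previous section; that encoding is an assumption, since the actual bytes in LOGIN.EXE are not shown here. The tool refuses to patch unless the original sequence occurs exactly once, recognises an already-patched file, warns when the file is not the 96171-byte LOGIN.EXE 3.08 the note describes, and writes the backup before touching the original. Its self-check runs on a constructed image, not on LOGIN.EXE.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encodings of the two listings as a standard 8086 assembler emits them
   (assumed; the bytes of the real LOGPATCH file are not reproduced in the note). */
static const uint8_t ORIGINAL[] = {
    0xBB, 0x40, 0x00,             /* MOV  BX,40h                */
    0x8E, 0xC3,                   /* MOV  ES,BX                 */
    0xBB, 0x1C, 0x00,             /* MOV  BX,1Ch                */
    0x8B, 0x46, 0xFA,             /* MOV  AX,WORD PTR [BP-6]    */
    0xD1, 0xE0,                   /* SHL  AX,1                  */
    0x05, 0x1E, 0x00,             /* ADD  AX,1Eh                */
    0x26, 0x89, 0x07,             /* MOV  WORD PTR ES:[BX],AX   */
    0xBB, 0x1A, 0x00,             /* MOV  BX,1Ah                */
    0x26, 0xC7, 0x07, 0x1E, 0x00, /* MOV  WORD PTR ES:[BX],1Eh  */
    0xC7, 0x46, 0xF6, 0x1E, 0x00, /* MOV  WORD PTR [BP-0Ah],1Eh */
};
static const uint8_t PATCHED[] = {
    0xBB, 0x40, 0x00,             /* MOV  BX,40h                */
    0x8E, 0xC3,                   /* MOV  ES,BX                 */
    0xB3, 0x1C,                   /* MOV  BL,1Ch                */
    0x8B, 0x46, 0xFA,             /* MOV  AX,WORD PTR [BP-6]    */
    0xD1, 0xE0,                   /* SHL  AX,1                  */
    0x26, 0x03, 0x06, 0x80, 0x00, /* ADD  AX,WORD PTR ES:[80h]  */
    0x26, 0x89, 0x07,             /* MOV  WORD PTR ES:[BX],AX   */
    0x4B, 0x4B,                   /* DEC  BX / DEC  BX          */
    0x26, 0xA1, 0x80, 0x00,       /* MOV  AX,WORD PTR ES:[80h]  */
    0x26, 0x89, 0x07,             /* MOV  WORD PTR ES:[BX],AX   */
    0x89, 0x46, 0xF6,             /* MOV  WORD PTR [BP-0Ah],AX  */
};
_Static_assert(sizeof ORIGINAL == sizeof PATCHED, "replacement must be the same size");
#define PATCH_LEN (sizeof ORIGINAL)
#define LOGIN_308_SIZE 96171L   /* size of the LOGIN.EXE (VERSION 3.08) the note describes */

enum { PATCH_NOT_FOUND = -1, PATCH_AMBIGUOUS = -2, PATCH_ALREADY = -3, PATCH_VERIFY = -4 };

/* Offset of the unique occurrence of pat in img, or PATCH_NOT_FOUND / PATCH_AMBIGUOUS. */
long find_unique(const uint8_t *img, size_t len, const uint8_t *pat, size_t plen) {
    long found = PATCH_NOT_FOUND;
    for (size_t i = 0; plen && i + plen <= len; i++) {
        if (memcmp(img + i, pat, plen) != 0) continue;
        if (found >= 0) return PATCH_AMBIGUOUS;
        found = (long)i;
    }
    return found;
}

/* Same-size patch applied in place. Returns the patched offset or a negative code. */
long apply_patch(uint8_t *img, size_t len) {
    if (find_unique(img, len, PATCHED, PATCH_LEN) >= 0) return PATCH_ALREADY;
    long off = find_unique(img, len, ORIGINAL, PATCH_LEN);
    if (off >= 0) memcpy(img + off, PATCHED, PATCH_LEN);
    return off;
}

/* Self-check on a constructed image (not LOGIN.EXE): 100 NOPs, the original
   sequence, 50 INT 3s. Returns the patched offset (100) or a negative code. */
long patch_constructed_image(void) {
    uint8_t img[100 + 32 + 50];
    memset(img, 0x90, 100);
    memcpy(img + 100, ORIGINAL, PATCH_LEN);
    memset(img + 132, 0xCC, 50);
    long off = apply_patch(img, sizeof img);
    if (off != 100) return off;
    if (memcmp(img + 100, PATCHED, PATCH_LEN) != 0 || img[99] != 0x90 || img[132] != 0xCC)
        return PATCH_VERIFY;
    return apply_patch(img, sizeof img) == PATCH_ALREADY ? off : PATCH_VERIFY;
}

static int write_file(const char *path, const uint8_t *buf, size_t len) {
    FILE *f = fopen(path, "wb");
    int ok = f && fwrite(buf, 1, len, f) == len;
    if (f) fclose(f);
    return ok;
}

/* Steps 1 and 2 of the note: back up LOGIN.EXE first, then patch it in place. */
int patch_file(const char *path, const char *backup) {
    FILE *f = fopen(path, "rb");
    if (!f) { perror(path); return 1; }
    fseek(f, 0, SEEK_END);
    long len = ftell(f);
    rewind(f);
    uint8_t *img = len > 0 ? malloc((size_t)len) : NULL;
    int ok = img && fread(img, 1, (size_t)len, f) == (size_t)len;
    fclose(f);
    if (!ok) { fprintf(stderr, "%s: cannot read\n", path); free(img); return 1; }
    if (len != LOGIN_308_SIZE)
        fprintf(stderr, "warning: %s is %ld bytes, not the %ld-byte LOGIN.EXE 3.08 this patch targets\n",
                path, len, LOGIN_308_SIZE);
    if (!write_file(backup, img, (size_t)len)) { fprintf(stderr, "%s: cannot write backup\n", backup); free(img); return 1; }
    long off = apply_patch(img, (size_t)len);
    if (off < 0) {
        fprintf(stderr, "%s: %s\n", path, off == PATCH_ALREADY ? "already patched" :
                off == PATCH_AMBIGUOUS ? "code sequence not unique, refusing" : "code sequence not found (wrong version?)");
        free(img);
        return 1;
    }
    ok = write_file(path, img, (size_t)len);
    free(img);
    if (!ok) { fprintf(stderr, "%s: cannot write\n", path); return 1; }
    printf("patched %s at offset 0x%lX (backup: %s)\n", path, off, backup);
    return 0;
}

int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s LOGIN.EXE LOGIN.BAK\n", argv[0]); return 2; }
    return patch_file(argv[1], argv[2]);
}
```

The uniqueness check is the important safeguard: a search-and-replace patcher that silently rewrites the first of several matches, or matches nothing on a different LOGIN.EXE build, is how a "harmless" patch turns into a corrupted binary, so this version fails closed and leaves the file untouched in those cases.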
DISCLAIMERS
This is not a Novell supplied or supported patch, although I hope
that Novell will take notice and correct this problem in future
releases.
Also, you're trying the patch at your own risk. I'm not aware of
any potential side effects, and this document describes the patch
to the best of my knowledge.
Brett Warthen
(the original LAN Shark)