summaryrefslogtreecommitdiff
path: root/net/tftp.c
diff options
context:
space:
mode:
authorGrant Likely <grant.likely@secretlab.ca>2007-08-29 18:26:24 -0600
committerWolfgang Denk <wd@denx.de>2007-08-30 09:16:16 +0200
commit8f1bc28408ded213418d9bc0780c7d8fb8a03774 (patch)
treefbc2ccfd74de779645192fdcafd1a1e09f92bb85 /net/tftp.c
parentd4a68f40a0389bb688477acfd23e957cb19443ad (diff)
downloadu-boot-8f1bc28408ded213418d9bc0780c7d8fb8a03774.tar.gz
tftp: don't implicity trust the format of recevied packets
The TFTP OACK code trusts that the incoming packet is formated as ASCII text and can be processed by string functions. It also has a loop limit overflow bug where if the packet length is less than 8, it ends up looping over *all* of memory to find the 'blksize' string. This patch solves the problem by forcing the packet to be null terminated and using strstr() to search for the sub string. Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Diffstat (limited to 'net/tftp.c')
-rw-r--r--net/tftp.c20
1 files changed, 10 insertions, 10 deletions
diff --git a/net/tftp.c b/net/tftp.c
index fb2f50564e..27f5e88be8 100644
--- a/net/tftp.c
+++ b/net/tftp.c
@@ -238,9 +238,9 @@ TftpSend (void)
static void
TftpHandler (uchar * pkt, unsigned dest, unsigned src, unsigned len)
{
+ char * blksize;
ushort proto;
ushort *s;
- int i;
if (dest != TftpOurPort) {
#ifdef CONFIG_MCAST_TFTP
@@ -272,22 +272,22 @@ TftpHandler (uchar * pkt, unsigned dest, unsigned src, unsigned len)
case TFTP_OACK:
#ifdef ET_DEBUG
- printf("Got OACK: %s %s\n", pkt, pkt+strlen(pkt)+1);
+ printf("Got OACK:\n");
+ print_buffer (0, pkt, 1, len, 16);
#endif
TftpState = STATE_OACK;
TftpServerPort = src;
+
/* Check for 'blksize' option */
- for (i=0;i<len-8;i++) {
- if (strcmp ((char*)pkt+i,"blksize") == 0) {
- TftpBlkSize = (unsigned short)
- simple_strtoul((char*)pkt+i+8,NULL,10);
+ pkt[len] = 0; /* NULL terminate so string ops work */
+ blksize = strstr((char*)pkt, "blksize");
+ if ((blksize) && (blksize + 8 < (char*)pkt + len)) {
+ TftpBlkSize = simple_strtoul(blksize + 8, NULL, 10);
#ifdef ET_DEBUG
- printf ("Blocksize ack: %s, %d\n",
- (char*)pkt+i+8,TftpBlkSize);
+ printf("Blocksize ack: %d\n", TftpBlkSize);
#endif
- break;
- }
}
+
#ifdef CONFIG_MCAST_TFTP
parse_multicast_oack((char *)pkt,len-1);
if ((Multicast) && (!MasterClient))