
tftp: don't implicity trust the format of recevied packets

The TFTP OACK code trusts that the incoming packet is formatted as
ASCII text and can be processed by string functions. It also has a
loop limit overflow bug: if the packet length is less than 8, it
ends up looping over *all* of memory to find the 'blksize' string.

This patch solves the problem by forcing the packet to be null
terminated and using strstr() to search for the sub string.

Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
Grant Likely
2007-08-29 18:26:24 -06:00
committed by Wolfgang Denk
parent d4a68f40a0
commit 8f1bc28408


@@ -238,9 +238,9 @@ TftpSend (void)
static void static void
TftpHandler (uchar * pkt, unsigned dest, unsigned src, unsigned len) TftpHandler (uchar * pkt, unsigned dest, unsigned src, unsigned len)
{ {
char * blksize;
ushort proto; ushort proto;
ushort *s; ushort *s;
int i;
if (dest != TftpOurPort) { if (dest != TftpOurPort) {
#ifdef CONFIG_MCAST_TFTP #ifdef CONFIG_MCAST_TFTP
@@ -272,22 +272,22 @@ TftpHandler (uchar * pkt, unsigned dest, unsigned src, unsigned len)
case TFTP_OACK: case TFTP_OACK:
#ifdef ET_DEBUG #ifdef ET_DEBUG
printf("Got OACK: %s %s\n", pkt, pkt+strlen(pkt)+1); printf("Got OACK:\n");
print_buffer (0, pkt, 1, len, 16);
#endif #endif
TftpState = STATE_OACK; TftpState = STATE_OACK;
TftpServerPort = src; TftpServerPort = src;
/* Check for 'blksize' option */ /* Check for 'blksize' option */
for (i=0;i<len-8;i++) { pkt[len] = 0; /* NULL terminate so string ops work */
if (strcmp ((char*)pkt+i,"blksize") == 0) { blksize = strstr((char*)pkt, "blksize");
TftpBlkSize = (unsigned short) if ((blksize) && (blksize + 8 < (char*)pkt + len)) {
simple_strtoul((char*)pkt+i+8,NULL,10); TftpBlkSize = simple_strtoul(blksize + 8, NULL, 10);
#ifdef ET_DEBUG #ifdef ET_DEBUG
printf ("Blocksize ack: %s, %d\n", printf("Blocksize ack: %d\n", TftpBlkSize);
(char*)pkt+i+8,TftpBlkSize);
#endif #endif
break;
}
} }
#ifdef CONFIG_MCAST_TFTP #ifdef CONFIG_MCAST_TFTP
parse_multicast_oack((char *)pkt,len-1); parse_multicast_oack((char *)pkt,len-1);
if ((Multicast) && (!MasterClient)) if ((Multicast) && (!MasterClient))