tftp: don't implicity trust the format of recevied packets
authorGrant Likely <grant.likely@secretlab.ca>
Thu, 30 Aug 2007 00:26:24 +0000 (18:26 -0600)
committerWolfgang Denk <wd@denx.de>
Thu, 30 Aug 2007 07:16:16 +0000 (09:16 +0200)
The TFTP OACK code trusts that the incoming packet is formatted as
ASCII text and can be processed by string functions. It also has a
loop limit overflow bug where if the packet length is less than 8, it
ends up looping over *all* of memory to find the 'blksize' string.

This patch solves the problem by forcing the packet to be null
terminated and using strstr() to search for the sub string.

Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
net/tftp.c

index fb2f50564e9d0bda8760c3cb6cfd047d54c65c76..27f5e88be830f6dfb1873deca9e3605d3a9b34b1 100644 (file)
@@ -238,9 +238,9 @@ TftpSend (void)
 static void
 TftpHandler (uchar * pkt, unsigned dest, unsigned src, unsigned len)
 {
+       char * blksize;
        ushort proto;
        ushort *s;
-       int i;
 
        if (dest != TftpOurPort) {
 #ifdef CONFIG_MCAST_TFTP
@@ -272,22 +272,22 @@ TftpHandler (uchar * pkt, unsigned dest, unsigned src, unsigned len)
 
        case TFTP_OACK:
 #ifdef ET_DEBUG
-               printf("Got OACK: %s %s\n", pkt, pkt+strlen(pkt)+1);
+               printf("Got OACK:\n");
+               print_buffer (0, pkt, 1, len, 16);
 #endif
                TftpState = STATE_OACK;
                TftpServerPort = src;
+
                /* Check for 'blksize' option */
-               for (i=0;i<len-8;i++) {
-                       if (strcmp ((char*)pkt+i,"blksize") == 0) {
-                               TftpBlkSize = (unsigned short)
-                                       simple_strtoul((char*)pkt+i+8,NULL,10);
+               pkt[len] = 0; /* NULL terminate so string ops work */
+               blksize = strstr((char*)pkt, "blksize");
+               if ((blksize) && (blksize + 8 < (char*)pkt + len)) {
+                       TftpBlkSize = simple_strtoul(blksize + 8, NULL, 10);
 #ifdef ET_DEBUG
-                               printf ("Blocksize ack: %s, %d\n",
-                                       (char*)pkt+i+8,TftpBlkSize);
+                       printf("Blocksize ack: %d\n", TftpBlkSize);
 #endif
-                               break;
-                       }
                }
+
 #ifdef CONFIG_MCAST_TFTP
                parse_multicast_oack((char *)pkt,len-1);
                if ((Multicast) && (!MasterClient))
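Review bot: The `strstr((char*)pkt, "blksize")` lookup on the new side stops at the first NUL byte, so a 'blksize' option that is not the first option in the OACK is no longer found and TftpBlkSize silently keeps its previous value; the removed per-offset strcmp loop (and the removed debug printf that printed `pkt` and `pkt+strlen(pkt)+1` as two strings) shows the payload is a sequence of NUL-separated option/value strings, which a single strstr from the start cannot scan. A bounded offset loop keeps both the overflow fix and the multi-option search: `for (i = 0; i + 8 < len; i++)` with `if (strcmp((char *)pkt + i, "blksize") == 0)` and the value parsed from `pkt + i + 8` as before; this needs the `int i` declaration that the first hunk removes. Separately, `pkt[len] = 0` writes one byte past the received payload, which is only safe if the caller's receive buffer is guaranteed to be larger than len — that assumption is worth stating in the comment, e.g. `/* NUL-terminate so string ops stop inside the packet; relies on the rx buffer having a spare byte past len */`, or guarding with a check against the buffer size if one is available. TftpHandler starts in the first hunk and continues past this one.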