Parcourir la source

[tftp] Guard against invalid data block numbers

A TFTP DATA packet with a block number of zero (representing a
negative offset within the file) could potentially cause problems.
Fixed by explicitly rejecting such packets.

Identified by Stefan Hajnoczi <stefanha@gmail.com>.
tags/v0.9.7
Michael Brown il y a 16 ans
Parent
révision
6711ce18a7
1 fichiers modifiés avec 5 ajouts et 0 suppressions
  1. 5
    0
      src/net/udp/tftp.c

+ 5
- 0
src/net/udp/tftp.c Voir le fichier

@@ -741,6 +741,11 @@ static int tftp_rx_data ( struct tftp_request *tftp,
741 741
 		rc = -EINVAL;
742 742
 		goto done;
743 743
 	}
744
+	if ( data->block == 0 ) {
745
+		DBGC ( tftp, "TFTP %p received data block 0\n", tftp );
746
+		rc = -EINVAL;
747
+		goto done;
748
+	}
744 749
 
745 750
 	/* Extract data */
746 751
 	block = ( ntohs ( data->block ) - 1 );

Chargement…
Annuler
Enregistrer