[tftp] Guard against invalid data block numbers
A TFTP DATA packet with a block number of zero (representing a negative offset within the file) could potentially cause problems. Fixed by explicitly rejecting such packets. Identified by Stefan Hajnoczi <stefanha@gmail.com>.
parent
e65afc4b10
commit
6711ce18a7
|
@ -741,6 +741,11 @@ static int tftp_rx_data ( struct tftp_request *tftp,
|
||||||
rc = -EINVAL;
|
rc = -EINVAL;
|
||||||
goto done;
|
goto done;
|
||||||
}
|
}
|
||||||
|
if ( data->block == 0 ) {
|
||||||
|
DBGC ( tftp, "TFTP %p received data block 0\n", tftp );
|
||||||
|
rc = -EINVAL;
|
||||||
|
goto done;
|
||||||
|
}
|
||||||
|
|
||||||
/* Extract data */
|
/* Extract data */
|
||||||
block = ( ntohs ( data->block ) - 1 );
|
block = ( ntohs ( data->block ) - 1 );
|
||||||
|
|
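Review bot: The new test `data->block == 0` compares the raw wire-format field, while the extraction just below it converts the same field with `ntohs ( data->block )`. The result is still correct, because zero is identical in both byte orders, but the mismatch is easy to misread and easy to break if the bound ever changes to a non-zero value. Either add a one-line comment stating that the comparison is byte-order independent, or convert once into a local and test that value before computing `block`. A short comment explaining why block 0 is rejected (the subtraction of 1 would otherwise yield a negative offset, as the commit message says) would also help, since the debug message alone does not say why it is invalid.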