Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
[tftp] Guard against invalid data block numbers
A TFTP DATA packet with a block number of zero (representing a
negative offset within the file) could potentially cause problems.
Fixed by explicitly rejecting such packets.

Identified by Stefan Hajnoczi <stefanha@gmail.com>.
  • Loading branch information
Michael Brown committed Feb 1, 2009
1 parent e65afc4 commit 6711ce1
Showing 1 changed file with 5 additions and 0 deletions.
5 changes: 5 additions & 0 deletions src/net/udp/tftp.c
Expand Up @@ -741,6 +741,11 @@ static int tftp_rx_data ( struct tftp_request *tftp,
rc = -EINVAL;
goto done;
}
if ( data->block == 0 ) {
DBGC ( tftp, "TFTP %p received data block 0\n", tftp );
rc = -EINVAL;
goto done;
}

/* Extract data */
block = ( ntohs ( data->block ) - 1 );
Expand Down

0 comments on commit 6711ce1

Please sign in to comment.