diff options
| author | Michael Brown | 2009-02-01 14:07:17 +0100 |
|---|---|---|
| committer | Michael Brown | 2009-02-01 14:07:17 +0100 |
| commit | 6711ce18a7fa134eb1322adb1d547a5ad02f86cf (patch) | |
| tree | 8abb6d1eb5d7d7ebf9d9d2168000bcd5b8a9b41b | |
| parent | [dhcp] Split PXE menuing code out of dhcp.c (diff) | |
| download | ipxe-6711ce18a7fa134eb1322adb1d547a5ad02f86cf.tar.gz ipxe-6711ce18a7fa134eb1322adb1d547a5ad02f86cf.tar.xz ipxe-6711ce18a7fa134eb1322adb1d547a5ad02f86cf.zip | |
[tftp] Guard against invalid data block numbers
A TFTP DATA packet with a block number of zero (representing a
negative offset within the file) could potentially cause problems.
Fixed by explicitly rejecting such packets.
Identified by Stefan Hajnoczi <stefanha@gmail.com>.
| -rw-r--r-- | src/net/udp/tftp.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/src/net/udp/tftp.c b/src/net/udp/tftp.c index 889362a16..13734b0f5 100644 --- a/src/net/udp/tftp.c +++ b/src/net/udp/tftp.c @@ -741,6 +741,11 @@ static int tftp_rx_data ( struct tftp_request *tftp, rc = -EINVAL; goto done; } + if ( data->block == 0 ) { + DBGC ( tftp, "TFTP %p received data block 0\n", tftp ); + rc = -EINVAL; + goto done; + } /* Extract data */ block = ( ntohs ( data->block ) - 1 ); |