[tftp] Guard against invalid data block numbers

A TFTP DATA packet with a block number of zero (representing a negative offset within the file) could potentially cause problems. Fixed by explicitly rejecting such packets. Identified by Stefan Hajnoczi <stefanha@gmail.com>.
author: Michael Brown 2009-02-01 14:07:17 +0100
committer: Michael Brown 2009-02-01 14:07:17 +0100
commit: 6711ce18a7fa134eb1322adb1d547a5ad02f86cf (patch)
tree: 8abb6d1eb5d7d7ebf9d9d2168000bcd5b8a9b41b /src/net/udp/tftp.c
parent: [dhcp] Split PXE menuing code out of dhcp.c (diff)
download: ipxe-6711ce18a7fa134eb1322adb1d547a5ad02f86cf.tar.gz
ipxe-6711ce18a7fa134eb1322adb1d547a5ad02f86cf.tar.xz
ipxe-6711ce18a7fa134eb1322adb1d547a5ad02f86cf.zip
1 files changed, 5 insertions, 0 deletions
diff --git a/src/net/udp/tftp.c b/src/net/udp/tftp.c
index 889362a1..13734b0f 100644
--- a/src/net/udp/tftp.c
+++ b/src/net/udp/tftp.c
@@ -741,6 +741,11 @@ static int tftp_rx_data ( struct tftp_request *tftp,
 		rc = -EINVAL;
 		goto done;
 	}
+	if ( data->block == 0 ) {
+		DBGC ( tftp, "TFTP %p received data block 0\n", tftp );
+		rc = -EINVAL;
+		goto done;
+	}
 
 	/* Extract data */
 	block = ( ntohs ( data->block ) - 1 );
author	Michael Brown	2009-02-01 14:07:17 +0100
committer	Michael Brown	2009-02-01 14:07:17 +0100
commit	6711ce18a7fa134eb1322adb1d547a5ad02f86cf (patch)
tree	8abb6d1eb5d7d7ebf9d9d2168000bcd5b8a9b41b /src/net/udp/tftp.c
parent	[dhcp] Split PXE menuing code out of dhcp.c (diff)
download	ipxe-6711ce18a7fa134eb1322adb1d547a5ad02f86cf.tar.gz ipxe-6711ce18a7fa134eb1322adb1d547a5ad02f86cf.tar.xz ipxe-6711ce18a7fa134eb1322adb1d547a5ad02f86cf.zip