[tftp] Guard against invalid data block numbers
author Michael Brown <mcb30@etherboot.org>
Sun, 1 Feb 2009 13:07:17 +0000 (13:07 +0000)
committer Michael Brown <mcb30@etherboot.org>
Sun, 1 Feb 2009 13:07:17 +0000 (13:07 +0000)
A TFTP DATA packet with a block number of zero (representing a
negative offset within the file) could potentially cause problems.
Fixed by explicitly rejecting such packets.

Identified by Stefan Hajnoczi <stefanha@gmail.com>.

src/net/udp/tftp.c

index 889362a..13734b0 100644 (file)
@@ -741,6 +741,11 @@ static int tftp_rx_data ( struct tftp_request *tftp,
                rc = -EINVAL;
                goto done;
        }
+       if ( data->block == 0 ) {
+               DBGC ( tftp, "TFTP %p received data block 0\n", tftp );
+               rc = -EINVAL;
+               goto done;
+       }
 
        /* Extract data */
        block = ( ntohs ( data->block ) - 1 );
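
Review bot: The added test `data->block == 0` compares the raw network-order field, while the extraction two lines below converts it with `ntohs ( data->block )`. The comparison is correct only because zero reads the same in either byte order; writing it as `ntohs ( data->block ) == 0` would keep both uses of the field consistent and avoid a byte-order bug if the test is ever changed to a nonzero value. A one-line comment above the check, stating that block 0 would make `block` underflow after the `- 1`, would also put the reason from the commit message next to the code.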