[tftp] Guard against invalid data block numbers

A TFTP DATA packet with a block number of zero (representing a
negative offset within the file) could potentially cause problems.
Fixed by explicitly rejecting such packets.

Identified by Stefan Hajnoczi <stefanha@gmail.com>.

diff --git a/src/net/udp/tftp.c b/src/net/udp/tftp.c
index 889362a..13734b0 100644 (file)
--- a/src/net/udp/tftp.c
+++ b/src/net/udp/tftp.c
@@ -741,6 +741,11 @@ static int tftp_rx_data ( struct tftp_request *tftp,
                rc = -EINVAL;
                goto done;
        }
                rc = -EINVAL;
                goto done;
        }

+       if ( data->block == 0 ) {
+               DBGC ( tftp, "TFTP %p received data block 0\n", tftp );
+               rc = -EINVAL;
+               goto done;
+       }

 
        /* Extract data */
        block = ( ntohs ( data->block ) - 1 );
 
        /* Extract data */
        block = ( ntohs ( data->block ) - 1 );