From: Michael Brown Date: Sun, 1 Feb 2009 13:07:17 +0000 (+0000) Subject: [tftp] Guard against invalid data block numbers X-Git-Tag: v0.9.7~59 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6711ce18a7fa134eb1322adb1d547a5ad02f86cf;p=thirdparty%2Fipxe.git [tftp] Guard against invalid data block numbers A TFTP DATA packet with a block number of zero (representing a negative offset within the file) could potentially cause problems. Fixed by explicitly rejecting such packets. Identified by Stefan Hajnoczi . --- diff --git a/src/net/udp/tftp.c b/src/net/udp/tftp.c index 889362a16..13734b0f5 100644 --- a/src/net/udp/tftp.c +++ b/src/net/udp/tftp.c @@ -741,6 +741,11 @@ static int tftp_rx_data ( struct tftp_request *tftp, rc = -EINVAL; goto done; } + if ( data->block == 0 ) { + DBGC ( tftp, "TFTP %p received data block 0\n", tftp ); + rc = -EINVAL; + goto done; + } /* Extract data */ block = ( ntohs ( data->block ) - 1 );
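Review bot: The added test `if ( data->block == 0 )` in tftp_rx_data() compares the raw wire-format field, while the line right after it converts the same field with `ntohs ( data->block )` before use. The result is correct because zero is identical in either byte order, but the mixed treatment invites a mistake if the test is ever extended to a non-zero value. Writing it as `ntohs ( data->block ) == 0`, or adding a one-line comment that the comparison is byte-order independent, would make the intent explicit. The check also has no comment saying why block 0 is rejected. The reason (the `- 1` in the block calculation that follows would produce a negative offset) appears only in the commit message, and a short comment above the `if` would keep it with the code.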