From: Andrew Goodbody <andrew.goodbody@linaro.org>
Date: Wed, 14 Jan 2026 15:12:09 +0000 (+0000)
Subject: net: lwip: tftp: Do not write past buffer end
X-Git-Tag: v2026.04-rc2~23^2~9
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=8df6b78746ee1f4f0bb750aec9c4da2fb31d3e33;p=thirdparty%2Fu-boot.git

net: lwip: tftp: Do not write past buffer end

sprintf will add a trailing \0 so manually adding a trailing \0 will
result in an extra unaccounted for character being written. This
overwrote the first byte of the following allocation block resulting in
unexpected behavior.

This was found by Running 'pxe get' with no available file resulting in
multiple attempts, using the default algorithm, to attempt to find a file.
Eventually there would be a failed assert when free() was called.
Failing the assert would result in a system reset.

Fixes: 27d7ccda94fa ("net: lwip: tftp: add support of blksize option to client")
Reported-by: Michal Simek <michal.simek@amd.com>
Tested-by: Michal Simek <michal.simek@amd.com>

Signed-off-by: Andrew Goodbody <andrew.goodbody@linaro.org>
Tested-by: Tom Rini <trini@konsulko.com> # Pine64+
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
Reviewed-by: Jerome Forissier <jerome.forissier@arm.com>
---

diff --git a/lib/lwip/lwip/src/apps/tftp/tftp.c b/lib/lwip/lwip/src/apps/tftp/tftp.c
index ecb6c55ae11..25da952e925 100644
--- a/lib/lwip/lwip/src/apps/tftp/tftp.c
+++ b/lib/lwip/lwip/src/apps/tftp/tftp.c
@@ -191,7 +191,7 @@ send_request(const ip_addr_t *addr, u16_t port, u16_t opcode, const char* fname,
   MEMCPY(payload+2,              fname, fname_length);
   MEMCPY(payload+2+fname_length, mode,  mode_length);
   if (tftp_state.blksize)
-    sprintf(payload+2+fname_length+mode_length, "blksize%c%d%c", 0, tftp_state.blksize, 0);
+    sprintf(payload+2+fname_length+mode_length, "blksize%c%d", 0, tftp_state.blksize);
 
   tftp_state.wait_oack = true;
   ret = udp_sendto(tftp_state.upcb, p, addr, port);