From: Daniel Stenberg <daniel@haxx.se>
Date: Tue, 13 Jan 2026 07:02:19 +0000 (+0100)
Subject: tftp: correct the filename length check
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=db86f2de9bd36e981e4962babf0ec979cf72d91f;p=thirdparty%2Fcurl.git

tftp: correct the filename length check

Reported-by: z2_
Bug: https://hackerone.com/reports/3508321
Closes #20283
---

diff --git a/lib/tftp.c b/lib/tftp.c
index 0c65c57c59..634f3006f0 100644
--- a/lib/tftp.c
+++ b/lib/tftp.c
@@ -697,16 +697,16 @@ static CURLcode tftp_send_first(struct tftp_conn *state,
     if(result)
       return result;
 
-    if(strlen(filename) > (state->blksize - strlen(mode) - 4)) {
+    if(strlen(filename) + strlen(mode) + 4 > state->blksize) {
       failf(data, "TFTP filename too long");
       curlx_free(filename);
       return CURLE_TFTP_ILLEGAL; /* too long filename field */
     }
 
-    curl_msnprintf((char *)state->spacket.data + 2,
-                   state->blksize,
-                   "%s%c%s%c", filename, '\0', mode, '\0');
-    sbytes = 4 + strlen(filename) + strlen(mode);
+    sbytes = 2 +
+      curl_msnprintf((char *)state->spacket.data + 2,
+                     state->blksize,
+                     "%s%c%s%c", filename, '\0', mode, '\0');
     curlx_free(filename);
 
     /* optional addition of TFTP options */