From 8df6b78746ee1f4f0bb750aec9c4da2fb31d3e33 Mon Sep 17 00:00:00 2001
From: Andrew Goodbody
Date: Wed, 14 Jan 2026 15:12:09 +0000
Subject: [PATCH] net: lwip: tftp: Do not write past buffer end
sprintf will add a trailing \0 so manually adding a trailing \0 will result in an extra unaccounted for character being written. This overwrote the first byte of the following allocation block resulting in unexpected behavior. This was found by Running 'pxe get' with no available file resulting in multiple attempts, using the default algorithm, to attempt to find a file. Eventually there would be a failed assert when free() was called. Failing the assert would result in a system reset.
Fixes: 27d7ccda94fa ("net: lwip: tftp: add support of blksize option to client")
Reported-by: Michal Simek
Tested-by: Michal Simek
Signed-off-by: Andrew Goodbody
Tested-by: Tom Rini # Pine64+
Reviewed-by: Jerome Forissier
Reviewed-by: Jerome Forissier
---
 lib/lwip/lwip/src/apps/tftp/tftp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/lwip/lwip/src/apps/tftp/tftp.c b/lib/lwip/lwip/src/apps/tftp/tftp.c
index ecb6c55ae11..25da952e925 100644
--- a/lib/lwip/lwip/src/apps/tftp/tftp.c
+++ b/lib/lwip/lwip/src/apps/tftp/tftp.c
@@ -191,7 +191,7 @@ send_request(const ip_addr_t *addr, u16_t port, u16_t opcode, const char* fname,
 MEMCPY(payload+2, fname, fname_length);
 MEMCPY(payload+2+fname_length, mode, mode_length);
 if (tftp_state.blksize)
- sprintf(payload+2+fname_length+mode_length, "blksize%c%d%c", 0, tftp_state.blksize, 0);
+ sprintf(payload+2+fname_length+mode_length, "blksize%c%d", 0, tftp_state.blksize);
 tftp_state.wait_oack = true;
 ret = udp_sendto(tftp_state.upcb, p, addr, port);
-- 2.47.3
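Review bot: The added `sprintf` line is still an unbounded write into the packet payload, so it is only safe if the length computed earlier in send_request (outside this hunk) matches the formatted option byte for byte, which is the invariant that broke in the original bug. A bounded call would turn any future mismatch into a detectable truncation instead of a one-byte heap overwrite: `snprintf(payload+2+fname_length+mode_length, OPT_SPACE, "blksize%c%d", 0, tftp_state.blksize);`, where OPT_SPACE is a placeholder for the bytes reserved for the option, and the return value is compared against it. At minimum the line deserves a comment such as `/* sprintf's terminating NUL is the option value terminator; do not append another */` so the explicit `%c` is not reintroduced. The declared type of `tftp_state.blksize` is not visible here, so it is worth confirming that it matches `%d`.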