tftp: stricter option name checks

author Daniel Stenberg <daniel@haxx.se>

Tue, 12 May 2026 07:20:31 +0000 (09:20 +0200)

committer Daniel Stenberg <daniel@haxx.se>

Tue, 12 May 2026 08:26:20 +0000 (10:26 +0200)
author Daniel Stenberg <daniel@haxx.se>
Tue, 12 May 2026 07:20:31 +0000 (09:20 +0200)
committer Daniel Stenberg <daniel@haxx.se>
Tue, 12 May 2026 08:26:20 +0000 (10:26 +0200)
diff --git a/lib/tftp.c b/lib/tftp.c

index 6cc672d447bf22cbfde7a0124d0935662fb8a958..a088cd90466e4b25626b034a76f1cf73be2fb430 100644 (file)
--- a/lib/tftp.c
+++ b/lib/tftp.c
@@ -266,16 +266,19 @@ static CURLcode tftp_parse_option_ack(struct tftp_conn *state,
  
    while(tmp < ptr + len) {
      const char *option, *value;
+    size_t olen;
  
      tmp = tftp_option_get(tmp, ptr + len - tmp, &option, &value);
      if(!tmp) {
        failf(data, "Malformed ACK packet, rejecting");
        return CURLE_TFTP_ILLEGAL;
      }
+    olen = strlen(option);
  
      infof(data, "got option=(%s) value=(%s)", option, value);
  
-    if(checkprefix(TFTP_OPTION_BLKSIZE, option)) {
+    if((strlen(TFTP_OPTION_BLKSIZE) == olen) &&
+       checkprefix(TFTP_OPTION_BLKSIZE, option)) {
        curl_off_t blksize;
        if(curlx_str_number(&value, &blksize, TFTP_BLKSIZE_MAX)) {
          failf(data, "%s (%d)", "blksize is larger than max supported",
@@ -304,7 +307,8 @@ static CURLcode tftp_parse_option_ack(struct tftp_conn *state,
        infof(data, "blksize parsed from OACK (%u) requested (%u)",
              state->blksize, state->requested_blksize);
      }
-    else if(checkprefix(TFTP_OPTION_TSIZE, option)) {
+    else if((strlen(TFTP_OPTION_TSIZE) == olen) &&
+            checkprefix(TFTP_OPTION_TSIZE, option)) {
        curl_off_t tsize = 0;
        /* tsize should be ignored on upload: Who cares about the size of the
           remote file? */
author	Daniel Stenberg <daniel@haxx.se>
	Tue, 12 May 2026 07:20:31 +0000 (09:20 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Tue, 12 May 2026 08:26:20 +0000 (10:26 +0200)