Diffstat (limited to 'networking/tftp.c')
-rw-r--r--networking/tftp.c21
1 files changed, 16 insertions, 5 deletions
diff --git a/networking/tftp.c b/networking/tftp.c
index 630fdaf9a..7c0ee58d7 100644
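--- a/networking/tftp.c
+++ b/networking/tftp.c
@@ -117,8 +117,10 @@ struct globals {
  /* u16 TFTP_ERROR; u16 reason; both network-endian, then error text: */
  uint8_t error_pkt[4 + 32];
  struct passwd *pw;
- /* used in tftpd_main(), a bit big for stack: */
- char block_buf[TFTP_BLKSIZE_DEFAULT];
+ /* Used in tftpd_main() for initial packet */
+ /* Some HP PA-RISC firmware always sends fixed 516-byte requests */
+ char block_buf[516];
+ char block_buf_tail[1];
 #if ENABLE_FEATURE_TFTP_PROGRESS_BAR
  off_t pos;
  off_t size;
@@ -793,14 +795,16 @@ int tftpd_main(int argc UNUSED_PARAM, char **argv)
  xchroot(argv[0]);
  }
 
- result = recv_from_to(STDIN_FILENO, G.block_buf, sizeof(G.block_buf),
+ result = recv_from_to(STDIN_FILENO,
+ G.block_buf, sizeof(G.block_buf) + 1,
+ /* ^^^ sizeof+1 to reliably detect oversized input */
  0 /* flags */,
  &peer_lsa->u.sa, &our_lsa->u.sa, our_lsa->len);
 
  error_msg = "malformed packet";
  opcode = ntohs(*(uint16_t*)G.block_buf);
- if (result < 4 || result >= sizeof(G.block_buf)
- || G.block_buf[result-1] != '\0'
+ if (result < 4 || result > sizeof(G.block_buf)
+ /*|| G.block_buf[result-1] != '\0' - bug compatibility, see below */
  || (IF_FEATURE_TFTP_PUT(opcode != TFTP_RRQ) /* not download */
  IF_GETPUT(&&)
  IF_FEATURE_TFTP_GET(opcode != TFTP_WRQ) /* not upload */
@@ -808,6 +812,13 @@ int tftpd_main(int argc UNUSED_PARAM, char **argv)
  ) {
  goto err;
  }
+ /* Some HP PA-RISC firmware always sends fixed 516-byte requests,
+ * with trailing garbage.
+ * Support that by not requiring NUL to be the last byte (see above).
+ * To make strXYZ() ops safe, force NUL termination:
+ */
+ G.block_buf_tail[0] = '\0';
+
  local_file = G.block_buf + 2;
  if (local_file[0] == '.' || strstr(local_file, "/.")) {
  error_msg = "dot in file name";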
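Review bot: The forced terminator `G.block_buf_tail[0] = '\0'` sits at the fixed offset 516 rather than at the received length, so for a request shorter than 516 bytes that carries no NUL, the `strstr(local_file, "/.")` just below (and any later string parsing, which is outside these hunks) reads on past `result` into bytes the peer never sent. Unless the buffer is known to be zeroed at this point, which the visible lines do not show, clearing the unreceived part right after the length check would bound parsing to the packet: `memset(G.block_buf + result, 0, sizeof(G.block_buf) - result);`. Separately, receiving `sizeof(G.block_buf) + 1` bytes through `G.block_buf` depends on `block_buf_tail` being laid out directly after `block_buf` in `struct globals`; a comment on the two members such as `/* block_buf_tail must stay immediately after block_buf: recv writes sizeof+1 bytes */` would protect that assumption from a later reordering. The body of tftpd_main starts and ends outside these hunks.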