abc/lwip
1
0
Fork 0
mirror of https://git.savannah.nongnu.org/git/lwip.git synced 2025-08-05 05:54:37 +08:00
Code Issues Packages Projects Releases Wiki Activity

Fix bug #50534: TFTP server does not copy terminating null of filename

Browse Source 
Patch by David Rodgers
This commit is contained in:
Dirk Ziegelmeier 2017-03-13 21:26:06 +01:00
parent cb1a271c61
commit 59973c96e4
1 changed files with 417 additions and 417 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/apps/tftp/tftp_server.c
View File

@ -226,8 +226,8 @@ recv(void *arg, struct udp_pcb *upcb, struct pbuf *p, const ip_addr_t *addr, u16
case PP_HTONS(TFTP_WRQ): case PP_HTONS(TFTP_WRQ):
{ {
const char tftp_null = 0; const char tftp_null = 0;
char filename[TFTP_MAX_FILENAME_LEN]; char filename[TFTP_MAX_FILENAME_LEN+1];
char mode[TFTP_MAX_MODE_LEN]; char mode[TFTP_MAX_MODE_LEN+1];
u16_t filename_end_offset; u16_t filename_end_offset;
u16_t mode_end_offset; u16_t mode_end_offset;
@ -240,11 +240,11 @@ recv(void *arg, struct udp_pcb *upcb, struct pbuf *p, const ip_addr_t *addr, u16
/* find \0 in pbuf -> end of filename string */ /* find \0 in pbuf -> end of filename string */
filename_end_offset = pbuf_memfind(p, &tftp_null, sizeof(tftp_null), 2); filename_end_offset = pbuf_memfind(p, &tftp_null, sizeof(tftp_null), 2);
if((u16_t)(filename_end_offset-2) > sizeof(filename)) { if((u16_t)(filename_end_offset-1) > sizeof(filename)) {
send_error(addr, port, TFTP_ERROR_ACCESS_VIOLATION, "Filename too long/not NULL terminated"); send_error(addr, port, TFTP_ERROR_ACCESS_VIOLATION, "Filename too long/not NULL terminated");
break; break;
} }
pbuf_copy_partial(p, filename, filename_end_offset-2, 2); pbuf_copy_partial(p, filename, filename_end_offset-1, 2);
/* find \0 in pbuf -> end of mode string */ /* find \0 in pbuf -> end of mode string */
mode_end_offset = pbuf_memfind(p, &tftp_null, sizeof(tftp_null), filename_end_offset+1); mode_end_offset = pbuf_memfind(p, &tftp_null, sizeof(tftp_null), filename_end_offset+1);