Fixed a bug whereby a received file whose length was a multiple of
512 bytes could have random garbage appended. Also, stop processing TFTP packets which are too short to be legal.
This commit is contained in:
Dan Fandrich
10
lib/tftp.c
10
lib/tftp.c
@@ -656,11 +656,20 @@ CURLcode Curl_tftp(struct connectdata *conn, bool *done)
|
|||||||
state->remote_addrlen = fromlen;
|
state->remote_addrlen = fromlen;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Sanity check packet length */
|
||||||
|
if (state->rbytes < 4)
|
||||||
|
{
|
||||||
|
failf(conn->data, "Received too short packet\n");
|
||||||
|
/* Not a timeout, but how best to handle it? */
|
||||||
|
event = TFTP_EVENT_TIMEOUT;
|
||||||
|
} else {
|
||||||
|
|
||||||
/* The event is given by the TFTP packet time */
|
/* The event is given by the TFTP packet time */
|
||||||
event = (tftp_event_t)ntohs(state->rpacket.event);
|
event = (tftp_event_t)ntohs(state->rpacket.event);
|
||||||
|
|
||||||
switch(event) {
|
switch(event) {
|
||||||
case TFTP_EVENT_DATA:
|
case TFTP_EVENT_DATA:
|
||||||
|
if (state->rbytes > 4)
|
||||||
Curl_client_write(data, CLIENTWRITE_BODY,
|
Curl_client_write(data, CLIENTWRITE_BODY,
|
||||||
(char *)state->rpacket.u.data.data, state->rbytes-4);
|
(char *)state->rpacket.u.data.data, state->rbytes-4);
|
||||||
break;
|
break;
|
||||||
@@ -681,6 +690,7 @@ CURLcode Curl_tftp(struct connectdata *conn, bool *done)
|
|||||||
Curl_pgrsUpdate(conn);
|
Curl_pgrsUpdate(conn);
|
||||||
|
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
/* Check for transfer timeout every 10 blocks, or after timeout */
|
/* Check for transfer timeout every 10 blocks, or after timeout */
|
||||||
if(check_time%10==0) {
|
if(check_time%10==0) {
|
||||||
|
|||||||
Reference in New Issue
Block a user