Fixed a bug whereby a received file whose length was a multiple of

512 bytes could have random garbage appended.  Also, stop processing TFTP
packets which are too short to be legal.

lib/tftp.c

@@ -656,11 +656,20 @@ CURLcode Curl_tftp(struct connectdata *conn, bool *done)
         state->remote_addrlen = fromlen;
       }
 
+      /* Sanity check packet length */
+      if (state->rbytes < 4)
+      {
+        failf(conn->data, "Received too short packet\n");
+        /* Not a timeout, but how best to handle it? */
+        event = TFTP_EVENT_TIMEOUT;
+      } else {
+
 	/* The event is given by the TFTP packet time */
 	event = (tftp_event_t)ntohs(state->rpacket.event);
 
 	switch(event) {
 	case TFTP_EVENT_DATA:
+	  if (state->rbytes > 4)
 	    Curl_client_write(data, CLIENTWRITE_BODY,
 			  (char *)state->rpacket.u.data.data, state->rbytes-4);
 	  break;
@@ -681,6 +690,7 @@ CURLcode Curl_tftp(struct connectdata *conn, bool *done)
 	Curl_pgrsUpdate(conn);
 
       }
+    }
 
     /* Check for transfer timeout every 10 blocks, or after timeout */
     if(check_time%10==0) {