Revert 368ceff6e0 and fix correct problem.

The next() function is broken for any TFTP packet with padding
which doesn't end with a zero.

Rewrite to handle such packets.

Thanks to Helge Deller <deller@gmx.de> for persisting in finding the
actual problem and proposing a solution. This patch is modelled on his,
but rewritten for personal preference by Simon Kelley, who is
responsible for all bugs.
This commit is contained in:
Simon Kelley
2025-03-01 22:43:23 +00:00
parent 5990074ab0
commit 9df1bd0cc1

@@ -360,7 +360,7 @@ void tftp_request(struct listener *listen, time_t now)
} }
p = packet + 2; p = packet + 2;
end = packet + 2 + len; end = packet + len;
if (ntohs(*((unsigned short *)packet)) != OP_RRQ || if (ntohs(*((unsigned short *)packet)) != OP_RRQ ||
!(filename = next(&p, end)) || !(filename = next(&p, end)) ||
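Review bot: the new `end = packet + len` relies on len counting the whole packet, 2-byte opcode included, and nothing at the assignment says so; since the reverted line got exactly this wrong, a one-line comment above it stating what len covers would help. The visible context also reads the opcode through `*((unsigned short *)packet)` with no length check shown in this hunk. If len can be below 2, end lands below p; the rewritten next() still returns NULL there through its `n == ret` test, but an explicit `len < 2` rejection ahead of the opcode read, if one is not already present above this context, would not depend on that detail.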
@@ -742,15 +742,16 @@ static void free_transfer(struct tftp_transfer *transfer)
static char *next(char **p, char *end) static char *next(char **p, char *end)
{ {
char *ret = *p; char *n, *ret = *p;
size_t len;
if (*(end-1) != 0 || /* Look for end of string, without running off the end of the packet. */
*p == end || for (n = *p; n < end && *n != 0; n++);
(len = strlen(ret)) == 0)
/* ran off the end or zero length string - failed */
if (n == end || n == ret)
return NULL; return NULL;
*p += len + 1; *p = n + 1;
return ret; return ret;
} }
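Review bot: the scan loop `for (n = *p; n < end && *n != 0; n++);` carries its empty body as a trailing `;` on the same line, which is easy to misread as controlling the `if` that follows; moving the `;` to its own line, or writing `continue;` as the body, would make the intent unmistakable. The comment on the failure test could also note that `n == ret` covers a caller passing end at or below *p as well as the zero-length string case, since the bounds safety of the function rests on that test and on the `n < end` check being evaluated before `*n` is read.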