RIOT-OS/RIOT
RIOT-OS/RIOT
1
0
Fork 0
mirror of https://github.com/RIOT-OS/RIOT.git synced 2024-12-29 04:50:03 +01:00
Code Releases Activity

Merge pull request #11737 from nmeum/pr/gnrc_tftp_mode_compare

Browse Source 
gnrc_tftp: Fix out-of-bounds memory access when comparing modes
This commit is contained in:
Sebastian Meiling 2019-07-01 09:26:03 +02:00 committed by GitHub
commit 57361470dd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 8 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
sys/net/gnrc/application_layer/tftp/gnrc_tftp.c
View File

@ -233,7 +233,7 @@ static tftp_state _tftp_send_error(tftp_context_t *ctxt, gnrc_pktsnip_t *buf, tf
static tftp_state _tftp_send(gnrc_pktsnip_t *buf, tftp_context_t *ctxt, size_t len);
/* decode the default TFTP start packet */
static int _tftp_decode_start(tftp_context_t *ctxt, uint8_t *buf, gnrc_pktsnip_t *outbuf);
static int _tftp_decode_start(tftp_context_t *ctxt, gnrc_pktsnip_t *inpkt, gnrc_pktsnip_t *outbuf);
/* decode the TFTP option extensions */
static int _tftp_decode_options(tftp_context_t *ctxt, gnrc_pktsnip_t *buf, uint32_t start);
@ -629,7 +629,7 @@ tftp_state _tftp_state_processes(tftp_context_t *ctxt, msg_t *m)
ctxt->dst_port = byteorder_ntohs(udp->src_port);
DEBUG("tftp: client's port is %" PRIu16 "\n", ctxt->dst_port);
int offset = _tftp_decode_start(ctxt, data, outbuf);
int offset = _tftp_decode_start(ctxt, pkt, outbuf);
DEBUG("tftp: offset after decode start = %i\n", offset);
if (offset < 0) {
DEBUG("tftp: there is no data?\n");
@ -1022,10 +1022,10 @@ bool _tftp_validate_ack(tftp_context_t *ctxt, uint8_t *buf)
return ctxt->block_nr == byteorder_ntohs(pkt->block_nr);
}
int _tftp_decode_start(tftp_context_t *ctxt, uint8_t *buf, gnrc_pktsnip_t *outbuf)
int _tftp_decode_start(tftp_context_t *ctxt, gnrc_pktsnip_t *inpkt, gnrc_pktsnip_t *outbuf)
{
/* decode the packet */
tftp_header_t *hdr = (tftp_header_t *)buf;
tftp_header_t *hdr = (tftp_header_t *)inpkt->data;
/* get the file name and copy terminating byte */
size_t fnlen = strlen((char *)hdr->data) + 1;
@ -1047,6 +1047,10 @@ int _tftp_decode_start(tftp_context_t *ctxt, uint8_t *buf, gnrc_pktsnip_t *outbu
/* decode the TFTP transfer mode */
for (uint32_t idx = 0; idx < ARRAY_LEN(_tftp_modes); ++idx) {
if (_tftp_modes[idx].len > (inpkt->size - sizeof(*hdr) - fnlen)) {
continue;
}
if (memcmp(_tftp_modes[idx].name, str_mode, _tftp_modes[idx].len) == 0) {
ctxt->mode = (tftp_mode_t)idx;
return (str_mode + _tftp_modes[idx].len) - (char *)hdr->data;