From a63f9887b9523a5d73ed9348539919c175c1756a Mon Sep 17 00:00:00 2001 From: Dan Fandrich Date: Mon, 20 Mar 2006 22:15:22 +0000 Subject: Fixed a bug whereby a received file whose length was a multiple of 512 bytes could have random garbage appended. Also, stop processing TFTP packets which are too short to be legal. --- lib/tftp.c | 56 +++++++++++++++++++++++++++++++++----------------------- 1 file changed, 33 insertions(+), 23 deletions(-) diff --git a/lib/tftp.c b/lib/tftp.c index 6560a484d..9af1cf9b5 100644 --- a/lib/tftp.c +++ b/lib/tftp.c @@ -656,30 +656,40 @@ CURLcode Curl_tftp(struct connectdata *conn, bool *done) state->remote_addrlen = fromlen; } - /* The event is given by the TFTP packet time */ - event = (tftp_event_t)ntohs(state->rpacket.event); - - switch(event) { - case TFTP_EVENT_DATA: - Curl_client_write(data, CLIENTWRITE_BODY, - (char *)state->rpacket.u.data.data, state->rbytes-4); - break; - case TFTP_EVENT_ERROR: - state->error = (tftp_error_t)ntohs(state->rpacket.u.error.code); - infof(conn->data, "%s\n", (char *)state->rpacket.u.error.data); - break; - case TFTP_EVENT_ACK: - break; - case TFTP_EVENT_RRQ: - case TFTP_EVENT_WRQ: - default: - failf(conn->data, "%s\n", "Internal error: Unexpected packet"); - break; - } - - /* Update the progress meter */ - Curl_pgrsUpdate(conn); + /* Sanity check packet length */ + if (state->rbytes < 4) + { + failf(conn->data, "Received too short packet\n"); + /* Not a timeout, but how best to handle it? */ + event = TFTP_EVENT_TIMEOUT; + } else { + + /* The event is given by the TFTP packet time */ + event = (tftp_event_t)ntohs(state->rpacket.event); + + switch(event) { + case TFTP_EVENT_DATA: + if (state->rbytes > 4) + Curl_client_write(data, CLIENTWRITE_BODY, + (char *)state->rpacket.u.data.data, state->rbytes-4); + break; + case TFTP_EVENT_ERROR: + state->error = (tftp_error_t)ntohs(state->rpacket.u.error.code); + infof(conn->data, "%s\n", (char *)state->rpacket.u.error.data); + break; + case TFTP_EVENT_ACK: + break; + case TFTP_EVENT_RRQ: + case TFTP_EVENT_WRQ: + default: + failf(conn->data, "%s\n", "Internal error: Unexpected packet"); + break; + } + + /* Update the progress meter */ + Curl_pgrsUpdate(conn); + } } /* Check for transfer timeout every 10 blocks, or after timeout */ -- cgit v1.2.3