From 5975229919b54c0a780bdc8d1bdd5baf6d5959bf Mon Sep 17 00:00:00 2001 From: Daniel Stenberg Date: Mon, 20 Mar 2006 07:32:50 +0000 Subject: fixed tftp packet overflow risk --- lib/tftp.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) (limited to 'lib') diff --git a/lib/tftp.c b/lib/tftp.c index da250fca8..6560a484d 100644 --- a/lib/tftp.c +++ b/lib/tftp.c @@ -5,7 +5,7 @@ * | (__| |_| | _ <| |___ * \___|\___/|_| \_\_____| * - * Copyright (C) 1998 - 2005, Daniel Stenberg, , et al. + * Copyright (C) 1998 - 2006, Daniel Stenberg, , et al. * * This software is licensed as described in the file COPYING, which * you should have received as part of this distribution. The terms @@ -271,8 +271,9 @@ static void tftp_send_first(tftp_state_data_t *state, tftp_event_t event) /* If we are downloading, send an RRQ */ state->spacket.event = htons(TFTP_EVENT_RRQ); } - sprintf((char *)state->spacket.u.request.data, "%s%c%s%c", - filename, '\0', mode, '\0'); + snprintf((char *)state->spacket.u.request.data, + sizeof(state->spacket.u.request.data), + "%s%c%s%c", filename, '\0', mode, '\0'); sbytes = 4 + (int)strlen(filename) + (int)strlen(mode); sbytes = sendto(state->sockfd, (void *)&state->spacket, sbytes, 0, @@ -533,7 +534,7 @@ CURLcode Curl_tftp_connect(struct connectdata *conn, bool *done) * The TFTP code is not portable because it sends C structs directly over * the wire. Since C gives compiler writers a wide latitude in padding and * aligning structs, this fails on many architectures (e.g. ARM). - * + * * The only portable way to fix this is to copy each struct item into a * flat buffer and send the flat buffer instead of the struct. The * alternative, trying to get the compiler to eliminate padding bytes -- cgit v1.2.3