tftp: reject file name lengths that don't fit

author Daniel Stenberg <daniel@haxx.se>

Tue, 1 Aug 2017 15:16:46 +0000 (17:16 +0200)

committer Daniel Stenberg <daniel@haxx.se>

Mon, 7 Aug 2017 07:24:30 +0000 (09:24 +0200)
author Daniel Stenberg <daniel@haxx.se>
Tue, 1 Aug 2017 15:16:46 +0000 (17:16 +0200)
committer Daniel Stenberg <daniel@haxx.se>
Mon, 7 Aug 2017 07:24:30 +0000 (09:24 +0200)
diff --git a/lib/tftp.c b/lib/tftp.c

index 02bd842427a2c32c997f9c4ac66454c46ebead88..f6f4bce5b1f8b033b79a2f0e928aafcacad84b2a 100644 (file)
--- a/lib/tftp.c
+++ b/lib/tftp.c
@@ -5,7 +5,7 @@
   *                            | (__| |_| |  _ <| |___
   *                             \___|\___/|_| \_\_____|
   *
- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
   *
   * This software is licensed as described in the file COPYING, which
   * you should have received as part of this distribution. The terms
@@ -491,6 +491,11 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
      if(result)
        return result;
  
+    if(strlen(filename) > (state->blksize - strlen(mode) - 4)) {
+      failf(data, "TFTP file name too long\n");
+      return CURLE_TFTP_ILLEGAL; /* too long file name field */
+    }
+
      snprintf((char *)state->spacket.data+2,
               state->blksize,
               "%s%c%s%c", filename, '\0',  mode, '\0');
author	Daniel Stenberg <daniel@haxx.se>
	Tue, 1 Aug 2017 15:16:46 +0000 (17:16 +0200)
committer	Daniel Stenberg <daniel@haxx.se>
	Mon, 7 Aug 2017 07:24:30 +0000 (09:24 +0200)