[Bug 200500] libstand/tftp.c recvtftp() is broken for large files

bugzilla-noreply at freebsd.org
Thu May 28 19:50:15 UTC 2015


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200500

            Bug ID: 200500
           Summary: libstand/tftp.c recvtftp() is broken for large files
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs at FreeBSD.org
          Reporter: tsoome at me.com

The tftp th_block is an unsigned short, but the tftp code in libstand is tracking
transaction IDs with the struct iodesc field xid, which is a long. In the case of large
files, the transaction ID will reset to 0, but the current code will miss it, as it
compares a short int with a long int.

The fix is simple:

--- a/libstand/tftp.c
+++ b/libstand/tftp.c
@@ -200,7 +200,7 @@ recvtftp(struct tftp_handle *h, void *pkt, ssize_t len,
time_t tleft,
        case DATA: {
                int got;

-               if (htons(t->th_block) != d->xid) {
+               if (htons(t->th_block) != (u_short) d->xid) {
                        /*
                         * Expected block?
                         */
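
Review bot: the `(u_short) d->xid` cast in the DATA case needs a comment stating that the truncation is deliberate, because th_block is a 16-bit field that wraps on large files; without it the cast reads as an accidental narrowing and is easy to "clean up" later, which would reintroduce the bug. Since this is recvtftp() and `t->th_block` comes off the wire, `ntohs(t->th_block)` would state the intent more clearly than `htons()`, even though both produce the same value. Only this one comparison is changed here, so any other place that treats `d->xid` as a block number (not visible in this hunk) should be checked for the same 16-bit handling.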
