tftp: stricter option name checks

Previously, the use of checkprefix() alone allowed the code to match not
only on "blksize" but also (mistakenly) on "blksizeFOO" etc.

Reported-by: Andrew Nesbit
Closes #21560
Daniel Stenberg 2026-05-12 09:20:31 +02:00
parent 7eb0b30934
commit 2256162fa7
GPG key ID: 5CC908FDB71E12C2


@ -266,16 +266,19 @@ static CURLcode tftp_parse_option_ack(struct tftp_conn *state,
while(tmp < ptr + len) {
const char *option, *value;
size_t olen;
tmp = tftp_option_get(tmp, ptr + len - tmp, &option, &value);
if(!tmp) {
failf(data, "Malformed ACK packet, rejecting");
return CURLE_TFTP_ILLEGAL;
}
olen = strlen(option);
infof(data, "got option=(%s) value=(%s)", option, value);
if(checkprefix(TFTP_OPTION_BLKSIZE, option)) {
if((strlen(TFTP_OPTION_BLKSIZE) == olen) &&
checkprefix(TFTP_OPTION_BLKSIZE, option)) {
curl_off_t blksize;
if(curlx_str_number(&value, &blksize, TFTP_BLKSIZE_MAX)) {
failf(data, "%s (%d)", "blksize is larger than max supported",
@ -304,7 +307,8 @@ static CURLcode tftp_parse_option_ack(struct tftp_conn *state,
infof(data, "blksize parsed from OACK (%u) requested (%u)",
state->blksize, state->requested_blksize);
}
else if(checkprefix(TFTP_OPTION_TSIZE, option)) {
else if((strlen(TFTP_OPTION_TSIZE) == olen) &&
checkprefix(TFTP_OPTION_TSIZE, option)) {
curl_off_t tsize = 0;
/* tsize should be ignored on upload: Who cares about the size of the
remote file? */
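Review bot: The exact-match test is written as a length comparison plus checkprefix() in both the blksize and the tsize branch, which spreads one intent over two conditions and needs the extra `olen` local. Assuming checkprefix() is the usual case-insensitive prefix compare, a whole-string case-insensitive compare says the same thing directly: `if(curl_strequal(option, TFTP_OPTION_BLKSIZE)) {` and `else if(curl_strequal(option, TFTP_OPTION_TSIZE)) {`. Option names in an OACK are supplied by the server, so a name that now matches neither branch ends up in code outside these hunks; it is worth confirming that path rejects or at least logs an option the client never requested. tftp_parse_option_ack starts and ends outside the hunks shown.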