tftp: correct the filename length check

Reported-by: z2_
Bug: https://hackerone.com/reports/3508321
Closes #20283
Daniel Stenberg 2026-01-13 08:02:19 +01:00
parent 8582ecf5bb
commit db86f2de9b
GPG key ID: 5CC908FDB71E12C2


@ -697,16 +697,16 @@ static CURLcode tftp_send_first(struct tftp_conn *state,
if(result)
return result;
if(strlen(filename) > (state->blksize - strlen(mode) - 4)) {
if(strlen(filename) + strlen(mode) + 4 > state->blksize) {
failf(data, "TFTP filename too long");
curlx_free(filename);
return CURLE_TFTP_ILLEGAL; /* too long filename field */
}
curl_msnprintf((char *)state->spacket.data + 2,
state->blksize,
"%s%c%s%c", filename, '\0', mode, '\0');
sbytes = 4 + strlen(filename) + strlen(mode);
sbytes = 2 +
curl_msnprintf((char *)state->spacket.data + 2,
state->blksize,
"%s%c%s%c", filename, '\0', mode, '\0');
curlx_free(filename);
/* optional addition of TFTP options */
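Review bot: The size passed to `curl_msnprintf` in the new `sbytes = 2 + curl_msnprintf(...)` statement is still `state->blksize`, although the write starts at `state->spacket.data + 2`, so that argument does not describe the space actually left in the packet buffer. With the corrected guard admitting `strlen(filename) + strlen(mode) + 4 == state->blksize`, the formatted fields end at offset `blksize - 1` and the terminating NUL lands at offset `blksize`, which is in bounds only if `spacket.data` is allocated larger than `blksize`; that allocation is not visible in this hunk. I would either pass the remaining space as the bound or, once the allocation is confirmed, add a comment such as `/* the length check above is the real bound; spacket.data must hold blksize plus the trailing NUL */`. A regression test using a block size smaller than `strlen(mode) + 4` would pin the case where the old subtraction presumably wrapped and let the check pass. `tftp_send_first` begins and ends outside this hunk.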