From dced91d8f3c525ce50e8b61814028cfd393c983f Mon Sep 17 00:00:00 2001 From: sobomax Date: Thu, 20 Nov 2003 13:36:31 +0000 Subject: [PATCH] Fix a bug which causes wrong filename being written into the syslog in the case when client sends request with RFC2347 options. Approved by: re MFC After: 2 weeks --- libexec/tftpd/tftpd.c | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/libexec/tftpd/tftpd.c b/libexec/tftpd/tftpd.c index bc247533466c..6435e8b276f3 100644 --- a/libexec/tftpd/tftpd.c +++ b/libexec/tftpd/tftpd.c @@ -364,8 +364,9 @@ tftp(struct tftphdr *tp, int size) int i, first = 1, has_options = 0, ecode; struct formats *pf; char *filename, *mode, *option, *ccp; + char fnbuf[MAXPATHLEN]; - filename = cp = tp->th_stuff; + cp = tp->th_stuff; again: while (cp < buf + size) { if (*cp == '\0') @@ -376,6 +377,14 @@ tftp(struct tftphdr *tp, int size) nak(EBADOP); exit(1); } + i = cp - tp->th_stuff; + if (i >= sizeof(fnbuf)) { + nak(EBADOP); + exit(1); + } + memcpy(fnbuf, tp->th_stuff, i); + fnbuf[i] = '\0'; + filename = fnbuf; if (first) { mode = ++cp; first = 0;