tftp: reject file name lengths that don't fit

... and thereby avoid telling send() to send off more bytes than the size of the buffer! CVE-2017-1000100 Bug: https://curl.haxx.se/docs/adv_20170809B.html Reported-by: Even Rouault Credit to OSS-Fuzz for the discovery
2024-12-21 23:58:49 -05:00 · 2017-08-01 17:16:46 +02:00 · 2017-08-01 17:16:46 +02:00 · 358b2b131a
commit 358b2b131a
parent c9332fa5e8
1 changed files with 6 additions and 1 deletions
--- a/lib/tftp.c
+++ b/lib/tftp.c
@ -5,7 +5,7 @@
 *                            | (__| |_| |  _ <| |___
 *                             \___|\___/|_| \_\_____|
 *
- * Copyright (C) 1998 - 2016, Daniel Stenberg, <daniel@haxx.se>, et al.
+ * Copyright (C) 1998 - 2017, Daniel Stenberg, <daniel@haxx.se>, et al.
 *
 * This software is licensed as described in the file COPYING, which
 * you should have received as part of this distribution. The terms
@ -491,6 +491,11 @@ static CURLcode tftp_send_first(tftp_state_data_t *state, tftp_event_t event)
    if(result)
      return result;

+    if(strlen(filename) > (state->blksize - strlen(mode) - 4)) {
+      failf(data, "TFTP file name too long\n");
+      return CURLE_TFTP_ILLEGAL; /* too long file name field */
+    }
+
    snprintf((char *)state->spacket.data+2,
             state->blksize,
             "%s%c%s%c", filename, '\0',  mode, '\0');