
tftp: Alloc maximum blksize, and use default unless OACK is received

Fixes potential buffer overflow from 'recvfrom()', should the server
return an OACK without blksize.

Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
CVE-2019-5482
Thomas Vegas 2019-08-31 17:30:51 +02:00 committed by Daniel Stenberg
parent 82f3ba3806
commit facb0e4662


@ -985,6 +985,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
{ {
tftp_state_data_t *state; tftp_state_data_t *state;
int blksize; int blksize;
int need_blksize;
blksize = TFTP_BLKSIZE_DEFAULT; blksize = TFTP_BLKSIZE_DEFAULT;
@ -999,15 +1000,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
return CURLE_TFTP_ILLEGAL; return CURLE_TFTP_ILLEGAL;
} }
need_blksize = blksize;
/* default size is the fallback when no OACK is received */
if(need_blksize < TFTP_BLKSIZE_DEFAULT)
need_blksize = TFTP_BLKSIZE_DEFAULT;
if(!state->rpacket.data) { if(!state->rpacket.data) {
state->rpacket.data = calloc(1, blksize + 2 + 2); state->rpacket.data = calloc(1, need_blksize + 2 + 2);
if(!state->rpacket.data) if(!state->rpacket.data)
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
} }
if(!state->spacket.data) { if(!state->spacket.data) {
state->spacket.data = calloc(1, blksize + 2 + 2); state->spacket.data = calloc(1, need_blksize + 2 + 2);
if(!state->spacket.data) if(!state->spacket.data)
return CURLE_OUT_OF_MEMORY; return CURLE_OUT_OF_MEMORY;
@ -1021,7 +1027,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done)
state->sockfd = state->conn->sock[FIRSTSOCKET]; state->sockfd = state->conn->sock[FIRSTSOCKET];
state->state = TFTP_STATE_START; state->state = TFTP_STATE_START;
state->error = TFTP_ERR_NONE; state->error = TFTP_ERR_NONE;
state->blksize = blksize; state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
state->requested_blksize = blksize; state->requested_blksize = blksize;
((struct sockaddr *)&state->local_addr)->sa_family = ((struct sockaddr *)&state->local_addr)->sa_family =
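Review bot: The capacity allocated by the two `calloc(1, need_blksize + 2 + 2)` calls is never recorded in `state`, so the bound that keeps the receive path safe is left implicit: `state->blksize` must never exceed max(`requested_blksize`, `TFTP_BLKSIZE_DEFAULT`). The code that reads into `rpacket.data` and the OACK option parsing are outside these hunks, so presumably they enforce it, but nothing here tells a later maintainer that they must. I would state the invariant at the allocation by extending the existing comment to `/* buffers hold max(requested, default) + 4 bytes; OACK handling must never set state->blksize above requested_blksize */`. Storing the allocated size in the state struct would let the receive call use it as its length limit, so the bound would no longer depend on the negotiated value. The body of `tftp_connect` starts before and continues after the lines shown.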