Changeset 3621 in MondoRescue for branches/3.3/mindi-busybox/networking/tftp.c
- Timestamp:
- Dec 20, 2016, 4:07:32 PM (7 years ago)
- Location:
- branches/3.3
- Files:
-
- 1 edited
- 1 copied
branches/3.3/mindi-busybox/networking/tftp.c
r3232 r3621 52 52 53 53 #include "libbb.h" 54 #include "common_bufsiz.h" 54 55 #include <syslog.h> 55 56 … … 118 119 uint8_t error_pkt[4 + 32]; 119 120 struct passwd *pw; 120 /* used in tftpd_main(), a bit big for stack: */ 121 char block_buf[TFTP_BLKSIZE_DEFAULT]; 121 /* Used in tftpd_main() for initial packet */ 122 /* Some HP PA-RISC firmware always sends fixed 516-byte requests */ 123 char block_buf[516]; 124 char block_buf_tail[1]; 122 125 #if ENABLE_FEATURE_TFTP_PROGRESS_BAR 123 126 off_t pos; … … 127 130 #endif 128 131 } FIX_ALIASING; 129 #define G (*(struct globals*) &bb_common_bufsiz1)130 struct BUG_G_too_big { 131 char BUG_G_too_big[sizeof(G) <= COMMON_BUFSIZE ? 1 : -1];132 }; 133 #define INIT_G() do {} while (0)132 #define G (*(struct globals*)bb_common_bufsiz1) 133 #define INIT_G() do { \ 134 setup_common_bufsiz(); \ 135 BUILD_BUG_ON(sizeof(G) > COMMON_BUFSIZE); \ 136 } while (0) 134 137 135 138 #define G_error_pkt_reason (G.error_pkt[3]) … … 347 350 block_nr = 0; 348 351 } 349 350 352 } else { /* tftp */ 351 353 /* Open file (must be after changing user) */ … … 758 760 len_and_sockaddr *our_lsa; 759 761 len_and_sockaddr *peer_lsa; 760 char *local_file, *mode, *user_opt; 762 char *mode, *user_opt; 763 char *local_file = local_file; 761 764 const char *error_msg; 762 765 int opt, result, opcode; … … 794 797 } 795 798 796 result = recv_from_to(STDIN_FILENO, G.block_buf, sizeof(G.block_buf), 799 result = recv_from_to(STDIN_FILENO, 800 G.block_buf, sizeof(G.block_buf) + 1, 801 /* ^^^ sizeof+1 to reliably detect oversized input */ 797 802 0 /* flags */, 798 803 &peer_lsa->u.sa, &our_lsa->u.sa, our_lsa->len); … … 800 805 error_msg = "malformed packet"; 801 806 opcode = ntohs(*(uint16_t*)G.block_buf); 802 if (result < 4 || result > =sizeof(G.block_buf)803 || G.block_buf[result-1] != '\0'807 if (result < 4 || result > sizeof(G.block_buf) 808 /*|| G.block_buf[result-1] != '\0' - bug compatibility, see below */ 804 809 || (IF_FEATURE_TFTP_PUT(opcode != TFTP_RRQ) 
/* not download */ 805 810 IF_GETPUT(&&) … … 809 814 goto err; 810 815 } 816 /* Some HP PA-RISC firmware always sends fixed 516-byte requests, 817 * with trailing garbage. 818 * Support that by not requiring NUL to be the last byte (see above). 819 * To make strXYZ() ops safe, force NUL termination: 820 */ 821 G.block_buf_tail[0] = '\0'; 822 811 823 local_file = G.block_buf + 2; 812 824 if (local_file[0] == '.' || strstr(local_file, "/.")) {
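Review bot: The new `recv_from_to()` call passes `sizeof(G.block_buf) + 1` as the length for a 516-byte array, so the extra byte lands in `block_buf_tail` only because that member happens to sit directly after `block_buf` in `struct globals`. Writing past the end of `block_buf` through its own pointer is out of bounds for the C object model and for bounds-checking tools (fortified builds, sanitizers), and a field later inserted between the two members would be silently overwritten by an oversized packet. Either declare a single array, `char block_buf[516 + 1];`, and compare `result` against 516, or pin the layout in `INIT_G()` with `BUILD_BUG_ON(offsetof(struct globals, block_buf_tail) != offsetof(struct globals, block_buf) + sizeof(G.block_buf));`. Because the trailing-NUL check is now commented out, the forced terminator only stops string functions at byte 516; the parsing that follows `local_file` is outside this view and should still bound each field against `G.block_buf + result`.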