[src/trunk]: src/usr.bin/tftp make sure we do not overrun tp->th_msg on ERROR...
details: https://anonhg.NetBSD.org/src/rev/f1e8fc2fde32
branches: trunk
changeset: 499519:f1e8fc2fde32
user: itojun <itojun%NetBSD.org@localhost>
date: Tue Nov 21 14:58:21 2000 +0000
description:
make sure we do not overrun tp->th_msg on ERROR packet.
correct ERROR length to include terminating \0 (RFC1350 page 8).
diffstat:
usr.bin/tftp/tftp.c | 17 ++++++++++-------
1 files changed, 10 insertions(+), 7 deletions(-)
diffs (50 lines):
diff -r 10195132087b -r f1e8fc2fde32 usr.bin/tftp/tftp.c
--- a/usr.bin/tftp/tftp.c Tue Nov 21 14:28:54 2000 +0000
+++ b/usr.bin/tftp/tftp.c Tue Nov 21 14:58:21 2000 +0000
@@ -1,4 +1,4 @@
-/* $NetBSD: tftp.c,v 1.13 2000/10/22 01:42:15 dogcow Exp $ */
+/* $NetBSD: tftp.c,v 1.14 2000/11/21 14:58:21 itojun Exp $ */
/*
* Copyright (c) 1983, 1993
@@ -38,7 +38,7 @@
#if 0
static char sccsid[] = "@(#)tftp.c 8.1 (Berkeley) 6/6/93";
#else
-__RCSID("$NetBSD: tftp.c,v 1.13 2000/10/22 01:42:15 dogcow Exp $");
+__RCSID("$NetBSD: tftp.c,v 1.14 2000/11/21 14:58:21 itojun Exp $");
#endif
#endif /* not lint */
@@ -387,23 +387,26 @@
const struct errmsg *pe;
struct tftphdr *tp;
int length;
+ size_t msglen;
tp = (struct tftphdr *)ackbuf;
tp->th_opcode = htons((u_short)ERROR);
+ msglen = sizeof(ackbuf) - (&tp->th_msg[0] - ackbuf);
for (pe = errmsgs; pe->e_code >= 0; pe++)
if (pe->e_code == error)
break;
if (pe->e_code < 0) {
tp->th_code = EUNDEF;
- strcpy(tp->th_msg, strerror(error - 100));
+ strlcpy(tp->th_msg, strerror(error - 100), msglen);
} else {
tp->th_code = htons((u_short)error);
- strcpy(tp->th_msg, pe->e_msg);
+ strlcpy(tp->th_msg, pe->e_msg, msglen);
}
- length = strlen(pe->e_msg) + 4;
+ length = strlen(tp->th_msg);
+ msglen = &tp->th_msg[length + 1] - ackbuf;
if (trace)
- tpacket("sent", tp, length);
- if (sendto(f, ackbuf, length, 0, peer, peer->sa_len) != length)
+ tpacket("sent", tp, (int)msglen);
+ if (sendto(f, ackbuf, msglen, 0, peer, peer->sa_len) != length)
warn("nak");
}
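Review bot: The `sendto` check on the last changed line still compares the return value with `length`, which after this change holds only `strlen(tp->th_msg)`, while the call now sends `msglen` bytes (header, message and terminating NUL). A fully successful send therefore returns a value that differs from `length`, so `warn("nak")` would fire on every ERROR packet and a real short send could not be told apart from a normal one. Compare against the size actually passed: `if (sendto(f, ackbuf, msglen, 0, peer, peer->sa_len) != (ssize_t)msglen)`. The enclosing function starts before this hunk, so its signature and any earlier use of `length` are not visible here.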