Page MenuHomeFreeBSD

tftpd: Fix data corruption bug with netascii
ClosedPublic

Authored by asomers on Aug 22 2018, 10:30 PM.
Tags
None
Referenced Files
F106650156: D16853.diff
Fri, Jan 3, 9:16 AM
Unknown Object (File)
Nov 27 2024, 6:05 AM
Unknown Object (File)
Nov 27 2024, 6:02 AM
Unknown Object (File)
Nov 27 2024, 6:02 AM
Unknown Object (File)
Nov 27 2024, 6:01 AM
Unknown Object (File)
Nov 27 2024, 5:46 AM
Unknown Object (File)
Nov 24 2024, 4:15 PM
Unknown Object (File)
Nov 23 2024, 6:19 PM
Subscribers
None

Details

Summary

tftpd: Fix data corruption bug with netascii

Transferring files in netascii format requires, among other things, translating
all CR characters to a CR,NUL pair. tftpd does this correctly except when the
CR occurs as the last octet of a packet. In that case, it erroneously drops
the NUL which should be part of the following packet. The bug was caused by
using 0 as a sentinel value in a variable that could legitimately hold 0. Fix
it by switching the sentinel value to -1.

PR: 178055

Test Plan

Manually tested with the example file from the PR.

Diff Detail

Repository
rS FreeBSD src repository - subversion
Lint
Lint Passed
Unit
No Test Coverage
Build Status
Buildable 19074
Build 18705: arc lint + arc unit

Event Timeline

libexec/tftpd/tftp-file.c
162โ€“167

Is buffer sized such that this does not overflow?

164

typo -- alllowed

asomers added inline comments.
libexec/tftpd/tftp-file.c
162โ€“167

Yes. The buffer is fixed at the maximum segment size + 4 (in tftpd-utils.h). count will never be greater than the maximum segment size.

164

I"ll fix.

asomers marked 2 inline comments as done.

Fix an old typo in a comment

This revision is now accepted and ready to land.Aug 22 2018, 11:23 PM

Thanks @cem. I know I can always count on you for a good review.

This revision was automatically updated to reflect the committed changes.