Commit 60174746c668b309378a91488dded898e9553eae
1 parent
ff13ac8c7b
Exists in
master
and in
54 other branches
Fix TFTP OACK code for short packets.
The old code had a loop limit overflow bug which caused a semi- infinite loop for small packets, because in "i<len-8", "i" was signed, but "len" was unsigned, and "len-8" became a huge number for small values of "len". This is a workaround which replaces broken commit 8f1bc284. Signed-off-by: Wolfgang Denk <wd@denx.de>
Showing 1 changed file with 6 additions and 2 deletions Side-by-side Diff
net/tftp.c
... | ... | @@ -276,8 +276,12 @@ |
276 | 276 | #endif |
277 | 277 | TftpState = STATE_OACK; |
278 | 278 | TftpServerPort = src; |
279 | - /* Check for 'blksize' option */ | |
280 | - for (i=0;i<len-8;i++) { | |
279 | + /* | |
280 | + * Check for 'blksize' option. | |
281 | + * Careful: "i" is signed, "len" is unsigned, thus | |
282 | + * something like "len-8" may give a *huge* number | |
283 | + */ | |
284 | + for (i=0; i+8<len; i++) { | |
281 | 285 | if (strcmp ((char*)pkt+i,"blksize") == 0) { |
282 | 286 | TftpBlkSize = (unsigned short) |
283 | 287 | simple_strtoul((char*)pkt+i+8,NULL,10); |