Fix TFTP OACK code for short packets.

The old code had a loop limit overflow bug which caused a semi- infinite loop for small packets, because in "i<len-8", "i" was signed, but "len" was unsigned, and "len-8" became a huge number for small values of "len". This is a workaround which replaces broken commit 8f1bc284. Signed-off-by: Wolfgang Denk <wd@denx.de>

Fix TFTP OACK code for short packets.
The old code had a loop limit overflow bug which caused a semi- infinite loop for small packets, because in "i<len-8", "i" was signed, but "len" was unsigned, and "len-8" became a huge number for small values of "len". This is a workaround which replaces broken commit 8f1bc284. Signed-off-by: Wolfgang Denk <wd@denx.de>
Wolfgang Denk
1 parent ff13ac8c7b
Showing 1 changed file with 6 additions and 2 deletions Side-by-side Diff
net/tftp.c
@@ -276,8 +276,12 @@
 #endif
 		TftpState = STATE_OACK;
 		TftpServerPort = src;
-		/* Check for 'blksize' option */
-		for (i=0;i<len-8;i++) {
+		/*
+		 * Check for 'blksize' option.
+		 * Careful: "i" is signed, "len" is unsigned, thus
+		 * something like "len-8" may give a *huge* number
+		 */
+		for (i=0; i+8<len; i++) {
 			if (strcmp ((char*)pkt+i,"blksize") == 0) {
 				TftpBlkSize = (unsigned short)
 					simple_strtoul((char*)pkt+i+8,NULL,10);
...	...	@@ -276,8 +276,12 @@
276	276	#endif
277	277	TftpState = STATE_OACK;
278	278	TftpServerPort = src;
279		- /* Check for 'blksize' option */
280		- for (i=0;i<len-8;i++) {
	279	+ /*
	280	+ * Check for 'blksize' option.
	281	+ * Careful: "i" is signed, "len" is unsigned, thus
	282	+ * something like "len-8" may give a huge number
	283	+ */
	284	+ for (i=0; i+8<len; i++) {
281	285	if (strcmp ((char*)pkt+i,"blksize") == 0) {
282	286	TftpBlkSize = (unsigned short)
283	287	simple_strtoul((char*)pkt+i+8,NULL,10);