Source-Changes-HG archive


[src/trunk]: src/usr.bin/tftp make sure we do not overrun tp->th_msg on ERROR...



details:   https://anonhg.NetBSD.org/src/rev/f1e8fc2fde32
branches:  trunk
changeset: 499519:f1e8fc2fde32
user:      itojun <itojun%NetBSD.org@localhost>
date:      Tue Nov 21 14:58:21 2000 +0000

description:
make sure we do not overrun tp->th_msg on ERROR packet.
correct ERROR length to include terminating \0 (RFC1350 page 8).

diffstat:

 usr.bin/tftp/tftp.c |  17 ++++++++++-------
 1 files changed, 10 insertions(+), 7 deletions(-)

diffs (50 lines):

diff -r 10195132087b -r f1e8fc2fde32 usr.bin/tftp/tftp.c
--- a/usr.bin/tftp/tftp.c       Tue Nov 21 14:28:54 2000 +0000
+++ b/usr.bin/tftp/tftp.c       Tue Nov 21 14:58:21 2000 +0000
@@ -1,4 +1,4 @@
-/*     $NetBSD: tftp.c,v 1.13 2000/10/22 01:42:15 dogcow Exp $ */
+/*     $NetBSD: tftp.c,v 1.14 2000/11/21 14:58:21 itojun Exp $ */
 
 /*
  * Copyright (c) 1983, 1993
@@ -38,7 +38,7 @@
 #if 0
 static char sccsid[] = "@(#)tftp.c     8.1 (Berkeley) 6/6/93";
 #else
-__RCSID("$NetBSD: tftp.c,v 1.13 2000/10/22 01:42:15 dogcow Exp $");
+__RCSID("$NetBSD: tftp.c,v 1.14 2000/11/21 14:58:21 itojun Exp $");
 #endif
 #endif /* not lint */
 
@@ -387,23 +387,26 @@
        const struct errmsg *pe;
        struct tftphdr *tp;
        int length;
+       size_t msglen;
 
        tp = (struct tftphdr *)ackbuf;
        tp->th_opcode = htons((u_short)ERROR);
+       msglen = sizeof(ackbuf) - (&tp->th_msg[0] - ackbuf);
        for (pe = errmsgs; pe->e_code >= 0; pe++)
                if (pe->e_code == error)
                        break;
        if (pe->e_code < 0) {
                tp->th_code = EUNDEF;
-               strcpy(tp->th_msg, strerror(error - 100));
+               strlcpy(tp->th_msg, strerror(error - 100), msglen);
        } else {
                tp->th_code = htons((u_short)error);
-               strcpy(tp->th_msg, pe->e_msg);
+               strlcpy(tp->th_msg, pe->e_msg, msglen);
        }
-       length = strlen(pe->e_msg) + 4;
+       length = strlen(tp->th_msg);
+       msglen = &tp->th_msg[length + 1] - ackbuf;
        if (trace)
-               tpacket("sent", tp, length);
-       if (sendto(f, ackbuf, length, 0, peer, peer->sa_len) != length)
+               tpacket("sent", tp, (int)msglen);
+       if (sendto(f, ackbuf, msglen, 0, peer, peer->sa_len) != length)
                warn("nak");
 }
 
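Review bot: The `sendto()` result on the last changed line is still compared against `length`, which after this change holds only `strlen(tp->th_msg)`, while the byte count actually passed is `msglen` (header, message and terminating NUL). A fully successful send therefore returns a value that differs from `length`, so `warn("nak")` fires on every ERROR packet and no longer distinguishes real send failures. The comparison should use the size that was sent, e.g. `if (sendto(f, ackbuf, msglen, 0, peer, peer->sa_len) != (ssize_t)msglen)`. The bound handed to `strlcpy` looks right, since `msglen` at that point is the space left in `ackbuf` after the header, so a long `strerror()` text is truncated rather than overrunning the buffer. The function's signature and the declaration of `ackbuf` are outside the hunk, so their types are inferred from use.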


