[PATCH v2 01/13] net: tftp: Increase TFTP pkt string length to include null character
Sverdlin, Alexander
alexander.sverdlin at siemens.com
Wed Feb 19 19:49:18 CET 2025
Hi Chintan!
On Wed, 2025-02-19 at 16:18 +0530, Chintan Vankar wrote:
> To append a string to a tftp pkt, "tftp_send()" API invokes "sprintf()"
> function which copies a string excluding a null character causing TFTP
> not-null terminated string error. Increase TFTP pkt string by 1 to avoid
Is this error visible somehow? How did you stop this problem?
> this error.
>
> Signed-off-by: Chintan Vankar <c-vankar at ti.com>
> ---
>
> Link to v1:
> https://lore.kernel.org/r/20250107093840.2211381-2-c-vankar@ti.com/
>
> Changes from v1 to v2:
> -> Updated commit message.
>
> net/tftp.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/net/tftp.c b/net/tftp.c
> index fd9c9492929..420ea9ecf6c 100644
> --- a/net/tftp.c
> +++ b/net/tftp.c
> @@ -347,11 +347,11 @@ static void tftp_send(void)
> pkt += strlen((char *)pkt) + 1;
> #ifdef CONFIG_TFTP_TSIZE
> pkt += sprintf((char *)pkt, "tsize%c%u%c",
> - 0, net_boot_file_size, 0);
> + 0, net_boot_file_size, 0) + 1;
But it does indeed produce \000 octets, because of %c with "0" argument, doesn't it?
> #endif
> /* try for more effic. blk size */
> pkt += sprintf((char *)pkt, "blksize%c%d%c",
> - 0, tftp_block_size_option, 0);
> + 0, tftp_block_size_option, 0) + 1;
>
> /* try for more effic. window size.
> * Implemented only for tftp get.
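Review bot: In the tsize and blksize statements the format string already ends in %c with a 0 argument, so sprintf() writes the option's terminating zero octet and counts it in its return value; the added + 1 moves pkt one byte further, over the terminator that sprintf() itself appends, and the next option then starts after an extra zero octet. If the aim is to quiet a tool that reports a non-terminated string, the commit message should name the tool and quote its report, and the fix should leave the packet layout unchanged, for example by keeping `0, net_boot_file_size, 0);` as it was.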
> @@ -359,7 +359,7 @@ static void tftp_send(void)
> */
> if (tftp_state == STATE_SEND_RRQ && tftp_window_size_option > 1)
> pkt += sprintf((char *)pkt, "windowsize%c%d%c",
> - 0, tftp_window_size_option, 0);
> + 0, tftp_window_size_option, 0) + 1;
> len = pkt - xp;
> break;
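Review bot: With + 1 on the windowsize line and `len = pkt - xp;` directly after it, the extra byte from every patched sprintf() is counted in the transmitted length, so the request grows by one zero octet per option emitted. The commit message does not say whether this on-wire change is intended or how it was tested against a server; either drop the + 1 here as well or document the resulting packet format and the test that was run.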
--
Alexander Sverdlin
Siemens AG
www.siemens.com
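The question raised in the reply can be checked outside U-Boot. The following stand-alone C program is an added example, not part of the original mail or of U-Boot's code: it builds a tsize/blksize option block with and without the `+ 1` and then walks the result as NUL-terminated strings. The function names, buffer size and sample values are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed values standing in for net_boot_file_size and
 * tftp_block_size_option; they are not taken from the mail. */
#define SAMPLE_TSIZE   0u
#define SAMPLE_BLKSIZE 1468

/* Build "tsize\0<n>\0blksize\0<n>\0" the way the hunk does.
 * extra = 0 mirrors the original lines, extra = 1 the patched ones.
 * Returns how far the packet pointer advanced (the "len" of the block). */
size_t build_options(unsigned char *buf, int extra)
{
    unsigned char *pkt = buf;

    pkt += sprintf((char *)pkt, "tsize%c%u%c", 0, SAMPLE_TSIZE, 0) + extra;
    pkt += sprintf((char *)pkt, "blksize%c%d%c", 0, SAMPLE_BLKSIZE, 0) + extra;
    return (size_t)(pkt - buf);
}

/* Walk the block as consecutive NUL-terminated strings and count the
 * zero-length ones. Returns -1 if the final string is not terminated. */
int count_empty_strings(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    int empty = 0;

    while (off < len) {
        const unsigned char *end = memchr(buf + off, 0, len - off);
        if (!end)
            return -1;              /* ran off the end without a NUL */
        if (end == buf + off)
            empty++;                /* stray zero octet between strings */
        off = (size_t)(end - buf) + 1;
    }
    return empty;
}

int main(void)
{
    unsigned char buf[64];

    for (int extra = 0; extra <= 1; extra++) {
        memset(buf, 0xAA, sizeof(buf)); /* poison to expose unwritten bytes */
        size_t len = build_options(buf, extra);
        printf("extra=%d len=%zu last=0x%02x empty=%d\n", extra, len,
               buf[len - 1], count_empty_strings(buf, len));
    }
    return 0;
}
```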