[PATCH] net: lwip: tftp: Do not write past buffer end
Michal Simek
michal.simek at amd.com
Mon Jan 12 08:40:22 CET 2026
On 1/9/26 16:56, Andrew Goodbody wrote:
> sprintf will add a trailing \0 so manually adding a trailing \0 will
> result in an extra unaccounted for character being written. This
> overwrote the first byte of the following allocation block resulting in
> unexpected behaviour.
behavior
I think it would also be good to say how that issue was found.
Calling pxe get multiple times was the first symptom, which was able to
get the bootloader stuck.
>
> Fixes: 27d7ccda94fa ("net: lwip: tftp: add support of blksize option to client")
Jerome's original patch wasn't merged upstream. Do you have any plan to send v3 of it?
https://savannah.nongnu.org/patch/index.php?10462
>
> Signed-off-by: Andrew Goodbody <andrew.goodbody at linaro.org>
> ---
> lib/lwip/lwip/src/apps/tftp/tftp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/lwip/lwip/src/apps/tftp/tftp.c b/lib/lwip/lwip/src/apps/tftp/tftp.c
> index ecb6c55ae1100779187e7b138d098a0ef1e48ca1..25da952e92566cbca1c64bc89c89102e74d0a42c 100644
> --- a/lib/lwip/lwip/src/apps/tftp/tftp.c
> +++ b/lib/lwip/lwip/src/apps/tftp/tftp.c
> @@ -191,7 +191,7 @@ send_request(const ip_addr_t *addr, u16_t port, u16_t opcode, const char* fname,
> MEMCPY(payload+2, fname, fname_length);
> MEMCPY(payload+2+fname_length, mode, mode_length);
> if (tftp_state.blksize)
> - sprintf(payload+2+fname_length+mode_length, "blksize%c%d%c", 0, tftp_state.blksize, 0);
> + sprintf(payload+2+fname_length+mode_length, "blksize%c%d", 0, tftp_state.blksize);
>
> tftp_state.wait_oack = true;
> ret = udp_sendto(tftp_state.upcb, p, addr, port);
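Review bot: the sprintf on the + line is still unbounded, so staying inside the payload depends on a length computed outside this hunk matching exactly "blksize", a NUL, the decimal digits of tftp_state.blksize and the single terminating NUL that sprintf appends. Consider snprintf with the remaining payload length and a check of its return value, or at least a one-line comment stating that sprintf's own terminator is the NUL that ends the option value, so the dropped trailing %c is not added back later.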
>
> ---
> base-commit: c05dba22f1f2b0b2655ee3971644acf1936cd07a
> change-id: 20260109-tftp_fix-3ab9bd66a6ad
>
> Best regards,
With the above commit message fix, feel free to add
Reported-by: Michal Simek <michal.simek at amd.com>
Tested-by: Michal Simek <michal.simek at amd.com>
Thanks,
Michal
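
The off-by-one described in the commit message, as an added example that is not part of the patch, lwIP or U-Boot: it builds a request in a scratch area with a canary byte just past the exact request length and reports whether each format string touches it. The sizing formula, the helper names, the file name and the block size are assumptions constructed for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define GUARD 0xA5  /* constructed canary standing in for the next heap block */

/* Exact size of a TFTP request: opcode, fname NUL, mode NUL and, when set,
 * "blksize" NUL <decimal digits> NUL. Assumed sizing, not lwIP's own code. */
static size_t request_len(const char *fname, const char *mode, unsigned blksize)
{
    size_t n = 2 + strlen(fname) + 1 + strlen(mode) + 1;
    if (blksize)
        n += strlen("blksize") + 1 + (size_t)snprintf(NULL, 0, "%u", blksize) + 1;
    return n;
}

/* Build the request in a scratch area whose first request_len() bytes play
 * the role of the allocation. Returns 1 if the byte just past it is intact,
 * 0 if it was overwritten, -1 if the inputs do not fit the scratch area. */
static int build_request(const char *fname, const char *mode,
                         unsigned blksize, int extra_nul)
{
    unsigned char buf[256];
    size_t need = request_len(fname, mode, blksize);
    size_t off = 2;

    if (need + 2 > sizeof(buf))
        return -1;
    memset(buf, GUARD, sizeof(buf));
    buf[0] = 0; buf[1] = 1;                      /* opcode 1 = RRQ */
    memcpy(buf + off, fname, strlen(fname) + 1); off += strlen(fname) + 1;
    memcpy(buf + off, mode, strlen(mode) + 1);   off += strlen(mode) + 1;
    if (blksize && extra_nul)    /* pre-fix format: "%c" NUL plus sprintf's NUL */
        sprintf((char *)buf + off, "blksize%c%u%c", 0, blksize, 0);
    else if (blksize)            /* fixed format: sprintf's NUL ends the value */
        sprintf((char *)buf + off, "blksize%c%u", 0, blksize);
    return buf[need] == GUARD;
}

int main(void)
{
    printf("pre-fix guard intact: %d\n", build_request("pxelinux.cfg/default", "octet", 1468, 1));
    printf("fixed   guard intact: %d\n", build_request("pxelinux.cfg/default", "octet", 1468, 0));
    return 0;
}
```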