[PATCH v2 1/2] net: lwip: tftp: Do not write past buffer end

Andrew Goodbody andrew.goodbody at linaro.org
Wed Jan 14 16:12:09 CET 2026


sprintf will add a trailing \0 so manually adding a trailing \0 will
result in an extra unaccounted for character being written. This
overwrote the first byte of the following allocation block resulting in
unexpected behavior.

This was found by running 'pxe get' with no available file resulting in
multiple attempts, using the default algorithm, to attempt to find a file.
Eventually there would be a failed assert when free() was called.
Failing the assert would result in a system reset.

Fixes: 27d7ccda94fa ("net: lwip: tftp: add support of blksize option to client")
Reported-by: Michal Simek <michal.simek at amd.com>
Tested-by: Michal Simek <michal.simek at amd.com>

Signed-off-by: Andrew Goodbody <andrew.goodbody at linaro.org>
---
 lib/lwip/lwip/src/apps/tftp/tftp.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/lwip/lwip/src/apps/tftp/tftp.c b/lib/lwip/lwip/src/apps/tftp/tftp.c
index ecb6c55ae1100779187e7b138d098a0ef1e48ca1..25da952e92566cbca1c64bc89c89102e74d0a42c 100644
--- a/lib/lwip/lwip/src/apps/tftp/tftp.c
+++ b/lib/lwip/lwip/src/apps/tftp/tftp.c
@@ -191,7 +191,7 @@ send_request(const ip_addr_t *addr, u16_t port, u16_t opcode, const char* fname,
   MEMCPY(payload+2,              fname, fname_length);
   MEMCPY(payload+2+fname_length, mode,  mode_length);
   if (tftp_state.blksize)
-    sprintf(payload+2+fname_length+mode_length, "blksize%c%d%c", 0, tftp_state.blksize, 0);
+    sprintf(payload+2+fname_length+mode_length, "blksize%c%d", 0, tftp_state.blksize);
 
   tftp_state.wait_oack = true;
   ret = udp_sendto(tftp_state.upcb, p, addr, port);
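Review bot: The sprintf at payload+2+fname_length+mode_length is still unbounded, so the write stays inside the buffer only if the allocation made earlier in send_request (not visible in this hunk) counts exactly the bytes this format produces: "blksize", the %c NUL, the digits of tftp_state.blksize, and the terminator that sprintf appends. Consider snprintf with the remaining payload size and a check of its return value, so a future change to the format or the length calculation fails safely instead of corrupting the next allocation. A one-line comment stating that the terminating NUL written by sprintf is the byte that ends the option value would also keep the trailing %c from being reintroduced later.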

-- 
2.47.3


