[PATCH v2 1/2] net: lwip: tftp: Do not write past buffer end
Tom Rini
trini at konsulko.com
Wed Jan 14 17:28:27 CET 2026
On Wed, Jan 14, 2026 at 03:12:09PM +0000, Andrew Goodbody wrote:
> sprintf will add a trailing \0 so manually adding a trailing \0 will
> result in an extra unaccounted for character being written. This
> overwrote the first byte of the following allocation block resulting in
> unexpected behavior.
>
> This was found by Running 'pxe get' with no available file resulting in
> multiple attempts, using the default algorithm, to attempt to find a file.
> Eventually there would be a failed assert when free() was called.
> Failing the assert would result in a system reset.
>
> Fixes: 27d7ccda94fa ("net: lwip: tftp: add support of blksize option to client")
> Reported-by: Michal Simek <michal.simek at amd.com>
> Tested-by: Michal Simek <michal.simek at amd.com>
>
> Signed-off-by: Andrew Goodbody <andrew.goodbody at linaro.org>
Tested-by: Tom Rini <trini at konsulko.com> # Pine64+
--
Tom
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 228 bytes
Desc: not available
URL: <https://lists.denx.de/pipermail/u-boot/attachments/20260114/9f9b7107/attachment.sig>
More information about the U-Boot
mailing list