[PATCH v2 1/2] net: lwip: tftp: Do not write past buffer end
Jerome Forissier
jerome.forissier at arm.com
Mon Jan 19 10:32:10 CET 2026
On 14/01/2026 16:12, Andrew Goodbody wrote:
> sprintf will add a trailing \0 so manually adding a trailing \0 will
> result in an extra unaccounted for character being written. This
> overwrote the first byte of the following allocation block resulting in
> unexpected behavior.
>
> This was found by running 'pxe get' with no available file resulting in
> multiple attempts, using the default algorithm, to attempt to find a file.
> Eventually there would be a failed assert when free() was called.
> Failing the assert would result in a system reset.
>
> Fixes: 27d7ccda94fa ("net: lwip: tftp: add support of blksize option to client")
> Reported-by: Michal Simek <michal.simek at amd.com>
> Tested-by: Michal Simek <michal.simek at amd.com>
>
> Signed-off-by: Andrew Goodbody <andrew.goodbody at linaro.org>
> ---
> lib/lwip/lwip/src/apps/tftp/tftp.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/lib/lwip/lwip/src/apps/tftp/tftp.c b/lib/lwip/lwip/src/apps/tftp/tftp.c
> index ecb6c55ae1100779187e7b138d098a0ef1e48ca1..25da952e92566cbca1c64bc89c89102e74d0a42c 100644
> --- a/lib/lwip/lwip/src/apps/tftp/tftp.c
> +++ b/lib/lwip/lwip/src/apps/tftp/tftp.c
> @@ -191,7 +191,7 @@ send_request(const ip_addr_t *addr, u16_t port, u16_t opcode, const char* fname,
> MEMCPY(payload+2, fname, fname_length);
> MEMCPY(payload+2+fname_length, mode, mode_length);
> if (tftp_state.blksize)
> - sprintf(payload+2+fname_length+mode_length, "blksize%c%d%c", 0, tftp_state.blksize, 0);
> + sprintf(payload+2+fname_length+mode_length, "blksize%c%d", 0, tftp_state.blksize);
>
> tftp_state.wait_oack = true;
> ret = udp_sendto(tftp_state.upcb, p, addr, port);
>
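Review bot: the replacement sprintf() line now relies on sprintf's implicit terminator to supply the NUL that ends the blksize value in the request, which is not obvious from the format string "blksize%c%d" and is easy to undo in a later edit; a one-line comment above the call saying that the terminating NUL is part of the packet would help. The call is also still unbounded: it writes at payload+2+fname_length+mode_length with no length argument, so it stays correct only while the buffer size computed elsewhere (not visible in this hunk) matches the formatted length exactly. Consider snprintf() with the space remaining in the payload and a check of its return value, so that any future mismatch fails the request instead of writing past the end.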
Reviewed-by: Jerome Forissier <jerome.forissier at arm.com>
Thanks,
--
Jerome
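
The off-by-one described in the commit message, reproduced as an added example (not code from the patch, lwIP or U-Boot). It assumes the request buffer is sized for exactly `blksize` NUL digits NUL; the helper names `blksize_opt_len`, `canary_intact` and `put_blksize_opt` are hypothetical, and a canary byte in an oversized local array stands in for the following allocation.

```c
#include <stdio.h>
#include <string.h>

#define CANARY 0xA5

/* Wire size of the option: "blksize" NUL <decimal digits> NUL */
static size_t blksize_opt_len(int blksize)
{
    return strlen("blksize") + 1 + (size_t)snprintf(NULL, 0, "%d", blksize) + 1;
}

/* Format into an oversized array pre-filled with canary bytes, then test the
 * byte just past the assumed allocation. Returns 1 if that byte is untouched. */
static int canary_intact(int blksize, int legacy)
{
    unsigned char backing[64];
    size_t opt_len = blksize_opt_len(blksize);

    memset(backing, CANARY, sizeof(backing));
    if (legacy)   /* pre-patch format: explicit %c NUL plus sprintf's own NUL */
        sprintf((char *)backing, "blksize%c%d%c", 0, blksize, 0);
    else          /* patched format: sprintf's terminator is the final NUL */
        sprintf((char *)backing, "blksize%c%d", 0, blksize);
    return backing[opt_len] == CANARY;
}

/* Bounded variant: returns bytes used including the final NUL, or -1 when the
 * option does not fit in 'room' bytes. */
static int put_blksize_opt(char *dst, size_t room, int blksize)
{
    int n = snprintf(dst, room, "blksize%c%d", 0, blksize);

    if (n < 0 || (size_t)n >= room)
        return -1;
    return n + 1;
}

int main(void)
{
    char buf[32];

    printf("option length for 1468: %zu\n", blksize_opt_len(1468));
    printf("legacy format keeps canary:  %d\n", canary_intact(1468, 1));
    printf("patched format keeps canary: %d\n", canary_intact(1468, 0));
    printf("bounded write, room 13: %d\n", put_blksize_opt(buf, 13, 1468));
    printf("bounded write, room 12: %d\n", put_blksize_opt(buf, 12, 1468));
    return 0;
}
```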