1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
|
From 9cf799c40738722001552618518279e9f0ef62e5 Mon Sep 17 00:00:00 2001
From: Simon Rettberg <simon.rettberg@rz.uni-freiburg.de>
Date: Wed, 10 Jan 2018 17:01:20 +0100
Subject: [PATCH] options.c: Proper fix for the read-past-end-of-array
This properly fixes what commit:b3e36dd tried to do.
CVE: CVE-2021-46671
Upstream-Status: Backport [https://github.com/madmartin/atftp/commit/9cf799c40738722001552618518279e9f0ef62e5.patch]
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
---
options.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/options.c b/options.c
index ee419c6..c716994 100644
--- a/options.c
+++ b/options.c
@@ -43,6 +43,12 @@ int opt_parse_request(char *data, int data_size, struct tftp_opt *options)
struct tftphdr *tftp_data = (struct tftphdr *)data;
size_t size = data_size - sizeof(tftp_data->th_opcode);
+ /* sanity check - requests always end in a null byte,
+ * check to prevent argz_next from reading past the end of
+ * data, as it doesn't do bounds checks */
+ if (data_size == 0 || data[data_size-1] != '\0')
+ return ERR;
+
/* read filename */
entry = argz_next(tftp_data->th_stuff, size, entry);
if (!entry)
@@ -79,6 +85,12 @@ int opt_parse_options(char *data, int data_size, struct tftp_opt *options)
struct tftphdr *tftp_data = (struct tftphdr *)data;
size_t size = data_size - sizeof(tftp_data->th_opcode);
+ /* sanity check - options always end in a null byte,
+ * check to prevent argz_next from reading past the end of
+ * data, as it doesn't do bounds checks */
+ if (data_size == 0 || data[data_size-1] != '\0')
+ return ERR;
+
while ((entry = argz_next(tftp_data->th_stuff, size, entry)))
{
tmp = entry;
--
2.17.1
|