File atftp-CVE-2021-46671.patch of Package atftp.22713

--- a/options.c
+++ b/options.c
@@ -42,6 +42,12 @@
      char *tmp;
      struct tftphdr *tftp_data = (struct tftphdr *)data;
      size_t size = data_size - sizeof(tftp_data->th_opcode);
+
+     /* sanity check - requests always end in a null byte,
+      * check to prevent argz_next from reading past the end of
+      * data, as it doesn't do bounds checks */
+     if (data_size == 0 || data[data_size-1] != '\0')
+          return ERR;
 
      /* read filename */
      entry = argz_next(tftp_data->th_stuff, size, entry);
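Review bot: The added guard rejects only `data_size == 0`, but `size` is computed just above it as `data_size - sizeof(tftp_data->th_opcode)`, so a buffer shorter than the opcode that ends in a null byte still passes and `size` wraps to a very large value before it reaches `argz_next`. Bound the length against the opcode size instead, e.g. `if (data_size < sizeof(tftp_data->th_opcode) || data[data_size-1] != '\0')`, and preferably compute `size` only after the check. The same guard is repeated in the second hunk, before the `while` loop, and needs the same change. The declaration of `data_size` is outside the hunk; if it is a signed type, a negative value should also be rejected explicitly, since `data[data_size-1]` would then index before the buffer. Callers may already enforce a minimum length, but that is not visible here.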
@@ -79,6 +85,12 @@
      struct tftphdr *tftp_data = (struct tftphdr *)data;
      size_t size = data_size - sizeof(tftp_data->th_opcode);
 
+     /* sanity check - options always end in a null byte,
+      * check to prevent argz_next from reading past the end of
+      * data, as it doesn't do bounds checks */
+     if (data_size == 0 || data[data_size-1] != '\0')
+          return ERR;
+
      while ((entry = argz_next(tftp_data->th_stuff, size, entry)))
      {
           tmp = entry;