]> git.dujemihanovic.xyz Git - u-boot.git/commitdiff
Fix TFTP OACK code for short packets.
authorWolfgang Denk <wd@denx.de>
Fri, 31 Aug 2007 08:01:51 +0000 (10:01 +0200)
committerWolfgang Denk <wd@denx.de>
Fri, 31 Aug 2007 08:01:51 +0000 (10:01 +0200)
The old code had a loop limit overflow bug which caused a semi-
infinite loop for small packets, because in "i<len-8", "i" was signed,
but "len" was unsigned, and "len-8" became a huge number for small
values of "len".

This is a workaround which replaces broken commit 8f1bc284.

Signed-off-by: Wolfgang Denk <wd@denx.de>
net/tftp.c

index fb2f50564e9d0bda8760c3cb6cfd047d54c65c76..5ee7676466925cafcdde9a8eee38f7a4b13282f5 100644 (file)
@@ -276,8 +276,12 @@ TftpHandler (uchar * pkt, unsigned dest, unsigned src, unsigned len)
 #endif
                TftpState = STATE_OACK;
                TftpServerPort = src;
-               /* Check for 'blksize' option */
-               for (i=0;i<len-8;i++) {
+               /*
+                * Check for 'blksize' option.
+                * Careful: "i" is signed, "len" is unsigned, thus
+                * something like "len-8" may give a *huge* number
+                */
+               for (i=0; i+8<len; i++) {
                        if (strcmp ((char*)pkt+i,"blksize") == 0) {
                                TftpBlkSize = (unsigned short)
                                        simple_strtoul((char*)pkt+i+8,NULL,10);