[riot-notifications] [RIOT-OS/RIOT] gnrc_tftp: Fix out-of-bounds memory access when comparing modes (#11737)

Sebastian Meiling notifications at github.com
Fri Jun 28 14:24:03 CEST 2019


smlng requested changes on this pull request.

I read in the RFC and found something

> @@ -1047,6 +1047,10 @@ int _tftp_decode_start(tftp_context_t *ctxt, uint8_t *buf, gnrc_pktsnip_t *outbu
 
     /* decode the TFTP transfer mode */
     for (uint32_t idx = 0; idx < ARRAY_LEN(_tftp_modes); ++idx) {
+        if (_tftp_modes[idx].len > (inpkt->size - sizeof(*hdr) - fnlen)) {
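
Review bot: On the added `if`, the expression `inpkt->size - sizeof(*hdr) - fnlen` is evaluated in unsigned arithmetic because `sizeof` yields `size_t`, so if `sizeof(*hdr) + fnlen` can exceed `inpkt->size` the result wraps to a very large value and the length check rejects nothing. Unless `fnlen` is already bounded by code outside the visible lines, consider writing the comparison without subtraction, for example `sizeof(*hdr) + fnlen + _tftp_modes[idx].len > inpkt->size`, and check whether the filename's terminating 0 byte has to be counted in that sum.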

According to the header format in the [RFC](https://tools.ietf.org/html/rfc1350#appendix-I), all strings are 0-terminated, so this can be simplified (and also be more readable) to:

```
if (_tftp_modes[idx].len > strlen(str_mode)) {
```

Do you agree?

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/RIOT-OS/RIOT/pull/11737#pullrequestreview-255737801
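
A bounds-checked decode of the mode field for the RRQ/WRQ layout in RFC 1350, in which neither 0 terminator is assumed to be present in the received bytes. This is an added example, not RIOT's gnrc_tftp code and not part of the review above; `tftp_parse_mode`, `bounded_len`, `mode_eq`, the enum and the sample packets are hypothetical names and constructed data.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical names. RFC 1350 RRQ/WRQ: opcode(2) | filename | 0 | mode | 0 */
typedef enum { MODE_INVALID = -1, MODE_NETASCII, MODE_OCTET, MODE_MAIL } tftp_mode_t;
static const char *const mode_names[] = { "netascii", "octet", "mail" };

/* Constructed sample packets, not captured traffic. */
static const uint8_t pkt_ok[] = { 0, 1, 'a', '.', 'b', 0, 'O', 'c', 't', 'e', 't', 0 };
static const uint8_t pkt_unterminated[] = { 0, 1, 'a', 0, 'o', 'c', 't', 'e', 't' };

/* Length of the string at p, or -1 if no 0 byte occurs within avail bytes. */
static long bounded_len(const uint8_t *p, size_t avail)
{
    const uint8_t *nul = memchr(p, 0, avail);
    return nul ? (long)(nul - p) : -1;
}

/* Case-insensitive match of n received bytes against a lowercase mode name. */
static int mode_eq(const uint8_t *s, const char *name, size_t n)
{
    size_t i = 0;
    while (i < n && tolower(s[i]) == (unsigned char)name[i]) {
        i++;
    }
    return i == n;
}

tftp_mode_t tftp_parse_mode(const uint8_t *pkt, size_t size)
{
    long fnlen = (size > 2) ? bounded_len(pkt + 2, size - 2) : -1;
    if (fnlen < 0) {
        return MODE_INVALID;              /* too short, or filename unterminated */
    }
    size_t off = 2 + (size_t)fnlen + 1;   /* terminator was found, so off <= size */
    long mlen = bounded_len(pkt + off, size - off);
    for (size_t i = 0; mlen > 0 && i < sizeof(mode_names) / sizeof(mode_names[0]); i++) {
        if ((size_t)mlen == strlen(mode_names[i]) && mode_eq(pkt + off, mode_names[i], (size_t)mlen)) {
            return (tftp_mode_t)i;
        }
    }
    return MODE_INVALID;                  /* unterminated, empty or unknown mode */
}

int main(void)
{
    return tftp_parse_mode(pkt_ok, sizeof(pkt_ok)) == MODE_OCTET ? 0 : 1;
}
```

The opcode is not validated here; the function only locates and decodes the mode string.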