diff options
author | Sascha Hauer <s.hauer@pengutronix.de> | 2012-10-23 10:14:20 +0200 |
---|---|---|
committer | Sascha Hauer <s.hauer@pengutronix.de> | 2012-10-24 09:57:51 +0200 |
commit | 975d6a0130758b32b07968f61b4c32a970af9cd9 (patch) | |
tree | 4f8f42996b4e7cc5377e1cef7583fc8f0c05e99f /fs | |
parent | d2606de353cc60b0c7a9db054bca991670ebc9b0 (diff) | |
download | barebox-975d6a0130758b32b07968f61b4c32a970af9cd9.tar.gz |
fs tftp: Fix possible fifo overflow
In tftp_read we send a request for a new packet without checking if we
have enough space in the FIFO. This can lead to a FIFO overflow and a
corrupt file. Add a check for it.
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Tested-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/tftp.c | 6 |
1 files changed, 5 insertions, 1 deletions
@@ -62,6 +62,7 @@ #define STATE_DONE 8 #define TFTP_BLOCK_SIZE 512 /* default TFTP block size */ +#define TFTP_FIFO_SIZE 4096 #define TFTP_ERR_RESEND 1 @@ -399,7 +400,7 @@ static struct file_priv *tftp_do_open(struct device_d *dev, priv->blocksize = TFTP_BLOCK_SIZE; priv->block_requested = -1; - priv->fifo = kfifo_alloc(4096); + priv->fifo = kfifo_alloc(TFTP_FIFO_SIZE); if (!priv->fifo) { ret = -ENOMEM; goto out; @@ -558,6 +559,9 @@ static int tftp_read(struct device_d *dev, FILE *f, void *buf, size_t insize) outsize += now; buf += now; insize -= now; + } + + if (TFTP_FIFO_SIZE - kfifo_len(priv->fifo) >= priv->blocksize) { tftp_send(priv); tftp_timer_reset(priv); } |