From 7830dc62c88e890ae8e5324793bbec407334626f Mon Sep 17 00:00:00 2001 From: Sascha Hauer Date: Wed, 15 Mar 2023 10:53:00 +0100 Subject: fs: tftp: Fix NULL pointer deref in file upload With TFTP upload the window cache is unused, but still freed in tftp_do_close(). To avoid iterating on the uninitialized list, initialize it unconditionally and not only for the download case. Fixes: 3f1ea0ffcf8b ("tftp: implement UDP reorder cache using lists") Link: https://lore.barebox.org/20230315095300.2914980-1-s.hauer@pengutronix.de Signed-off-by: Sascha Hauer --- fs/tftp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'fs') diff --git a/fs/tftp.c b/fs/tftp.c index a63b133caa..c6edc9969f 100644 --- a/fs/tftp.c +++ b/fs/tftp.c @@ -384,10 +384,10 @@ static int tftp_allocate_transfer(struct file_priv *priv) priv->fifo = NULL; goto err; } - } else { - INIT_LIST_HEAD(&priv->cache.blocks); } + INIT_LIST_HEAD(&priv->cache.blocks); + return 0; err: -- cgit v1.2.1
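Review bot: the new INIT_LIST_HEAD(&priv->cache.blocks) sits after the if/else block in tftp_allocate_transfer(), so the `goto err` just above it (the branch that sets priv->fifo = NULL) still leaves the function with priv->cache.blocks uninitialized. If tftp_do_close() can be reached for a priv whose allocation failed, it would walk the same uninitialized list that this patch fixes for the upload case. Consider moving the init to the top of the function, before the first `goto err`, so the list is valid on every exit path. A one-line comment there noting that tftp_do_close() frees the cache unconditionally would also explain why the init is not tied to the download branch.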