From 38319e0717844c32464a6c7630de9be226f1c6f4 Mon Sep 17 00:00:00 2001 From: Thomas Vegas <> Date: Sat, 31 Aug 2019 17:30:51 +0200 Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is received Reply-To: muislam@microsoft.com Fixes potential buffer overflow from 'recvfrom()', should the server return an OACK without blksize. Bug: https://curl.haxx.se/docs/CVE-2019-5482.html CVE: CVE-2019-5482 Upstream-Status: Backport Signed-off-by: Muminul Islam --- lib/tftp.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/lib/tftp.c b/lib/tftp.c index 064eef318..2c148e3e1 100644 --- a/lib/tftp.c +++ b/lib/tftp.c @@ -969,6 +969,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) { tftp_state_data_t *state; int blksize; + int need_blksize; blksize = TFTP_BLKSIZE_DEFAULT; @@ -983,15 +984,20 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) return CURLE_TFTP_ILLEGAL; } + need_blksize = blksize; + /* default size is the fallback when no OACK is received */ + if(need_blksize < TFTP_BLKSIZE_DEFAULT) + need_blksize = TFTP_BLKSIZE_DEFAULT; + if(!state->rpacket.data) { - state->rpacket.data = calloc(1, blksize + 2 + 2); + state->rpacket.data = calloc(1, need_blksize + 2 + 2); if(!state->rpacket.data) return CURLE_OUT_OF_MEMORY; } if(!state->spacket.data) { - state->spacket.data = calloc(1, blksize + 2 + 2); + state->spacket.data = calloc(1, need_blksize + 2 + 2); if(!state->spacket.data) return CURLE_OUT_OF_MEMORY; @@ -1005,7 +1011,7 @@ static CURLcode tftp_connect(struct connectdata *conn, bool *done) state->sockfd = state->conn->sock[FIRSTSOCKET]; state->state = TFTP_STATE_START; state->error = TFTP_ERR_NONE; - state->blksize = blksize; + state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */ state->requested_blksize = blksize; ((struct sockaddr *)&state->local_addr)->sa_family = -- 2.23.0