From facb0e4662415b5f28163e853dc6742ac5fafb3d Mon Sep 17 00:00:00 2001
From: Thomas Vegas <>
Date: Sat, 31 Aug 2019 17:30:51 +0200
Subject: [PATCH] tftp: Alloc maximum blksize, and use default unless OACK is
 received

Fixes potential buffer overflow from 'recvfrom()', should the server
return an OACK without blksize.

Bug: https://curl.haxx.se/docs/CVE-2019-5482.html
CVE-2019-5482

Upstream-Status: Backport
CVE: CVE-2019-5482

Signed-off-by: Armin Kuster <akuster@mvista.com>

---
 lib/tftp.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

Index: curl-7.64.1/lib/tftp.c
===================================================================
--- curl-7.64.1.orig/lib/tftp.c
+++ curl-7.64.1/lib/tftp.c
@@ -973,6 +973,7 @@ static CURLcode tftp_connect(struct conn
 {
   tftp_state_data_t *state;
   int blksize;
+  int need_blksize;
 
   blksize = TFTP_BLKSIZE_DEFAULT;
 
@@ -987,15 +988,20 @@ static CURLcode tftp_connect(struct conn
       return CURLE_TFTP_ILLEGAL;
   }
 
+  need_blksize = blksize;
+  /* default size is the fallback when no OACK is received */
+  if(need_blksize < TFTP_BLKSIZE_DEFAULT)
+    need_blksize = TFTP_BLKSIZE_DEFAULT;
+
   if(!state->rpacket.data) {
-    state->rpacket.data = calloc(1, blksize + 2 + 2);
+    state->rpacket.data = calloc(1, need_blksize + 2 + 2);
 
     if(!state->rpacket.data)
       return CURLE_OUT_OF_MEMORY;
   }
 
   if(!state->spacket.data) {
-    state->spacket.data = calloc(1, blksize + 2 + 2);
+    state->spacket.data = calloc(1, need_blksize + 2 + 2);
 
     if(!state->spacket.data)
       return CURLE_OUT_OF_MEMORY;
@@ -1009,7 +1015,7 @@ static CURLcode tftp_connect(struct conn
   state->sockfd = state->conn->sock[FIRSTSOCKET];
   state->state = TFTP_STATE_START;
   state->error = TFTP_ERR_NONE;
-  state->blksize = blksize;
+  state->blksize = TFTP_BLKSIZE_DEFAULT; /* Unless updated by OACK response */
   state->requested_blksize = blksize;
 
   ((struct sockaddr *)&state->local_addr)->sa_family =