diff options
author | Wolfgang Denk <wd@denx.de> | 2007-08-31 10:01:51 +0200 |
---|---|---|
committer | Wolfgang Denk <wd@denx.de> | 2007-08-31 10:01:51 +0200 |
commit | 60174746c668b309378a91488dded898e9553eae (patch) | |
tree | fe5a75a822a2dc269ba8b927b0c681126ead93d9 /net | |
parent | ff13ac8c7bbebb238e339592de765c546dba1073 (diff) |
Fix TFTP OACK code for short packets.
The old code had a loop limit overflow bug which caused a semi-
infinite loop for small packets, because in "i<len-8", "i" was signed,
but "len" was unsigned, and "len-8" became a huge number for small
values of "len".
This is a workaround which replaces broken commit 8f1bc284.
Signed-off-by: Wolfgang Denk <wd@denx.de>
Diffstat (limited to 'net')
-rw-r--r-- | net/tftp.c | 8 |
1 files changed, 6 insertions, 2 deletions
diff --git a/net/tftp.c b/net/tftp.c index fb2f50564e..5ee7676466 100644 --- a/net/tftp.c +++ b/net/tftp.c @@ -276,8 +276,12 @@ TftpHandler (uchar * pkt, unsigned dest, unsigned src, unsigned len) #endif TftpState = STATE_OACK; TftpServerPort = src; - /* Check for 'blksize' option */ - for (i=0;i<len-8;i++) { + /* + * Check for 'blksize' option. + * Careful: "i" is signed, "len" is unsigned, thus + * something like "len-8" may give a *huge* number + */ + for (i=0; i+8<len; i++) { if (strcmp ((char*)pkt+i,"blksize") == 0) { TftpBlkSize = (unsigned short) simple_strtoul((char*)pkt+i+8,NULL,10); |