[PATCH 4/4] fs: tftp: use bounded format for TFTP error message debug print
Sascha Hauer
s.hauer at pengutronix.de
Thu Apr 2 00:21:22 PDT 2026
The pr_debug for TFTP_ERROR uses %s to print the server's error
message, but the message may not be null-terminated. This causes
pr_debug to read past the packet data into uninitialized buffer
memory.
Use %.*s with the remaining packet length to bound the read. This
is only relevant in debug builds but is still worth fixing for
correctness.
Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply at anthropic.com>
---
fs/tftp.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/tftp.c b/fs/tftp.c
index 6dd4829184..8f01754fc0 100644
--- a/fs/tftp.c
+++ b/fs/tftp.c
@@ -631,7 +631,9 @@ static void tftp_recv(struct file_priv *priv,
break;
case TFTP_ERROR:
- pr_debug("error: '%s' (%d)\n", pkt + 2, ntohs(*(uint16_t *)pkt));
+ pr_debug("error: '%.*s' (%d)\n",
+ len > 2 ? len - 2 : 0, pkt + 2,
+ ntohs(*(uint16_t *)pkt));
switch (ntohs(*(uint16_t *)pkt)) {
case 1:
priv->err = -ENOENT;
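Review bot: the `len > 2 ? len - 2 : 0` guard added to the pr_debug arguments allows for `len` being 2 or less, but `ntohs(*(uint16_t *)pkt)` is still dereferenced unconditionally, both in the pr_debug and in the `switch` right after it. If `len` can be below 2 here, the error code itself is read from beyond the received data, which is the same class of over-read this patch fixes for the message. Consider rejecting a too-short TFTP_ERROR packet before decoding anything, and reading the code once into a local used by both the debug print and the `switch`. Separately, `%.*s` takes its precision as an `int`; the declaration of `len` is not visible in this hunk, so if it is an unsigned or wider type the ternary should be cast, e.g. `(int)(len > 2 ? len - 2 : 0)`.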
--
2.47.3