[PATCH 3/4] fs: tftp: reject OACK with blocksize of zero
Sascha Hauer
s.hauer at pengutronix.de
Thu Apr 2 00:21:21 PDT 2026
tftp_parse_oack() validates that windowsize is non-zero but does not
check blocksize. A malicious TFTP server sending 'blksize\0000\0' in
the OACK sets priv->blocksize to 0, which causes:
- kfifo_alloc(0 * ...) allocating a zero-sized fifo
- tftp_write() entering an infinite loop on
'while (kfifo_len(fifo) >= 0)', spinning on kfifo_get with size 0
- tftp_put_data() rejecting all data packets as oversized
Add blocksize == 0 to the existing OACK validation check.
Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply at anthropic.com>
---
fs/tftp.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/tftp.c b/fs/tftp.c
index 03e9d552aa..6dd4829184 100644
--- a/fs/tftp.c
+++ b/fs/tftp.c
@@ -382,7 +382,8 @@ static int tftp_parse_oack(struct file_priv *priv, unsigned char *pkt, int len)
s = val + strlen(val) + 1;
}
- if (priv->blocksize > TFTP_MTU_SIZE ||
+ if (priv->blocksize == 0 ||
+ priv->blocksize > TFTP_MTU_SIZE ||
priv->windowsize > TFTP_MAX_WINDOW_SIZE ||
priv->windowsize == 0) {
pr_warn("tftp: invalid oack response\n");
--
2.47.3
More information about the barebox
mailing list