[PATCH 3/4] fs: tftp: reject OACK with blocksize of zero
Ahmad Fatoum
a.fatoum at pengutronix.de
Fri Apr 17 02:32:41 PDT 2026
Hi,
On 4/2/26 9:21 AM, Sascha Hauer wrote:
> tftp_parse_oack() validates that windowsize is non-zero but does not
> check blocksize. A malicious TFTP server sending 'blksize\0000\0' in
> the OACK sets priv->blocksize to 0, which causes:
>
> - kfifo_alloc(0 * ...) allocating a zero-sized fifo
> - tftp_write() entering an infinite loop on
> 'while (kfifo_len(fifo) >= 0)', spinning on kfifo_get with size 0
> - tftp_put_data() rejecting all data packets as oversized
>
> Add blocksize == 0 to the existing OACK validation check.
>
> Signed-off-by: Sascha Hauer <s.hauer at pengutronix.de>
> Co-Authored-By: Claude Opus 4.6 (1M context) <noreply at anthropic.com>
Reviewed-by: Ahmad Fatoum <a.fatoum at pengutronix.de>
> ---
> fs/tftp.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/tftp.c b/fs/tftp.c
> index 03e9d552aa..6dd4829184 100644
> --- a/fs/tftp.c
> +++ b/fs/tftp.c
> @@ -382,7 +382,8 @@ static int tftp_parse_oack(struct file_priv *priv, unsigned char *pkt, int len)
> s = val + strlen(val) + 1;
> }
>
> - if (priv->blocksize > TFTP_MTU_SIZE ||
> + if (priv->blocksize == 0 ||
> + priv->blocksize > TFTP_MTU_SIZE ||
> priv->windowsize > TFTP_MAX_WINDOW_SIZE ||
> priv->windowsize == 0) {
> pr_warn("tftp: invalid oack response\n");
>
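Review bot: the new `priv->blocksize == 0` test in the validation condition rejects only zero, so an OACK carrying a blksize of 1 to 7 still passes, although RFC 2348 defines the valid range as 8 to 65464 octets. Consider checking against that lower bound (for example `priv->blocksize < 8`, ideally through a named minimum) rather than `== 0`. As a smaller point, the condition now covers four distinct failures while `pr_warn("tftp: invalid oack response\n")` reports none of the values; printing the received blocksize and windowsize would make a misbehaving server easier to identify from the log.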
--
Pengutronix e.K. | |
Steuerwalder Str. 21 | http://www.pengutronix.de/ |
31137 Hildesheim, Germany | Phone: +49-5121-206917-0 |
Amtsgericht Hildesheim, HRA 2686 | Fax: +49-5121-206917-5555 |