These packets are valid in certain points of the transfer only and accepting them too early or too late can corrupt internal states.
Reject them when they are unexpected. Signed-off-by: Enrico Scholz <[email protected]> --- fs/tftp.c | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/fs/tftp.c b/fs/tftp.c index 610483d23c40..fb6c368b3a64 100644 --- a/fs/tftp.c +++ b/fs/tftp.c @@ -690,6 +690,12 @@ static void tftp_recv(struct file_priv *priv, break; case TFTP_OACK: + if (priv->state != STATE_RRQ && priv->state != STATE_WRQ) { + pr_warn("OACK packet in %s state\n", + tftp_states[priv->state]); + break; + } + priv->tftp_con->udp->uh_dport = uh_sport; if (tftp_parse_oack(priv, pkt, len) < 0) { @@ -713,6 +719,12 @@ static void tftp_recv(struct file_priv *priv, tftp_window_cache_reset(&priv->cache); } + if (priv->state != STATE_RDATA) { + pr_warn("DATA packet in %s state\n", + tftp_states[priv->state]); + break; + } + tftp_handle_data(priv, block, pkt + 2, len); break; -- 2.37.2
