On 1/9/26 16:56, Andrew Goodbody wrote:
sprintf will add a trailing \0 so manually adding a trailing \0 will
result in an extra, unaccounted-for character being written. This
overwrote the first byte of the following allocation block resulting in
unexpected behaviour.

behavior

I think it would also be good to say how that issue was found.
That calling pxe get multiple times was the first symptom, which was able to get the bootloader stuck.


Fixes: 27d7ccda94fa ("net: lwip: tftp: add support of blksize option to client")

Jerome's original patch wasn't merged upstream. Do you have any plan to send v3
of it?

https://savannah.nongnu.org/patch/index.php?10462


Signed-off-by: Andrew Goodbody <[email protected]>
---
  lib/lwip/lwip/src/apps/tftp/tftp.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/lwip/lwip/src/apps/tftp/tftp.c 
b/lib/lwip/lwip/src/apps/tftp/tftp.c
index 
ecb6c55ae1100779187e7b138d098a0ef1e48ca1..25da952e92566cbca1c64bc89c89102e74d0a42c
 100644
--- a/lib/lwip/lwip/src/apps/tftp/tftp.c
+++ b/lib/lwip/lwip/src/apps/tftp/tftp.c
@@ -191,7 +191,7 @@ send_request(const ip_addr_t *addr, u16_t port, u16_t 
opcode, const char* fname,
    MEMCPY(payload+2,              fname, fname_length);
    MEMCPY(payload+2+fname_length, mode,  mode_length);
    if (tftp_state.blksize)
-    sprintf(payload+2+fname_length+mode_length, "blksize%c%d%c", 0, 
tftp_state.blksize, 0);
+    sprintf(payload+2+fname_length+mode_length, "blksize%c%d", 0, 
tftp_state.blksize);
tftp_state.wait_oack = true;
    ret = udp_sendto(tftp_state.upcb, p, addr, port);
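Review bot: dropping the explicit terminator is the right fix for the one-byte overrun, but the write at payload+2+fname_length+mode_length is still an unbounded sprintf into the pbuf, so the size used to allocate the buffer and the bytes this format string produces are coupled only by convention. Since the bug was exactly that kind of mismatch, consider bounding it with snprintf against the remaining payload length, or asserting that the allocation accounts for "blksize" plus its two NULs, so a later change to the format string cannot silently overrun again. The commit message could also record the symptom that surfaced the overwrite (repeated pxe get calls getting the bootloader stuck), as raised above.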

---
base-commit: c05dba22f1f2b0b2655ee3971644acf1936cd07a
change-id: 20260109-tftp_fix-3ab9bd66a6ad

Best regards,


With the above commit message fix, feel free to add
Reported-by: Michal Simek <[email protected]>
Tested-by: Michal Simek <[email protected]>

Thanks,
Michal
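As an added illustration of the byte accounting behind this fix (example code written for this thread, not from the lwIP or U-Boot tree; the function names are invented), here is a request encoder where the option's terminating NUL is counted exactly once, plus a helper showing that the old format string emitted one byte more than the option's wire size:

```c
/* Added example: encode a TFTP RRQ/WRQ with an optional RFC 2347
 * "blksize" option, keeping the length computation and the write in
 * agreement so the NUL that snprintf appends is never written twice. */
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#include <stddef.h>

/* Bytes the request occupies on the wire: 2 opcode bytes, fname + NUL,
 * mode + NUL, and if blksize != 0, "blksize" NUL <decimal> NUL. */
size_t tftp_request_len(const char *fname, const char *mode, unsigned blksize)
{
    size_t len = 2 + strlen(fname) + 1 + strlen(mode) + 1;
    if (blksize)  /* %c with 0 is the separator NUL; +1 is the terminator */
        len += (size_t)snprintf(NULL, 0, "blksize%c%u", 0, blksize) + 1;
    return len;
}

/* Bytes the original "blksize%c%d%c" format wrote, including the
 * implicit terminator: always one more than the option's wire size. */
size_t old_format_bytes_written(unsigned blksize)
{
    return (size_t)snprintf(NULL, 0, "blksize%c%u%c", 0, blksize, 0) + 1;
}

/* Encode into buf; returns bytes used, or 0 if buf is too small. */
size_t tftp_encode_request(uint8_t *buf, size_t buflen, uint16_t opcode,
                           const char *fname, const char *mode, unsigned blksize)
{
    size_t need = tftp_request_len(fname, mode, blksize);
    size_t fl = strlen(fname), ml = strlen(mode), pos;

    if (buflen < need)
        return 0;
    buf[0] = (uint8_t)(opcode >> 8);
    buf[1] = (uint8_t)opcode;
    memcpy(buf + 2, fname, fl + 1);          /* copies the NUL as well */
    memcpy(buf + 2 + fl + 1, mode, ml + 1);
    pos = 2 + fl + 1 + ml + 1;
    if (blksize) {
        /* snprintf writes the option's terminating NUL itself and is
         * bounded by what is left in buf, so a size mismatch fails
         * loudly instead of overwriting the next allocation. */
        int n = snprintf((char *)(buf + pos), buflen - pos, "blksize%c%u", 0, blksize);
        if (n < 0 || (size_t)n + 1 > buflen - pos)
            return 0;
        pos += (size_t)n + 1;
    }
    return pos;  /* equals need */
}
```

With a constructed request for "boot.img" in octet mode and blksize 1468, the option occupies 13 bytes on the wire while the old format string wrote 14.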
