On Thu, Oct 19, 2017 at 08:58:12PM +0200, Jan Klemkow wrote:
>
> Index: tftpd.c
> ===================================================================
> RCS file: /mount/openbsd/cvs/src/usr.sbin/tftpd/tftpd.c,v
> retrieving revision 1.39
> diff -u -p -r1.39 tftpd.c
> --- tftpd.c 26 May 2017 17:38:46 -0000 1.39
> +++ tftpd.c 19 Oct 2017 18:27:24 -0000
> @@ -903,8 +903,17 @@ again:
>
> if (rwmap != NULL)
> rewrite_map(client, filename);
> - else
> - tftp_open(client, filename);
> + else {
> + char nfilename[PATH_MAX];
> +
> + snprintf(nfilename, sizeof nfilename, "%s/%s",
> + getip(&client->ss), filename);
- filename has PATH_MAX length
- getip(&client->ss) could have NI_MAXHOST length
so nfilename could be larger than PATH_MAX (sizeof nfilename).
I assume the return of snprintf() needs to be checked. If truncation
occurred, a warning should be issued and nfilename discarded (just
calling tftp_open(client, filename))?
> +
> + if (access(nfilename, R_OK) == 0)
> + tftp_open(client, nfilename);
> + else
> + tftp_open(client, filename);
> + }
>
> return;
>
>
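Review bot: in the new else branch, access(nfilename, R_OK) and the following tftp_open(client, nfilename) are two separate lookups of the same path, so the file can be replaced or removed between the check and the use. Any access() failure, not only a missing file, also falls back silently to the shared filename. Consider trying the per-client path directly and falling back to filename only when the failure is ENOENT. The snprintf() return value is unused as well: compare it against sizeof nfilename and skip the per-client path when it is negative or not smaller than that size, so a truncated name never reaches access().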
thanks
--
Sebastien Marie