Hi Rasmus,

On Fri, Oct 14, 2022 at 2:44 PM Rasmus Villemoes <rasmus.villem...@prevas.dk> wrote:
>
> tl;dr: b85d130ea0ca didn't fix the CVE(s), but did break tftp of
> certain file sizes - which is somewhat lucky, since that's how I
> noticed in the first place.
>
> What I at first hoped would be a one-liner trivial fix turned out to
> be much more complicated and led me down a rabbit hole of related
> fixes. And this isn't even complete, I'm afraid. Details in 3/6.
>
> 1 and 4 are independent of all the others. 5 is a trivial preparation
> for 6; otherwise those are also independent of the others. Finally, 2
> and 3 are my attempts at actually fixing CVE-2022-{30790,30552}, with
> 2 essentially lifting the "ensure the payload has non-negative size"
> to the first place we can check that instead of relying on that check
> to happen in several places.
Thanks for the fix:

Reviewed-by: Fabio Estevam <feste...@denx.de>
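Added illustration, not code from U-Boot or from this patch series: the kind of "payload has non-negative size" check the cover letter describes, done once at the first point where both the IP header length and the Total Length field are known, so that no later code can compute `total - header` on values where that subtraction wraps. The header layout is plain IPv4; the function names, the fixed 128-byte buffer and the test packets are constructed for this example and are assumptions, not anything from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IPV4_MIN_HDR 20u   /* fixed IPv4 header, IHL = 5 words */

/*
 * Compute the IPv4 payload length of a received packet, or return -1 if
 * the packet must be dropped.  Every length field is validated here, once,
 * so later code can subtract header length from Total Length without any
 * risk of unsigned wrap-around.
 *
 *   pkt     - bytes as received from the wire
 *   pkt_len - number of bytes actually received (the only trusted length)
 */
static int ip_payload_len(const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < IPV4_MIN_HDR)
        return -1;                          /* not even a full fixed header */

    unsigned version = pkt[0] >> 4;
    unsigned ihl     = (pkt[0] & 0x0f) * 4u;              /* header bytes */
    unsigned tot_len = ((unsigned)pkt[2] << 8) | pkt[3];  /* big-endian */

    if (version != 4)
        return -1;
    if (ihl < IPV4_MIN_HDR)
        return -1;                          /* IHL < 5 is malformed */
    if (tot_len > pkt_len)
        return -1;                          /* header claims more than arrived */
    if (tot_len < ihl)
        return -1;                          /* tot_len - ihl would wrap */

    return (int)(tot_len - ihl);            /* guaranteed >= 0 here */
}

/*
 * Build a constructed test packet (example input, not captured traffic):
 * version 4, the given IHL in 32-bit words and Total Length field, zero
 * padded to wire_len bytes.  Returns what ip_payload_len() decides.
 */
static int check_case(unsigned ihl_words, unsigned tot_len, size_t wire_len)
{
    uint8_t buf[128];                       /* assumed upper bound for the demo */

    if (wire_len > sizeof(buf))
        return -1;
    memset(buf, 0, sizeof(buf));
    buf[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));
    buf[2] = (uint8_t)(tot_len >> 8);
    buf[3] = (uint8_t)(tot_len & 0xff);
    return ip_payload_len(buf, wire_len);
}

int main(void)
{
    printf("20-byte header, 20 bytes payload:   %d\n", check_case(5, 40, 40));
    printf("IHL=6 with tot_len=24 (no payload): %d\n", check_case(6, 24, 24));
    printf("tot_len smaller than header:        %d\n", check_case(5, 10, 40));
    printf("tot_len larger than bytes received: %d\n", check_case(5, 60, 40));
    printf("truncated header:                   %d\n", check_case(5, 40, 12));
    return 0;
}
```

The design point is the order of the checks: `tot_len` is compared against the trusted `pkt_len` before it is used for anything, and `tot_len < ihl` is rejected explicitly rather than relying on a signed cast somewhere downstream to notice a "negative" payload. Any consumer (fragment reassembly, UDP, TFTP) then only ever sees a payload length that is both non-negative and within the bytes actually received.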