In tftp_read we send a request for a new packet without checking if we have enough space in the FIFO. This can lead to a FIFO overflow and a corrupt file. Add a check for it. Signed-off-by: Sascha Hauer <s.hauer@xxxxxxxxxxxxxx> Reported-by: Uwe Kleine-König <u.kleine-koenig@xxxxxxxxxxxxxx> Tested-by: Uwe Kleine-König <u.kleine-koenig@xxxxxxxxxxxxxx> --- fs/tftp.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/tftp.c b/fs/tftp.c index d89272e..dff41e9 100644 --- a/fs/tftp.c +++ b/fs/tftp.c @@ -62,6 +62,7 @@ #define STATE_DONE 8 #define TFTP_BLOCK_SIZE 512 /* default TFTP block size */ +#define TFTP_FIFO_SIZE 4096 #define TFTP_ERR_RESEND 1 @@ -399,7 +400,7 @@ static struct file_priv *tftp_do_open(struct device_d *dev, priv->blocksize = TFTP_BLOCK_SIZE; priv->block_requested = -1; - priv->fifo = kfifo_alloc(4096); + priv->fifo = kfifo_alloc(TFTP_FIFO_SIZE); if (!priv->fifo) { ret = -ENOMEM; goto out; @@ -558,6 +559,9 @@ static int tftp_read(struct device_d *dev, FILE *f, void *buf, size_t insize) outsize += now; buf += now; insize -= now; + } + + if (TFTP_FIFO_SIZE - kfifo_len(priv->fifo) >= priv->blocksize) { tftp_send(priv); tftp_timer_reset(priv); } -- 1.7.10.4 _______________________________________________ barebox mailing list barebox@xxxxxxxxxxxxxxxxxxx http://lists.infradead.org/mailman/listinfo/barebox
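Review bot: The new TFTP_FIFO_SIZE define in the first hunk (@@ -62,6 +62,7 @@) carries no comment, unlike TFTP_BLOCK_SIZE directly above it, and nothing records how the two relate. Since the check added in tftp_read depends on the FIFO holding at least one block of priv->blocksize bytes, a short comment on the define stating that requirement (4096 is eight default 512-byte blocks) would keep a later change to either value from silently breaking the check.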
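Review bot: In the tftp_read hunk (@@ -558,6 +559,9 @@), the condition "TFTP_FIFO_SIZE - kfifo_len(priv->fifo) >= priv->blocksize" can never be true if priv->blocksize is larger than TFTP_FIFO_SIZE, in which case no further request is sent and the transfer stalls. The visible code only shows priv->blocksize being initialised to TFTP_BLOCK_SIZE in tftp_do_open; if it can be changed afterwards, reject or clamp values above TFTP_FIFO_SIZE at the point where it is set. Moving the closing brace up also means tftp_send() and tftp_timer_reset() now run outside the preceding block, so please confirm that a tftp_read call which copied nothing out of the FIFO does not re-request a block that is already outstanding.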