These packets are valid in certain points of the transfer only and
accepting them too early or too late can corrupt internal states.
Reject them when they are unexpected.
Signed-off-by: Enrico Scholz <enrico.scholz@xxxxxxxxxxxxxxxxx>
---
fs/tftp.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/fs/tftp.c b/fs/tftp.c
index a9cc0ff3b118..2bffae2bf36e 100644
--- a/fs/tftp.c
+++ b/fs/tftp.c
@@ -713,6 +713,12 @@ static void tftp_recv(struct file_priv *priv,
break;
case TFTP_OACK:
+ if (priv->state != STATE_RRQ && priv->state != STATE_WRQ) {
+ pr_warn("OACK packet in %s state\n",
+ tftp_states[priv->state]);
+ break;
+ }
+
priv->tftp_con->udp->uh_dport = uh_sport;
if (tftp_parse_oack(priv, pkt, len) < 0) {
@@ -741,6 +747,12 @@ static void tftp_recv(struct file_priv *priv,
break;
}
+ if (priv->state != STATE_RDATA) {
+ pr_warn("DATA packet in %s state\n",
+ tftp_states[priv->state]);
+ break;
+ }
+
tftp_handle_data(priv, block, pkt + 2, len);
break;
--
2.37.2
