tftp: check tftp_input buffer size

Fixes: CVE-2021-3595
Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46



Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

src/tftp.c

@@ -446,7 +446,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
 
 void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
 {
-    struct tftp_t *tp = (struct tftp_t *)m->m_data;
+    struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
+
+    if (tp == NULL) {
+        return;
+    }
 
     switch (ntohs(tp->tp_op)) {
     case TFTP_RRQ: