tftp: check tftp_input buffer size

Fixes: CVE-2021-3595 Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>

tftp: check tftp_input buffer size
Fixes: CVE-2021-3595 Fixes: https://gitlab.freedesktop.org/slirp/libslirp/-/issues/46 Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com>
3f179481 · Marc-André Lureau · de71c15d · 3f179481
Commit 3f179481 authored Jun 04, 2021 by Marc-André Lureau
Hide whitespace changes
Inline Side-by-side

Showing with 5 additions and 1 deletion

src/tftp.c src/tftp.c +5 -1

No files found.
--- a/src/tftp.c
+++ b/src/tftp.c
@@ -446,7 +446,11 @@ static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,

 void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
 {
-    struct tftp_t *tp = (struct tftp_t *)m->m_data;
+    struct tftp_t *tp = mtod_check(m, offsetof(struct tftp_t, x.tp_buf));
+
+    if (tp == NULL) {
+        return;
+    }

    switch (ntohs(tp->tp_op)) {
    case TFTP_RRQ: