[Dnsmasq-discuss] [PATCH] Fix off-by-2 of end pointer in the tftp server

Helge Deller deller at gmx.de
Sat Jun 22 21:01:48 UTC 2024


There is an off-by-2 in the tftp code, since the "end" variable
is actually pointing to the second last byte of a received package,
instead of the first byte after the package.

The problem can be seen with the following package which is sent
by a few of my UNIX machines:

76 6d 6c 69 6e 75 78 00 6f 63 74 65 74 00 12 74 10 3c 00 00 00 00 00 01 a9 24 00 00 00 00 00 00 1e 38 00 00 00 00 00 00 1c a0 00 00 00 00 00 00 1d 08 00 00 00 00 00 00 1d 28 00 00 00 00 00 00 08 00 00 00 00 00 00 00 03 d8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1d 30 00 00 00 02 ff e0 00 00 00 00 03 60 a8 49 55 93 00 00 00 01 f0 d4 21 e4 00 00 00 00 00 00 1d 78 00 00 00 f0 f0 d8 51 38 00 00 00 f0 f0 d4 21 c0 00 00 00 00 00 00 00 00 00 00 00 00 00 01 aa b8 00 00 00 f0 f0 e9 62 7c 00 00 00 00 00 00 03 01 ff ff ff ff ff ff 03 00 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 04 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff 00 00 00 00 00 00 00 05 00 00 00 00 00 00 1e 38 00 00 00 00 00 00 00 60 00 00 00 00 00 01 a6 68 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 ff 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 f0 f0 d8 4f 30 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 01 ae ec 00 00 00 00 00 00 1f 70 00 00 00 00 00 00 1e b8 00 00 03 60 a8 49 55 93 00 00 00 02 18 71 1a 00 00 00 00 00 00 00 00 03 00 00 00 00 00 00 00 03 00 00 00 00 00 00 1e 38 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 00 00 00 00 f0 f0 d2 f0 70 00 00 00 00 00 00 1f c0 00 00 00 f0 f0 d4 0b e8 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 60 ff ff ff fc 00 60 18 00 00 00 00 00 00 00 00 00 00 00 00 f0 f0 d8 8f d0 00 00 00 00 00 00 1f f8 00 00 00 00 00 00 00 00 00 00 00 f0 f0 d8 8d b8 00 00 00 00 00 00 1e e8 00 00

dnsmasq fails to extract the "filename" from this package and thus
reports "unsupported request from IP.x.y.z".
It fails to detect "filename", because it checks the char pointed to at
"*(end-1)" which is in the above example 0xe8 (3rd last byte) instead
of the last byte "00".

I did report this bug here as well: 
https://bugzilla.redhat.com/show_bug.cgi?id=2293793

The patch below fixes the issue for me.

Signed-off-by: Helge Deller <deller at gmx.de>


diff -up ./src/tftp.c.org ./src/tftp.c
--- ./src/tftp.c.org	2024-06-22 19:40:37.409316594 +0200
+++ ./src/tftp.c	2024-06-22 20:42:15.202330218 +0200
@@ -360,7 +360,7 @@ void tftp_request(struct listener *liste
     }
   
   p = packet + 2;
-  end = packet + len;
+  end = packet + 2 + len;
   
   if (ntohs(*((unsigned short *)packet)) != OP_RRQ ||
       !(filename = next(&p, end)) ||
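Review bot: `end = packet + 2 + len` is only correct if `len` excludes the two opcode bytes, and the hunk does not show where `len` comes from. The line above, `p = packet + 2`, skips the opcode inside the same buffer, which reads as if `len` already covers the whole datagram; in that case the new `end` lands two bytes past the received data and `next(&p, end)` can scan beyond it, consuming bytes that are not part of this request instead of rejecting it. Please state in the commit message how `len` is derived (whether it is the raw recvmsg() return or a value with the opcode already subtracted), and note that the hex dump in the description starts at the filename, so it does not show whether the opcode is counted. If `len` really is two bytes short, correcting it where it is computed would keep `end = packet + len` as the single bound derived from the received length.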
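To show what the bound `end` is protecting, here is an added C example (not dnsmasq's code and not part of this patch) that parses a TFTP read request the same way: `end` is computed as `packet + len` with `len` taken as the full datagram length including the opcode, a `next_field()` helper walks NUL-terminated fields only inside `[p, end)`, and the sample datagram is constructed from the start of the hex dump above (opcode prepended, trailing bytes abridged). The function names, the sample bytes and the `OP_RRQ` value (1, per RFC 1350) are assumptions of this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define OP_RRQ 1   /* TFTP read request opcode (RFC 1350); assumed here, not taken from the patch */

/* Advance *p to the next NUL-terminated string inside [*p, end).
   Re-implementation for illustration; it plays the role of dnsmasq's next(). */
static const char *next_field(const char **p, const char *end)
{
    const char *ret = *p;

    while (*p < end && **p != 0)
        (*p)++;

    /* Reject an empty field, or a field that reaches end without its NUL:
       the terminator must lie inside the received data, never past it. */
    if (*p == end || *p == ret)
        return NULL;

    (*p)++;            /* step over the NUL */
    return ret;
}

/* Parse a TFTP RRQ. len is the full datagram length as recvmsg() returns it,
   opcode included, so packet + len is one past the last received byte.
   Returns the offset of the first byte after the mode string, or -1 if the
   request is malformed. */
int parse_rrq(const unsigned char *packet, size_t len,
              const char **filename, const char **mode)
{
    if (len < 2)
        return -1;

    uint16_t op = (uint16_t)((packet[0] << 8) | packet[1]);
    if (op != OP_RRQ)
        return -1;

    const char *p   = (const char *)packet + 2;   /* skip the opcode */
    const char *end = (const char *)packet + len; /* one past the datagram */

    if (!(*filename = next_field(&p, end)) || !(*mode = next_field(&p, end)))
        return -1;

    if (strcasecmp(*mode, "octet") != 0 && strcasecmp(*mode, "netascii") != 0)
        return -1;

    /* Whatever follows the mode (options, or the trailing bytes the firmware
       in the report appends) is left for the caller and not rejected. */
    return (int)(p - (const char *)packet);
}

/* Constructed sample: opcode + the first fields of the hex dump from the
   report, then a few of its trailing bytes (abridged). */
static const unsigned char sample_rrq[] = {
    0x00, 0x01,                                   /* opcode RRQ */
    'v', 'm', 'l', 'i', 'n', 'u', 'x', 0,         /* filename */
    'o', 'c', 't', 'e', 't', 0,                   /* mode */
    0x12, 0x74, 0x10, 0x3c, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x1e, 0xe8, 0x00, 0x00            /* ... ends like the dump */
};

int main(void)
{
    const char *fn, *mode;
    int off = parse_rrq(sample_rrq, sizeof sample_rrq, &fn, &mode);

    if (off < 0) {
        puts("unsupported request");
        return 1;
    }
    printf("filename=%s mode=%s, %zu trailing bytes ignored\n",
           fn, mode, sizeof sample_rrq - (size_t)off);
    return 0;
}
```

With the full datagram the parser yields `vmlinux` / `octet` and reports the trailing bytes as ignored; handing it a length that stops before the mode's terminating NUL makes it return -1 rather than read past the end, which is the behaviour the `end` bound exists to guarantee.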



