Commit 20c24bf24ddf91fd9ab5d827fdd0fe14397de412
Committed by
Anthony Liguori
Anthony Liguori
1 parent
ef2d54d8
slirp: tftp: Refactor tftp_handle_rrq
Specifically make the filename extraction more readable, and always report errors back to the client. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com> Signed-off-by: Anthony Liguori <aliguori@us.ibm.com>
Showing
1 changed file
with
21 additions
and
28 deletions
slirp/tftp.c
| @@ -27,7 +27,7 @@ | @@ -27,7 +27,7 @@ | ||
| 27 | 27 | ||
| 28 | struct tftp_session { | 28 | struct tftp_session { |
| 29 | int in_use; | 29 | int in_use; |
| 30 | - unsigned char filename[TFTP_FILENAME_MAX]; | 30 | + char filename[TFTP_FILENAME_MAX]; |
| 31 | 31 | ||
| 32 | struct in_addr client_ip; | 32 | struct in_addr client_ip; |
| 33 | u_int16_t client_port; | 33 | u_int16_t client_port; |
| @@ -273,8 +273,8 @@ static int tftp_send_data(struct tftp_session *spt, | @@ -273,8 +273,8 @@ static int tftp_send_data(struct tftp_session *spt, | ||
| 273 | static void tftp_handle_rrq(struct tftp_t *tp, int pktlen) | 273 | static void tftp_handle_rrq(struct tftp_t *tp, int pktlen) |
| 274 | { | 274 | { |
| 275 | struct tftp_session *spt; | 275 | struct tftp_session *spt; |
| 276 | - int s, k, n; | ||
| 277 | - u_int8_t *src, *dst; | 276 | + int s, k; |
| 277 | + char *req_fname; | ||
| 278 | 278 | ||
| 279 | s = tftp_session_allocate(tp); | 279 | s = tftp_session_allocate(tp); |
| 280 | 280 | ||
| @@ -290,37 +290,31 @@ static void tftp_handle_rrq(struct tftp_t *tp, int pktlen) | @@ -290,37 +290,31 @@ static void tftp_handle_rrq(struct tftp_t *tp, int pktlen) | ||
| 290 | return; | 290 | return; |
| 291 | } | 291 | } |
| 292 | 292 | ||
| 293 | - src = tp->x.tp_buf; | ||
| 294 | - dst = spt->filename; | ||
| 295 | - n = pktlen - ((uint8_t *)&tp->x.tp_buf[0] - (uint8_t *)tp); | 293 | + /* skip header fields */ |
| 294 | + k = 0; | ||
| 295 | + pktlen -= ((uint8_t *)&tp->x.tp_buf[0] - (uint8_t *)tp); | ||
| 296 | 296 | ||
| 297 | /* get name */ | 297 | /* get name */ |
| 298 | + req_fname = spt->filename; | ||
| 298 | 299 | ||
| 299 | - for (k = 0; k < n; k++) { | ||
| 300 | - if (k < TFTP_FILENAME_MAX) { | ||
| 301 | - dst[k] = src[k]; | ||
| 302 | - } | ||
| 303 | - else { | 300 | + while (1) { |
| 301 | + if (k >= TFTP_FILENAME_MAX || k >= pktlen) { | ||
| 302 | + tftp_send_error(spt, 2, "Access violation", tp); | ||
| 304 | return; | 303 | return; |
| 305 | } | 304 | } |
| 306 | - | ||
| 307 | - if (src[k] == '\0') { | 305 | + req_fname[k] = (char)tp->x.tp_buf[k]; |
| 306 | + if (req_fname[k++] == '\0') { | ||
| 308 | break; | 307 | break; |
| 309 | } | 308 | } |
| 310 | } | 309 | } |
| 311 | 310 | ||
| 312 | - if (k >= n) { | ||
| 313 | - return; | ||
| 314 | - } | ||
| 315 | - | ||
| 316 | - k++; | ||
| 317 | - | ||
| 318 | /* check mode */ | 311 | /* check mode */ |
| 319 | - if ((n - k) < 6) { | 312 | + if ((pktlen - k) < 6) { |
| 313 | + tftp_send_error(spt, 2, "Access violation", tp); | ||
| 320 | return; | 314 | return; |
| 321 | } | 315 | } |
| 322 | 316 | ||
| 323 | - if (memcmp(&src[k], "octet\0", 6) != 0) { | 317 | + if (memcmp(&tp->x.tp_buf[k], "octet\0", 6) != 0) { |
| 324 | tftp_send_error(spt, 4, "Unsupported transfer mode", tp); | 318 | tftp_send_error(spt, 4, "Unsupported transfer mode", tp); |
| 325 | return; | 319 | return; |
| 326 | } | 320 | } |
| @@ -337,29 +331,28 @@ static void tftp_handle_rrq(struct tftp_t *tp, int pktlen) | @@ -337,29 +331,28 @@ static void tftp_handle_rrq(struct tftp_t *tp, int pktlen) | ||
| 337 | } | 331 | } |
| 338 | 332 | ||
| 339 | /* check if the file exists */ | 333 | /* check if the file exists */ |
| 340 | - | ||
| 341 | - if (tftp_read_data(spt, 0, spt->filename, 0) < 0) { | 334 | + if (tftp_read_data(spt, 0, NULL, 0) < 0) { |
| 342 | tftp_send_error(spt, 1, "File not found", tp); | 335 | tftp_send_error(spt, 1, "File not found", tp); |
| 343 | return; | 336 | return; |
| 344 | } | 337 | } |
| 345 | 338 | ||
| 346 | - if (src[n - 1] != 0) { | 339 | + if (tp->x.tp_buf[pktlen - 1] != 0) { |
| 347 | tftp_send_error(spt, 2, "Access violation", tp); | 340 | tftp_send_error(spt, 2, "Access violation", tp); |
| 348 | return; | 341 | return; |
| 349 | } | 342 | } |
| 350 | 343 | ||
| 351 | - while (k < n) { | 344 | + while (k < pktlen) { |
| 352 | const char *key, *value; | 345 | const char *key, *value; |
| 353 | 346 | ||
| 354 | - key = (char *)src + k; | 347 | + key = (const char *)&tp->x.tp_buf[k]; |
| 355 | k += strlen(key) + 1; | 348 | k += strlen(key) + 1; |
| 356 | 349 | ||
| 357 | - if (k >= n) { | 350 | + if (k >= pktlen) { |
| 358 | tftp_send_error(spt, 2, "Access violation", tp); | 351 | tftp_send_error(spt, 2, "Access violation", tp); |
| 359 | return; | 352 | return; |
| 360 | } | 353 | } |
| 361 | 354 | ||
| 362 | - value = (char *)src + k; | 355 | + value = (const char *)&tp->x.tp_buf[k]; |
| 363 | k += strlen(value) + 1; | 356 | k += strlen(value) + 1; |
| 364 | 357 | ||
| 365 | if (strcmp(key, "tsize") == 0) { | 358 | if (strcmp(key, "tsize") == 0) { |