/slirp/tftp.c - Diff - qemu - Greek Research and Technology Network's projects

Revision b55266b5 slirp/tftp.c

         m->m_data += sizeof(struct udpiphdr);
         tp->tp_op = htons(TFTP_OACK);
         n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", key) + 1;
         n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", value) + 1;
         n += snprintf((char *)tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s",
                       key) + 1;
         n += snprintf((char *)tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u",
                       value) + 1;
         saddr.sin_addr = recv_tp->ip.ip_dst;
         saddr.sin_port = recv_tp->udp.uh_dport;
-...
       tp->tp_op = htons(TFTP_ERROR);
       tp->x.tp_error.tp_error_code = htons(errorcode);
       pstrcpy(tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg), msg);
       pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg), msg);
       saddr.sin_addr = recv_tp->ip.ip_dst;
       saddr.sin_port = recv_tp->udp.uh_dport;
-...
       /* do sanity checks on the filename */
       if ((spt->filename[0] != '/')
           || (spt->filename[strlen(spt->filename) - 1] == '/')
           ||  strstr(spt->filename, "/../")) {
           || (spt->filename[strlen((char *)spt->filename) - 1] == '/')
           ||  strstr((char *)spt->filename, "/../")) {
           tftp_send_error(spt, 2, "Access violation", tp);
           return;
+      }
-...
       while (k < n) {
           const char *key, *value;
           key = src + k;
           key = (char *)src + k;
           k += strlen(key) + 1;
           if (k >= n) {
-...
     	  return;
+          }
           value = src + k;
           value = (char *)src + k;
           k += strlen(value) + 1;
           if (strcmp(key, "tsize") == 0) {

Also available in: Unified diff

Archipelago » qemu

Revision b55266b5 slirp/tftp.c