flameeyes 12/07/08 17:42:00 |
|
Added: netkit-tftp-0.17-overflow.patch |
Log: |
Add a patch to fix the overflow reported in bug #425184. Probably still worth last-riting though. |
|
(Portage version: 2.2.0_alpha116/cvs/Linux x86_64) |
|
Revision Changes Path |
1.1 net-ftp/netkit-tftp/files/netkit-tftp-0.17-overflow.patch |
|
file : http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-ftp/netkit-tftp/files/netkit-tftp-0.17-overflow.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewvc.cgi/gentoo-x86/net-ftp/netkit-tftp/files/netkit-tftp-0.17-overflow.patch?rev=1.1&content-type=text/plain |
|
Index: netkit-tftp-0.17-overflow.patch |
=================================================================== |
Index: netkit-tftp-0.17/tftp/tftp.c |
=================================================================== |
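--- a/netkit-tftp-0.17/tftp/tftp.c
+++ b/netkit-tftp-0.17/tftp/tftp.c
@@ -56,6 +56,7 @@ char tftp_rcsid[] =
 #include <setjmp.h>
 #include <unistd.h>
 #include <string.h>
+#include <stddef.h>
 
 #include "tftpsubs.h"
 
@@ -78,7 +79,7 @@ static sigjmp_buf timeoutbuf;
 
 
 static int makerequest(int request, char *name,
- struct tftphdr *tp, char *mode);
+ char *hdr, char *mode);
 static void nak(int errnor);
 static void tpacket(const char *s, struct tftphdr *tp, int n);
 static void startclock(void);
@@ -126,7 +127,7 @@ sendfile(int fd, char *name, char *mode)
 mysignal(SIGALRM, timer);
 do {
 if (firsttrip) {
- size = makerequest(WRQ, name, dp, mode) - 4;
+ size = makerequest(WRQ, name, (char*)dp, mode) - 4;
 }
 else {
 /* size = read(fd, dp->th_data, SEGSIZE); */
@@ -238,7 +239,7 @@ recvfile(int fd, char *name, char *mode)
 mysignal(SIGALRM, timer);
 do {
 if (firsttrip) {
- size = makerequest(RRQ, name, ap, mode);
+ size = makerequest(RRQ, name, ackbuf, mode);
 firsttrip = 0;
 } else {
 ap->th_opcode = htons((u_short)ACK);
@@ -320,12 +321,13 @@ abort:
 }
 
 int
-makerequest(int request, char *name, struct tftphdr *tp, char *mode)
+makerequest(int request, char *name, char *hdr, char *mode)
 {
 register char *cp;
+ struct tftphdr *tp = (struct tftphdr*)hdr;
 
 tp->th_opcode = htons((u_short)request);
-cp = tp->th_stuff;
+ cp = hdr + offsetof(struct tftphdr, th_stuff);
 strcpy(cp, name);
 cp += strlen(name);
 *cp++ = '\0';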
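Review bot: `strcpy(cp, name);` in makerequest() is still an unbounded copy after this change, because the new `char *hdr` parameter carries no length. Deriving `cp` from `hdr + offsetof(struct tftphdr, th_stuff)` only changes which object the copy is measured against; it adds no check that `name` fits the packet buffer, so the patch appears to silence the reported overflow rather than bound the write. Neither call site (`(char*)dp` in sendfile, `ackbuf` in recvfile) shows its buffer size in these hunks, so the real capacity has to be confirmed there. I would pass the capacity in, e.g. `makerequest(int request, char *name, char *hdr, size_t hdrlen, char *mode)`, and reject oversized input before copying with `if (strlen(name) + strlen(mode) + 2 > hdrlen - offsetof(struct tftphdr, th_stuff)) return -1;`, with both callers checking for the error before using `size`. The rest of makerequest(), including the copy of `mode`, lies outside the hunk and needs the same bound.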