From owner-freebsd-bugs@FreeBSD.ORG  Thu May 28 19:50:14 2015
Return-Path: <owner-freebsd-bugs@FreeBSD.ORG>
Delivered-To: freebsd-bugs@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id F00F2ABF
 for <freebsd-bugs@FreeBSD.org>; Thu, 28 May 2015 19:50:14 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id DBC0AE87
 for <freebsd-bugs@FreeBSD.org>; Thu, 28 May 2015 19:50:14 +0000 (UTC)
 (envelope-from bugzilla-noreply@freebsd.org)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.14.9/8.14.9) with ESMTP id t4SJoEm6071902
 for <freebsd-bugs@FreeBSD.org>; Thu, 28 May 2015 19:50:14 GMT
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-bugs@FreeBSD.org
Subject: [Bug 200500] libstand/tftp.c recvtftp() is broken for large files
Date: Thu, 28 May 2015 19:50:15 +0000
X-Bugzilla-Reason: AssignedTo
X-Bugzilla-Type: new
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 11.0-CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: tsoome@me.com
X-Bugzilla-Status: New
X-Bugzilla-Priority: ---
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: bug_id short_desc product version rep_platform
 op_sys bug_status bug_severity priority component assigned_to reporter
Message-ID: <bug-200500-8@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-bugs@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Bug reports <freebsd-bugs.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-bugs/>
List-Post: <mailto:freebsd-bugs@freebsd.org>
List-Help: <mailto:freebsd-bugs-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-bugs>,
 <mailto:freebsd-bugs-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Thu, 28 May 2015 19:50:15 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=200500

            Bug ID: 200500
           Summary: libstand/tftp.c recvtftp() is broken for large files
           Product: Base System
           Version: 11.0-CURRENT
          Hardware: Any
                OS: Any
            Status: New
          Severity: Affects Only Me
          Priority: ---
         Component: kern
          Assignee: freebsd-bugs@FreeBSD.org
          Reporter: tsoome@me.com

The tftp th_block is unsigned short, but tftp code in libstand is tracking
transaction id's with struct iodesc field xid, which is long. In case of large
files, the transaction id will reset to 0 but current code will miss it as it
does compare short int with long int.

the fix is simple:

--- a/libstand/tftp.c
+++ b/libstand/tftp.c
@@ -200,7 +200,7 @@ recvtftp(struct tftp_handle *h, void *pkt, ssize_t len,
time_t tleft,
        case DATA: {
                int got;

-               if (htons(t->th_block) != d->xid) {
+               if (htons(t->th_block) != (u_short) d->xid) {
                        /*
                         * Expected block?
                         */

-- 
You are receiving this mail because:
You are the assignee for the bug.