Fix memory corruption in tftpd

... when filename remapping with macro \x is used Resolves: rhbz#2066858
2022-03-23 15:08:25 +01:00 · 2022-03-23 15:08:25 +01:00 · 895f4883d1
commit 895f4883d1
parent 2938160d14
2 changed files with 48 additions and 0 deletions
--- a/tftp-rewrite-macro.patch
+++ b/tftp-rewrite-macro.patch
@ -0,0 +1,44 @@
+Resolves: #1485943
+
+--- a/tftpd/tftpd.c       2017-08-28 09:12:11.681299000 +0200
+++ b/tftpd/tftpd.c       2017-08-28 13:30:03.109312000 +0200
+@@ -1388,24 +1388,25 @@
+             return strlen(p);
+ 
+     case 'x':
+-        if (output) {
+-            if (from.sa.sa_family == AF_INET) {
+        if (from.sa.sa_family == AF_INET) {
+            if (output) {
+                 sprintf(output, "%08lX",
+                     (unsigned long)ntohl(from.si.sin_addr.s_addr));
+-                l = 8;
+            }
+            l = 8;
+ #ifdef HAVE_IPV6
+-            } else {
+-                unsigned char *c = (unsigned char *)SOCKADDR_P(&from);
+-                p = tb;
+-                for (l = 0; l < 16; l++) {
+-                    sprintf(p, "%02X", *c);
+-                    c++;
+-                    p += 2;
+-                }
+        } else {
+            unsigned char *c = (unsigned char *)SOCKADDR_P(&from);
+            p = tb;
+            for (l = 0; l < 16; l++) {
+                sprintf(p, "%02X", *c);
+                c++;
+                p += 2;
+            }
+            if (output)
+                 strcpy(output, tb);
+-                l = strlen(tb);
+            l = strlen(tb);
+ #endif
+-            }
+         }
+         return l;
+ 
+
--- a/tftp.spec
+++ b/tftp.spec
@ -22,6 +22,7 @@ Patch8: tftp-hpa-5.2-pktinfo.patch
 Patch9: tftp-doc.patch
 Patch10: tftp-enhanced-logging.patch
 Patch11: tftp-hpa-5.2-gcc10.patch
+Patch12: tftp-rewrite-macro.patch

 BuildRequires: make
 BuildRequires:  gcc
@ -61,6 +62,7 @@ systemd socket activation, and is disabled by default.
 %patch9 -p1 -b .doc
 %patch10 -p1 -b .logging
 %patch11 -p1 -b .gcc10
+%patch12 -p1 -b .rewrite-macro

 %build
 autoreconf
@ -105,6 +107,8 @@ install -p -m 644 %SOURCE2 ${RPM_BUILD_ROOT}%{_unitdir}
 %changelog
 * Wed Mar 23 2022 Lukáš Zaoral <lzaoral@redhat.com> - 5.2-36
 - Fix inconsistent --map-file option spelling in manual (rhbz#2066855)
+- Fix memory corruption in tftpd when filename remapping with macro \x
+  is used (rhbz#2066858)

 * Thu Jan 27 2022 Lukáš Zaoral <lzaoral@redhat.com> - 5.2-35
 - Rebuilt for fixed gating.yaml. Related rhbz#2042975