From 895f4883d103078a5300897a4fa447a18f549cd8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Zaoral?=
Date: Wed, 23 Mar 2022 15:08:25 +0100
Subject: [PATCH] Fix memory corruption in tftpd ... when filename remapping with macro \x is used
Resolves: rhbz#2066858
---
 tftp-rewrite-macro.patch | 44 ++++++++++++++++++++++++++++++++++++++++
 tftp.spec | 4 ++++
 2 files changed, 48 insertions(+)
 create mode 100644 tftp-rewrite-macro.patch
diff --git a/tftp-rewrite-macro.patch b/tftp-rewrite-macro.patch
new file mode 100644
index 0000000..98b0874
--- /dev/null
+++ b/tftp-rewrite-macro.patch
@@ -0,0 +1,44 @@
+Resolves: #1485943
+
+--- a/tftpd/tftpd.c 2017-08-28 09:12:11.681299000 +0200
++++ b/tftpd/tftpd.c 2017-08-28 13:30:03.109312000 +0200
+@@ -1388,24 +1388,25 @@
+ return strlen(p);
+
+ case 'x':
+- if (output) {
+- if (from.sa.sa_family == AF_INET) {
++ if (from.sa.sa_family == AF_INET) {
++ if (output) {
+ sprintf(output, "%08lX",
+ (unsigned long)ntohl(from.si.sin_addr.s_addr));
+- l = 8;
++ }
++ l = 8;
+ #ifdef HAVE_IPV6
+- } else {
+- unsigned char *c = (unsigned char *)SOCKADDR_P(&from);
+- p = tb;
+- for (l = 0; l < 16; l++) {
+- sprintf(p, "%02X", *c);
+- c++;
+- p += 2;
+- }
++ } else {
++ unsigned char *c = (unsigned char *)SOCKADDR_P(&from);
++ p = tb;
++ for (l = 0; l < 16; l++) {
++ sprintf(p, "%02X", *c);
++ c++;
++ p += 2;
++ }
++ if (output)
+ strcpy(output, tb);
+- l = strlen(tb);
++ l = strlen(tb);
+ #endif
+- }
+ }
+ return l;
+
+
diff --git a/tftp.spec b/tftp.spec
index a7e5ee8..27d06ed 100644
--- a/tftp.spec
+++ b/tftp.spec
@@ -22,6 +22,7 @@ Patch8: tftp-hpa-5.2-pktinfo.patch
 Patch9: tftp-doc.patch
 Patch10: tftp-enhanced-logging.patch
 Patch11: tftp-hpa-5.2-gcc10.patch
+Patch12: tftp-rewrite-macro.patch
 BuildRequires: make
 BuildRequires: gcc
@@ -61,6 +62,7 @@ systemd socket activation, and is disabled by default.
 %patch9 -p1 -b .doc
 %patch10 -p1 -b .logging
 %patch11 -p1 -b .gcc10
+%patch12 -p1 -b .rewrite-macro
 %build
 autoreconf
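Review bot: In the rewritten `case 'x'` of tftp-rewrite-macro.patch the writes into `output` are still the unbounded `sprintf(output, "%08lX", ...)` and `strcpy(output, tb)`, so the buffer is only safe if the call with `output == NULL` returns the same `l` as the call that writes, which is presumably how the caller sizes it. That invariant is what this patch restores, and it deserves a comment above the case so it is not broken again, e.g. `/* l must not depend on output: the NULL-output pass is used to size the buffer */`. In the IPv6 branch the length is fixed by the loop, so `l = 32;` states it more directly than `l = strlen(tb);`. The declaration of `tb` and the initial value of `l` are outside the hunk: `tb` needs at least 33 bytes, and without `HAVE_IPV6` a non-`AF_INET` peer returns whatever `l` held before the switch, so both are worth confirming. The enclosing function begins and ends outside the hunk.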
@@ -105,6 +107,8 @@ install -p -m 644 %SOURCE2 ${RPM_BUILD_ROOT}%{_unitdir}
 %changelog
 * Wed Mar 23 2022 Lukáš Zaoral - 5.2-36
 - Fix inconsistent --map-file option spelling in manual (rhbz#2066855)
+- Fix memory corruption in tftpd when filename remapping with macro \x
+ is used (rhbz#2066858)
 * Thu Jan 27 2022 Lukáš Zaoral - 5.2-35
 - Rebuilt for fixed gating.yaml. Related rhbz#2042975