summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorWolfgang Denk <wd@denx.de>2007-08-31 10:01:51 +0200
committerWolfgang Denk <wd@denx.de>2007-08-31 10:01:51 +0200
commit60174746c668b309378a91488dded898e9553eae (patch)
treefe5a75a822a2dc269ba8b927b0c681126ead93d9
parentff13ac8c7bbebb238e339592de765c546dba1073 (diff)
downloadu-boot-imx-60174746c668b309378a91488dded898e9553eae.zip
u-boot-imx-60174746c668b309378a91488dded898e9553eae.tar.gz
u-boot-imx-60174746c668b309378a91488dded898e9553eae.tar.bz2
Fix TFTP OACK code for short packets.
The old code had a loop limit overflow bug which caused a semi- infinite loop for small packets, because in "i<len-8", "i" was signed, but "len" was unsigned, and "len-8" became a huge number for small values of "len". This is a workaround which replaces broken commit 8f1bc284. Signed-off-by: Wolfgang Denk <wd@denx.de>
-rw-r--r--net/tftp.c8
1 files changed, 6 insertions, 2 deletions
diff --git a/net/tftp.c b/net/tftp.c
index fb2f505..5ee7676 100644
--- a/net/tftp.c
+++ b/net/tftp.c
@@ -276,8 +276,12 @@ TftpHandler (uchar * pkt, unsigned dest, unsigned src, unsigned len)
#endif
TftpState = STATE_OACK;
TftpServerPort = src;
- /* Check for 'blksize' option */
- for (i=0;i<len-8;i++) {
+ /*
+ * Check for 'blksize' option.
+ * Careful: "i" is signed, "len" is unsigned, thus
+ * something like "len-8" may give a *huge* number
+ */
+ for (i=0; i+8<len; i++) {
if (strcmp ((char*)pkt+i,"blksize") == 0) {
TftpBlkSize = (unsigned short)
simple_strtoul((char*)pkt+i+8,NULL,10);