diff options
author | Wolfgang Denk <wd@denx.de> | 2007-08-31 10:01:51 +0200 |
---|---|---|
committer | Wolfgang Denk <wd@denx.de> | 2007-08-31 10:01:51 +0200 |
commit | 60174746c668b309378a91488dded898e9553eae (patch) | |
tree | fe5a75a822a2dc269ba8b927b0c681126ead93d9 | |
parent | ff13ac8c7bbebb238e339592de765c546dba1073 (diff) | |
download | u-boot-imx-60174746c668b309378a91488dded898e9553eae.zip u-boot-imx-60174746c668b309378a91488dded898e9553eae.tar.gz u-boot-imx-60174746c668b309378a91488dded898e9553eae.tar.bz2 |
Fix TFTP OACK code for short packets.
The old code had a loop limit overflow bug which caused a semi-
infinite loop for small packets, because in "i<len-8", "i" was signed,
but "len" was unsigned, and "len-8" became a huge number for small
values of "len".
This is a workaround which replaces broken commit 8f1bc284.
Signed-off-by: Wolfgang Denk <wd@denx.de>
-rw-r--r-- | net/tftp.c | 8 |
1 files changed, 6 insertions, 2 deletions
@@ -276,8 +276,12 @@ TftpHandler (uchar * pkt, unsigned dest, unsigned src, unsigned len) #endif TftpState = STATE_OACK; TftpServerPort = src; - /* Check for 'blksize' option */ - for (i=0;i<len-8;i++) { + /* + * Check for 'blksize' option. + * Careful: "i" is signed, "len" is unsigned, thus + * something like "len-8" may give a *huge* number + */ + for (i=0; i+8<len; i++) { if (strcmp ((char*)pkt+i,"blksize") == 0) { TftpBlkSize = (unsigned short) simple_strtoul((char*)pkt+i+8,NULL,10); |