Commit 567a72f6 authored by Guillaume Tucker's avatar Guillaume Tucker Committed by Ricardo Cañuelo Navarro
Browse files

tftp: allow 16-bit block number to wrap around



The TFTP protocol defines a 16-bit block number, which will typically
wrap around by server implementations to allow files with more than
65535 blocks.  As each block typically has a size of 512 bytes, the
overflow happens after 32 MiB of data being transferred.

The sequence of block numbers is being verified in tftp.c to ensure
the blocks are received in the correct order.  While most FIT images
will be smaller than 32MiB, it's easy to go beyond this limit with
debug kernel configs enabled and when using ramdisks.

To cope with this, only check the block number sequence within the
16-bit integer range.  With TFTP servers able to deliver any file size
by wrapping the block number around, this allows any file size to be
downloaded.

BRANCH=master
BUG=none
TEST=Boot with FIT image larger than 32MiB

Change-Id: Icfe988cc33747528493bf37d8e56d2df34a46a81
Signed-off-by: Guillaume Tucker's avatarGuillaume Tucker <guillaume.tucker@collabora.com>
Reviewed-on: https://chromium-review.googlesource.com/1202122


Commit-Ready: Guillaume Tucker <gtucker.collabora@gmail.com>
Tested-by: default avatarGuillaume Tucker <gtucker.collabora@gmail.com>
Reviewed-by: default avatarJulius Werner <jwerner@chromium.org>
parent 8b7cc5c6
......@@ -133,8 +133,9 @@ static void tftp_callback(void)
memcpy(&blocknum, (uint8_t *)uip_appdata + 2, sizeof(blocknum));
blocknum = ntohw(blocknum);
// Ignore blocks which are duplicated or out of order.
if (blocknum != tftp_blocknum)
// Ignore blocks which are duplicated or out of order, taking into
// account 16-bit block number overflow.
if (blocknum != (tftp_blocknum & 0xFFFF))
return;
void *new_data = (uint8_t *)uip_appdata + 4;
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment