fix bounds checking, add corresponding unit tests

czp182 · alandekok · commit ede4ad675219 · 2026-03-09T17:36:52.000-04:00
blksize was missing minimum check,
if statement previously flags the 'end-of-file' packet as malformed,
unit tests added to check empty data block signals end-of-file, as well as invalid block size where minimum is 8

(protocols/tftp: fix empty DATA packet rejection and missing blksize minimum check 470)
diff --git a/src/protocols/tftp/decode.c b/src/protocols/tftp/decode.c
@@ -178,7 +178,9 @@ int fr_tftp_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t const *data, si
 
 			blksize = strtol((const char *)p, &p_end, 10);
 
-			if (p == (const uint8_t *)p_end || blksize > FR_TFTP_BLOCK_MAX_SIZE) {
+			if ((p == (const uint8_t *)p_end) ||
+			    (blksize < FR_TFTP_BLOCK_MIN_SIZE) ||
+			    (blksize > FR_TFTP_BLOCK_MAX_SIZE)) {
 				fr_strerror_printf("Invalid Block-Size %ld value", blksize);
 				goto error;
 			}
@@ -217,7 +219,7 @@ int fr_tftp_decode(TALLOC_CTX *ctx, fr_pair_list_t *out, uint8_t const *data, si
 		 */
 		if (opcode != FR_OPCODE_VALUE_DATA) goto done;
 
-		if ((p + 2) >= end) goto error_malformed;
+		if ((p + 2) > end) goto error_malformed;
 
 		p += 2;
 
diff --git a/src/tests/unit/protocols/tftp/base.txt b/src/tests/unit/protocols/tftp/base.txt
@@ -42,6 +42,12 @@ match Opcode = ::Data, Block = 4660, Data = 0x3132333435
 encode-proto -
 match 00 03 12 34 31 32 33 34 35
 
+#
+#	Server -> Client (Data) - empty data block signals end-of-file
+#
+decode-proto 00 03 00 01
+match Opcode = ::Data, Block = 1, Data = 0x
+
 #
 #	Client -> Server (Acknowledgement)
 #
@@ -61,4 +67,4 @@ encode-proto -
 match 00 05 00 04 4b 61 6c 6f 73 20 46 61 75 6c 74 00
 
 count
-match 27
+match 29
diff --git a/src/tests/unit/protocols/tftp/error.txt b/src/tests/unit/protocols/tftp/error.txt
@@ -21,6 +21,12 @@ match Packet contains malformed attribute
 decode-proto 00 01 00 6f 63 74 65 74 00 62 6c 6b 73 69 7a 65 7d 35 35 35 35 35 35 35
 match Packet contains malformed attribute
 
+#
+#	Client -> Server (Read-Request) - With invalid block-size. (min is 8)
+#
+decode-proto 00 01 66 00 6f 63 74 65 74 00 62 6c 6b 73 69 7a 65 00 37 00
+match Invalid Block-Size 7 value
+
 #
 #	Client -> Server (Read-Request) - With invalid block-size. (max is 65464)
 #
@@ -49,4 +55,4 @@ decode-proto 00 00 25 88
 match Invalid TFTP opcode 0000
 
 count
-match 19
+match 21
