fs tftp: Fix possible fifo overflow

In tftp_read we send a request for a new packet without checking if we
have enough space in the FIFO. This can lead to a FIFO overflow and a
corrupt file. Add a check for it.

Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Reported-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Tested-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

1 files changed, 5 insertions, 1 deletions

diff --git a/fs/tftp.c b/fs/tftp.c
index d89272e5ec..dff41e9c17 100644
--- a/fs/tftp.c
+++ b/fs/tftp.c
@@ -62,6 +62,7 @@
 #define STATE_DONE	8
 
 #define TFTP_BLOCK_SIZE		512	/* default TFTP block size */
+#define TFTP_FIFO_SIZE		4096
 
 #define TFTP_ERR_RESEND	1
 
@@ -399,7 +400,7 @@ static struct file_priv *tftp_do_open(struct device_d *dev,
 	priv->blocksize = TFTP_BLOCK_SIZE;
 	priv->block_requested = -1;
 
-	priv->fifo = kfifo_alloc(4096);
+	priv->fifo = kfifo_alloc(TFTP_FIFO_SIZE);
 	if (!priv->fifo) {
 		ret = -ENOMEM;
 		goto out;
@@ -558,6 +559,9 @@ static int tftp_read(struct device_d *dev, FILE *f, void *buf, size_t insize)
 			outsize += now;
 			buf += now;
 			insize -= now;
+		}
+
+		if (TFTP_FIFO_SIZE - kfifo_len(priv->fifo) >= priv->blocksize) {
 			tftp_send(priv);
 			tftp_timer_reset(priv);
 		}