From 2017dcb08b21dd2f977954ddb50394ba3010137c Mon Sep 17 00:00:00 2001
From: Toomas Soome
Date: Tue, 4 Sep 2018 15:27:45 +0300
Subject: 9789 loader: tftp should not read past file end
Reviewed by: Garrett D'Amore
Reviewed by: Andy Fiddaman
Reviewed by: Igor Kozhukhov
Approved by: Robert Mustacchi
---
 usr/src/boot/lib/libstand/tftp.c | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/usr/src/boot/lib/libstand/tftp.c b/usr/src/boot/lib/libstand/tftp.c
index ad3e89d448..46ce5f16b2 100644
--- a/usr/src/boot/lib/libstand/tftp.c
+++ b/usr/src/boot/lib/libstand/tftp.c
@@ -487,11 +487,19 @@ tftp_read(struct open_file *f, void *addr, size_t size,
 size_t *resid /* out */)
 {
 struct tftp_handle *tftpfile;
+ size_t res;
 int rc;
 rc = 0;
+ res = size;
 tftpfile = (struct tftp_handle *) f->f_fsdata;
+ /* Make sure we will not read past file end */
+ if (tftpfile->tftp_tsize > 0 &&
+ tftpfile->off + size > tftpfile->tftp_tsize) {
+ size = tftpfile->tftp_tsize - tftpfile->off;
+ }
+
 while (size > 0) {
 int needblock, count;
@@ -539,6 +547,7 @@ tftp_read(struct open_file *f, void *addr, size_t size,
 addr = (char *)addr + count;
 tftpfile->off += count;
 size -= count;
+ res -= count;
 if ((tftpfile->islastblock) && (count == inbuffer))
 break; /* EOF */
@@ -551,8 +560,8 @@ tftp_read(struct open_file *f, void *addr, size_t size,
 }
- if (resid)
- *resid = size;
+ if (resid != NULL)
+ *resid = res;
 return (rc);
 }
--
cgit v1.2.3
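Review bot: The clamp added at the top of tftp_read (first hunk) computes `tftpfile->tftp_tsize - tftpfile->off` without first checking that the offset is not already past the size, and it tests the bound with `tftpfile->off + size`, which can wrap for a very large request. The field types are declared outside the hunk, but if that subtraction is unsigned, or its negative result is converted to `size_t`, an offset beyond tsize would turn `size` into a huge value rather than zero, which is the over-read this change is meant to prevent. tsize presumably comes from the server's option reply, so it should be treated as untrusted input. Comparing against the remaining length avoids both problems: under the existing `tftp_tsize > 0` guard, `if (tftpfile->off >= tftpfile->tftp_tsize) size = 0;` followed by `else if (size > tftpfile->tftp_tsize - tftpfile->off) size = tftpfile->tftp_tsize - tftpfile->off;`. The body of tftp_read continues outside the hunk.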
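Review bot: In the last hunk `*resid` is now taken from `res`, the shortfall against the caller's original request, while `size` may have been clamped to the file end before the loop, and nothing in the function explains why there are two counters. A short comment above the assignment would keep them from being merged again, for example `/* res counts down from the caller's request; size may have been clamped at EOF */`. Callers that treat a non-zero resid as an error rather than as end of file would behave differently after this change; they are outside the visible hunks and worth checking.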