From fa6d2bce50b5b45e6dd3e30c0f9e477f4ce3e9b9 Mon Sep 17 00:00:00 2001
From: Erik Auerswald
Date: Sun, 11 Sep 2022 15:12:26 +0200
Subject: [PATCH] tftp: Ignore excess arguments When given too many arguments to a command at the tftp cli, the buffer used to hold the arguments would overflow. This could result in a crash. The problem was reported by AiDai in . This commit fixes the test failure in the previously added file "tests/tftp-regressions.sh". * NEWS: Mention fix. * src/tftp.c (makeargv): Do not overflow argument buffer.
---
 NEWS | 6 ++++++
 src/tftp.c | 10 +++++++++-
 2 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/NEWS b/NEWS
index 86552296..3401d6de 100644
--- a/NEWS
+++ b/NEWS
@@ -12,6 +12,12 @@ https://pierrekim.github.io/blog/2022-08-24-2-byte-dos-freebsd-netbsd-telnetd-ne
 *** Fix a buffer overflow problem. CVE-2019-0053 https://cgit.freebsd.org/src/commit/?id=14aab889f4e50072a6b914eb95ebbfa939539dad
+** tftp
+
+*** Avoid crashing when given unexpected or invalid commands from tty.
+Reported by AiDai in
+.
+
 * Noteworthy changes in release 2.3 (2022-07-08) [stable] ** telnet
diff --git a/src/tftp.c b/src/tftp.c
index 42abbb4a..75f925bd 100644
--- a/src/tftp.c
+++ b/src/tftp.c
@@ -122,7 +122,10 @@ static int fromatty;
 char mode[32];
 char line[200];
 int margc;
-char *margv[20];
+
+#define TFTP_MAX_ARGS 20
+
+char *margv[TFTP_MAX_ARGS];
 char *prompt = "tftp";
 jmp_buf toplevel;
 void intr (int signo);
@@ -914,6 +917,11 @@ makeargv (void)
 cp++;
 if (*cp == '\0')
 break;
+ if (margc + 1 >= TFTP_MAX_ARGS)
+ {
+ fprintf (stderr, "Ignoring excess arguments.\n");
+ break;
+ }
 *argp++ = cp;
 margc += 1;
 while (*cp != '\0' && !isspace (*cp))
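Review bot: `TFTP_MAX_ARGS` at the new `#define` has no comment saying that it is the size of `margv` rather than the number of arguments a command may carry. The guard this patch adds to makeargv stops storing once `margc + 1 >= TFTP_MAX_ARGS`, so at most 19 pointers are written; presumably the last slot is kept for a terminating null pointer set after the loop, which is not visible in this patch. I would put `/* Number of slots in margv, including the one kept for the terminating null pointer. */` above the define, so that a later change to the bound check does not reintroduce the overflow.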
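Review bot: After the added `break` the line is still executed with the argument list cut to 19 entries, so the command that runs is not the one that was typed. For a command where position matters (tftp's `put` takes the remote target as its last argument), a shortened list can name a different target, and the only signal is one line on stderr. Rejecting the whole line fails safer: if the callers treat `margc == 0` as an empty command (they are outside this hunk; confirm), `margc = 0; argp = margv;` before the `break` would do it, with the message reworded to say the command was ignored. makeargv starts and ends outside the hunk.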