You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@commons.apache.org by se...@apache.org on 2017/02/09 16:09:31 UTC

svn commit: r1782356 - in /commons/proper/net/trunk/src: changes/changes.xml main/java/org/apache/commons/net/tftp/TFTPClient.java

Author: sebb
Date: Thu Feb  9 16:09:31 2017
New Revision: 1782356

URL: http://svn.apache.org/viewvc?rev=1782356&view=rev
Log:
NET-414 Apache Commons TFTP does not reject request replies that originate from a control port.

Modified:
    commons/proper/net/trunk/src/changes/changes.xml
    commons/proper/net/trunk/src/main/java/org/apache/commons/net/tftp/TFTPClient.java

Modified: commons/proper/net/trunk/src/changes/changes.xml
URL: http://svn.apache.org/viewvc/commons/proper/net/trunk/src/changes/changes.xml?rev=1782356&r1=1782355&r2=1782356&view=diff
==============================================================================
--- commons/proper/net/trunk/src/changes/changes.xml [utf-8] (original)
+++ commons/proper/net/trunk/src/changes/changes.xml [utf-8] Thu Feb  9 16:09:31 2017
@@ -87,6 +87,9 @@ without checking it if is a space.
   The POP3Mail examples can now get password from console, stdin or an environment variable.
   
 ">
+            <action issue="NET-414" type="fix" dev="sebb" due-to="Chuck Wolber">
+            Apache Commons TFTP does not reject request replies that originate from a control port.
+            </action>
             <action issue="NET-477" type="fix" dev="sebb" due-to="John Walton">
             TFTP sendFile retry broken
             </action>

Modified: commons/proper/net/trunk/src/main/java/org/apache/commons/net/tftp/TFTPClient.java
URL: http://svn.apache.org/viewvc/commons/proper/net/trunk/src/main/java/org/apache/commons/net/tftp/TFTPClient.java?rev=1782356&r1=1782355&r2=1782356&view=diff
==============================================================================
--- commons/proper/net/trunk/src/main/java/org/apache/commons/net/tftp/TFTPClient.java (original)
+++ commons/proper/net/trunk/src/main/java/org/apache/commons/net/tftp/TFTPClient.java Thu Feb  9 16:09:31 2017
@@ -177,6 +177,13 @@ public class TFTPClient extends TFTP
                         final InetAddress recdAddress = received.getAddress();
                         if (lastBlock == 0)
                         {
+                            if (recdPort == port) { // must not use the control port here
+                                TFTPErrorPacket error = new TFTPErrorPacket(recdAddress,
+                                        recdPort, TFTPErrorPacket.UNKNOWN_TID,
+                                        "INCORRECT SOURCE PORT");
+                                bufferedSend(error);
+                                throw new IOException("Incorrect source port ("+recdPort+") in request reply.");
+                            }
                             hostPort = recdPort;
                             ack.setPort(hostPort);
                             if(!host.equals(recdAddress))
@@ -377,6 +384,13 @@ public class TFTPClient extends TFTP
                         // answering host address (for hosts with multiple IPs)
                         if (justStarted) {
                             justStarted = false;
+                            if (recdPort == port) { // must not use the control port here
+                                TFTPErrorPacket error = new TFTPErrorPacket(recdAddress,
+                                        recdPort, TFTPErrorPacket.UNKNOWN_TID,
+                                        "INCORRECT SOURCE PORT");
+                                bufferedSend(error);
+                                throw new IOException("Incorrect source port ("+recdPort+") in request reply.");
+                            }
                             hostPort = recdPort;
                             data.setPort(hostPort);
                             if (!host.equals(recdAddress)) {