From e8d0fb768527fd745aa6e5d0de7dbfef89352ac2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=B6ren=20Tempel?= <soeren+git@soeren-tempel.net>
Date: Mon, 1 Jul 2019 10:07:05 +0200
Subject: [PATCH] gnrc_tftp: Add minimum packet length check

Fixes #10927
---
 sys/net/gnrc/application_layer/tftp/gnrc_tftp.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/sys/net/gnrc/application_layer/tftp/gnrc_tftp.c b/sys/net/gnrc/application_layer/tftp/gnrc_tftp.c
index 6526cd64a8..9fd06e80d0 100644
--- a/sys/net/gnrc/application_layer/tftp/gnrc_tftp.c
+++ b/sys/net/gnrc/application_layer/tftp/gnrc_tftp.c
@@ -51,6 +51,7 @@ static kernel_pid_t _tftp_kernel_pid;
 
 #define TFTP_TIMEOUT_MSG            0x4000
 #define TFTP_STOP_SERVER_MSG        0x4001
+#define TFTP_MIN_PACKET_LEN         4
 #define TFTP_DEFAULT_DATA_SIZE      (GNRC_TFTP_MAX_TRANSFER_UNIT    \
                                      + sizeof(tftp_packet_data_t))
 
@@ -598,6 +599,11 @@ tftp_state _tftp_state_processes(tftp_context_t *ctxt, msg_t *m)
     }
 
     gnrc_pktsnip_t *pkt = m->content.ptr;
+    if (pkt->size < TFTP_MIN_PACKET_LEN) {
+       DEBUG("tftp: packet is too short\n");
+       gnrc_pktbuf_release(outbuf);
+       return TS_FAILED;
+    }
 
     gnrc_pktsnip_t *tmp;
     tmp = gnrc_pktsnip_search_type(pkt, GNRC_NETTYPE_UDP);