From 60174746c668b309378a91488dded898e9553eae Mon Sep 17 00:00:00 2001
From: Wolfgang Denk <wd@denx.de>
Date: Fri, 31 Aug 2007 10:01:51 +0200
Subject: [PATCH] Fix TFTP OACK code for short packets.

The old code had a loop limit overflow bug which caused a semi-
infinite loop for small packets, because in "i<len-8", "i" was signed,
but "len" was unsigned, and "len-8" became a huge number for small
values of "len".

This is a workaround which replaces broken commit 8f1bc284.

Signed-off-by: Wolfgang Denk <wd@denx.de>
---
 net/tftp.c | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/net/tftp.c b/net/tftp.c
index fb2f50564e..5ee7676466 100644
--- a/net/tftp.c
+++ b/net/tftp.c
@@ -276,8 +276,12 @@ TftpHandler (uchar * pkt, unsigned dest, unsigned src, unsigned len)
 #endif
 		TftpState = STATE_OACK;
 		TftpServerPort = src;
-		/* Check for 'blksize' option */
-		for (i=0;i<len-8;i++) {
+		/*
+		 * Check for 'blksize' option.
+		 * Careful: "i" is signed, "len" is unsigned, thus
+		 * something like "len-8" may give a *huge* number
+		 */
+		for (i=0; i+8<len; i++) {
 			if (strcmp ((char*)pkt+i,"blksize") == 0) {
 				TftpBlkSize = (unsigned short)
 					simple_strtoul((char*)pkt+i+8,NULL,10);
-- 
2.25.1