Reading a file via tftp client causes a buffer overflow (see below, for a backtrace scroll a bit further down). Building tftp-hpa with -O0 (instead of -O1 or -O2) seems to workaround this bug. % tftp localhost tftp> get pulsar *** buffer overflow detected ***: tftp terminated ======= Backtrace: ========= /lib/libc.so.6(__fortify_fail+0x37)[0x7ff15a1bb857] /lib/libc.so.6(+0xe4670)[0x7ff15a1b9670] tftp[0x4019cf] tftp[0x4021a8] tftp[0x402fad] tftp[0x403b66] /lib/libc.so.6(__libc_start_main+0xfd)[0x7ff15a0f3b6d] tftp[0x4018a9] ======= Memory map: ======== 00400000-00406000 r-xp 00000000 08:03 1597392 /usr/bin/tftp 00605000-00606000 r--p 00005000 08:03 1597392 /usr/bin/tftp 00606000-00607000 rw-p 00006000 08:03 1597392 /usr/bin/tftp 00607000-00669000 rw-p 00000000 00:00 0 [heap] 7ff15985c000-7ff159871000 r-xp 00000000 08:03 4860780 /lib64/libgcc_s.so.1 7ff159871000-7ff159a70000 ---p 00015000 08:03 4860780 /lib64/libgcc_s.so.1 7ff159a70000-7ff159a71000 r--p 00014000 08:03 4860780 /lib64/libgcc_s.so.1 7ff159a71000-7ff159a72000 rw-p 00015000 08:03 4860780 /lib64/libgcc_s.so.1 7ff159a72000-7ff159a7e000 r-xp 00000000 08:03 4849666 /lib64/libnss_files-2.11.2.so 7ff159a7e000-7ff159c7d000 ---p 0000c000 08:03 4849666 /lib64/libnss_files-2.11.2.so 7ff159c7d000-7ff159c7e000 r--p 0000b000 08:03 4849666 /lib64/libnss_files-2.11.2.so 7ff159c7e000-7ff159c7f000 rw-p 0000c000 08:03 4849666 /lib64/libnss_files-2.11.2.so 7ff159c7f000-7ff159c81000 r-xp 00000000 08:03 4850678 /lib64/libdl-2.11.2.so 7ff159c81000-7ff159e81000 ---p 00002000 08:03 4850678 /lib64/libdl-2.11.2.so 7ff159e81000-7ff159e82000 r--p 00002000 08:03 4850678 /lib64/libdl-2.11.2.so 7ff159e82000-7ff159e83000 rw-p 00003000 08:03 4850678 /lib64/libdl-2.11.2.so 7ff159e83000-7ff159ecf000 r-xp 00000000 08:03 4849888 /lib64/libncurses.so.5.7 7ff159ecf000-7ff15a0cf000 ---p 0004c000 08:03 4849888 /lib64/libncurses.so.5.7 7ff15a0cf000-7ff15a0d3000 r--p 0004c000 08:03 4849888 /lib64/libncurses.so.5.7 7ff15a0d3000-7ff15a0d4000 rw-p 00050000 08:03 4849888 /lib64/libncurses.so.5.7 7ff15a0d4000-7ff15a0d5000 rw-p 00000000 00:00 0 7ff15a0d5000-7ff15a22a000 r-xp 00000000 08:03 4850578 /lib64/libc-2.11.2.so 7ff15a22a000-7ff15a42a000 ---p 00155000 08:03 4850578 /lib64/libc-2.11.2.so 7ff15a42a000-7ff15a42e000 r--p 00155000 08:03 4850578 /lib64/libc-2.11.2.so 7ff15a42e000-7ff15a42f000 rw-p 00159000 08:03 4850578 /lib64/libc-2.11.2.so 7ff15a42f000-7ff15a434000 rw-p 00000000 00:00 0 7ff15a434000-7ff15a471000 r-xp 00000000 08:03 4849672 /lib64/libreadline.so.6.1 7ff15a471000-7ff15a670000 ---p 0003d000 08:03 4849672 /lib64/libreadline.so.6.1 7ff15a670000-7ff15a672000 r--p 0003c000 08:03 4849672 /lib64/libreadline.so.6.1 7ff15a672000-7ff15a678000 rw-p 0003e000 08:03 4849672 /lib64/libreadline.so.6.1 7ff15a678000-7ff15a67a000 rw-p 00000000 00:00 0 7ff15a67a000-7ff15a698000 r-xp 00000000 08:03 4849894 /lib64/ld-2.11.2.so 7ff15a6c0000-7ff15a871000 r--p 00000000 08:03 6696063 /usr/lib64/locale/locale-archive 7ff15a871000-7ff15a875000 rw-p 00000000 00:00 0 7ff15a88d000-7ff15a88f000 rw-p 00000000 00:00 0 7ff15a88f000-7ff15a896000 r--s 00000000 08:03 6049476 /usr/lib64/gconv/gconv-modules.cache 7ff15a896000-7ff15a897000 rw-p 00000000 00:00 0 7ff15a897000-7ff15a898000 r--p 0001d000 08:03 4849894 /lib64/ld-2.11.2.so 7ff15a898000-7ff15a899000 rw-p 0001e000 08:03 4849894 /lib64/ld-2.11.2.so 7ff15a899000-7ff15a89a000 rw-p 00000000 00:00 0 7fff9b2d6000-7fff9b2f7000 rw-p 00000000 00:00 0 [stack] 7fff9b315000-7fff9b316000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] zsh: abort (core dumped) tftp localhost Backtrace: (gdb) bt full #0 0x00007ff15a107455 in raise () from /lib/libc.so.6 No symbol table info available. #1 0x00007ff15a1088d6 in abort () from /lib/libc.so.6 No symbol table info available. #2 0x00007ff15a141ea3 in ?? () from /lib/libc.so.6 No symbol table info available. #3 0x00007ff15a1bb857 in __fortify_fail () from /lib/libc.so.6 No symbol table info available. #4 0x00007ff15a1b9670 in __chk_fail () from /lib/libc.so.6 No symbol table info available. #5 0x00000000004019cf in strcpy (request=<value optimized out>, name=0x63bdc4 "pulsar", tp=<value optimized out>, mode=0x404a45 "netascii") at /usr/include/bits/string3.h:107 No locals. #6 makerequest (request=<value optimized out>, name=0x63bdc4 "pulsar", tp=<value optimized out>, mode=0x404a45 "netascii") at tftp.c:285 cp = 0x606402 "p" #7 0x00000000004021a8 in tftp_recvfile (fd=<value optimized out>, name=0x63bdc4 "pulsar", mode=0x404a45 "netascii") at tftp.c:197 ap = 0x606400 dp = 0x606924 n = <value optimized out> block = 1 size = 6536644 firsttrip = 1 amount = 0 from = {sa = {sa_family = 0, sa_data = "\000\000\000\000\000\000\225\317hZ\361\177\000"}, si = {sin_family = 0, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\225\317hZ\361\177\000"}, s6 = {sin6_family = 0, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = {__in6_u = { __u6_addr8 = "\225\317hZ\361\177\000\000\000\000\000\000\000\000\000", __u6_addr16 = {53141, 23144, 32753, 0, 0, 0, 0, 0}, __u6_addr32 = {1516818325, 32753, 0, 0}}}, sin6_scope_id = 21}} fromlen = 0 file = 0x64a740 convert = 1 dp_opcode = <value optimized out> dp_block = <value optimized out> #8 0x0000000000402fad in get (argc=<value optimized out>, argv=<value optimized out>) at main.c:673 n = <value optimized out> cp = 0x63bdc4 "pulsar" src = 0x63bdc4 "pulsar" #9 0x0000000000403b66 in command (argc=<value optimized out>, argv=0x7fff9b2f5d88) at main.c:837 c = <value optimized out> #10 main (argc=<value optimized out>, argv=0x7fff9b2f5d88) at main.c:356 sa = {sa = {sa_family = 2, sa_data = '\000' <repeats 13 times>}, si = {sin_family = 2, sin_port = 0, sin_addr = {s_addr = 0}, sin_zero = "\000\000\000\000\000\000\000"}, s6 = {sin6_family = 2, sin6_port = 0, sin6_flowinfo = 0, sin6_addr = {__in6_u = {__u6_addr8 = '\000' <repeats 15 times>, __u6_addr16 = {0, 0, 0, 0, 0, 0, 0, 0}, __u6_addr32 = {0, 0, 0, 0}}}, sin6_scope_id = 0}} arg = <value optimized out> pargc = 0 peerargc = 2 iscmd = 0 pargv = 0x2 optx = <value optimized out> peerargv = {0x7fff9b2f6916 "tftp", 0x7fff9b2f691b "localhost", 0x0} Reproducible: Always Steps to Reproduce: Open tftp connection, GET a file. Actual Results: Detected buffer overflow -> core dump. Expected Results: The file is downloaded without error. Portage 2.1.9.25 (default/linux/amd64/10.0, gcc-4.5.2, glibc-2.11.2-r3, 2.6.37.1 x86_64) ================================================================= System uname: Linux-2.6.37.1-x86_64-Intel-R-_Core-TM-_i7_CPU_L_640_@_2.13GHz-with-gentoo-1.12.14 Timestamp of tree: Wed, 02 Mar 2011 00:30:01 +0000 app-shells/bash: 4.1_p9 dev-lang/python: 2.6.6-r2, 3.1.3-r1 dev-util/cmake: 2.8.1-r2 sys-apps/baselayout: 1.12.14-r1 sys-apps/sandbox: 2.4 sys-devel/autoconf: 2.13, 2.65-r1 sys-devel/automake: 1.10.3, 1.11.1 sys-devel/binutils: 2.20.1-r1 sys-devel/gcc: 4.4.5, 4.5.2 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.10 sys-devel/make: 3.81-r2 virtual/os-headers: 2.6.36.1 (sys-kernel/linux-headers) ACCEPT_KEYWORDS="amd64" ACCEPT_LICENSE="*" CBUILD="x86_64-pc-linux-gnu" CFLAGS="-O1 -g -march=native -pipe" CHOST="x86_64-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo /etc/texmf/language.dat.d /etc/texmf/language.def.d /etc/texmf/updmap.d /etc/texmf/web2c" CXXFLAGS="-O1 -g -march=native -pipe" DISTDIR="/usr/portage/distfiles" FEATURES="assume-digests binpkg-logs candy distlocks fail-clean fixlafiles fixpackages news nostrip parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch" GENTOO_MIRRORS="http://distfiles.gentoo.org" LANG="en_US.UTF-8" LDFLAGS="-Wl,-O1 -Wl,--as-needed" LINGUAS="de en" MAKEOPTS="-s -j2" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" PORTDIR_OVERLAY="/var/lib/layman/luke-jr /var/lib/layman/lisp /var/lib/layman/lordvan" SYNC="rsync://rsync.gentoo.org/gentoo-portage" USE="X a52 aac acl acpi alsa amd64 berkdb bzip2 cairo cli cracklib crypt cups cxx dri dts dvb dvd emacs flac fontconfig fortran gdbm gpm iconv ipv6 jpeg matroska mmx modules mp3 mpeg mudflap multilib musepack ncurses nptl nptlonly ogg opengl openmp pam pcre perl png pppd python readline session sse sse2 sse3 ssl ssse3 sysfs tcpd theora threads truetype unicode v4l vaapi vorbis x264 xcb xinerama xorg xv xvmc zlib zsh-completion" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" DVB_CARDS="usb-dib0700" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="de en" PHP_TARGETS="php5-3" QEMU_SOFTMMU_TARGETS="x86_64" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel vesa" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS
fortify code is only enabled when optimization is enabled (not -O0). the code in question though explains why fortify throws up on it. /usr/include/arpa/tftp.h: struct tftphdr { short th_opcode; /* packet type */ union { unsigned short tu_block; /* block # */ short tu_code; /* error code */ char tu_stuff[1]; /* request packet stuff */ } __attribute__ ((__packed__)) th_u; char th_data[1]; /* data or error string */ } __attribute__ ((__packed__)); #define th_stuff th_u.tu_stuff tftp.c: static int makerequest(int request, const char *name, struct tftphdr *tp, const char *mode) { char *cp; tp->th_opcode = htons((u_short) request); cp = (char *)&(tp->th_stuff); strcpy(cp, name); that isnt going to work ... the code declares th_stuff as only being 1 byte long. i guess the structure would need to be defined as tu_stuff[] rather than tu_stuff[1] to make it work.
Hello! I have switched gcc to 4.4.5 from 4.5.2; emerging netkit-tftp solved this issue...
This happens on netkit-tftp as well, with gcc 4.5.3
*** Bug 375157 has been marked as a duplicate of this bug. ***
Is this waiting for patches changing the [1] to a []?
going: gcc-config x86_64-pc-linux-gnu-4.4.5 from: [1] x86_64-pc-linux-gnu-4.4.5 [2] x86_64-pc-linux-gnu-4.5.3 * fixed this for me.
tftp -m binary 192.168.1.1 -c put RT-N16-1.9.2.7-rtn-r3300.trx *** buffer overflow detected ***: tftp terminated ======= Backtrace: ========= /lib64/libc.so.6(__fortify_fail+0x37)[0x7f986c722fd7] /lib64/libc.so.6(+0xfbe60)[0x7f986c720e60] tftp[0x401ba1] tftp[0x402067] tftp[0x403eb1] /lib64/libc.so.6(__libc_start_main+0xfd)[0x7f986c643ebd] tftp[0x401a89] ======= Memory map: ======== 00400000-00407000 r-xp 00000000 fe:04 2366 /usr/bin/tftp 00606000-00607000 r--p 00006000 fe:04 2366 /usr/bin/tftp 00607000-00608000 rw-p 00007000 fe:04 2366 /usr/bin/tftp 00608000-00628000 rw-p 00000000 00:00 0 00bda000-00bfb000 rw-p 00000000 00:00 0 [heap] 7f986bdaa000-7f986bdbf000 r-xp 00000000 08:02 9804 /lib64/libgcc_s.so.1 7f986bdbf000-7f986bfbe000 ---p 00015000 08:02 9804 /lib64/libgcc_s.so.1 7f986bfbe000-7f986bfbf000 r--p 00014000 08:02 9804 /lib64/libgcc_s.so.1 7f986bfbf000-7f986bfc0000 rw-p 00015000 08:02 9804 /lib64/libgcc_s.so.1 7f986bfc0000-7f986bfcc000 r-xp 00000000 08:02 9754 /lib64/libnss_files-2.13.so 7f986bfcc000-7f986c1cb000 ---p 0000c000 08:02 9754 /lib64/libnss_files-2.13.so 7f986c1cb000-7f986c1cc000 r--p 0000b000 08:02 9754 /lib64/libnss_files-2.13.so 7f986c1cc000-7f986c1cd000 rw-p 0000c000 08:02 9754 /lib64/libnss_files-2.13.so 7f986c1cd000-7f986c1cf000 r-xp 00000000 08:02 9143 /lib64/libdl-2.13.so 7f986c1cf000-7f986c3cf000 ---p 00002000 08:02 9143 /lib64/libdl-2.13.so 7f986c3cf000-7f986c3d0000 r--p 00002000 08:02 9143 /lib64/libdl-2.13.so 7f986c3d0000-7f986c3d1000 rw-p 00003000 08:02 9143 /lib64/libdl-2.13.so 7f986c3d1000-7f986c420000 r-xp 00000000 08:02 9771 /lib64/libncurses.so.5.9 7f986c420000-7f986c61f000 ---p 0004f000 08:02 9771 /lib64/libncurses.so.5.9 7f986c61f000-7f986c623000 r--p 0004e000 08:02 9771 /lib64/libncurses.so.5.9 7f986c623000-7f986c624000 rw-p 00052000 08:02 9771 /lib64/libncurses.so.5.9 7f986c624000-7f986c625000 rw-p 00000000 00:00 0 7f986c625000-7f986c7bf000 r-xp 00000000 08:02 9750 /lib64/libc-2.13.so 7f986c7bf000-7f986c9be000 ---p 0019a000 08:02 9750 /lib64/libc-2.13.so 7f986c9be000-7f986c9c2000 r--p 00199000 08:02 9750 /lib64/libc-2.13.so 7f986c9c2000-7f986c9c3000 rw-p 0019d000 08:02 9750 /lib64/libc-2.13.so 7f986c9c3000-7f986c9c9000 rw-p 00000000 00:00 0 7f986c9c9000-7f986ca06000 r-xp 00000000 08:02 2095 /lib64/libreadline.so.6.2 7f986ca06000-7f986cc06000 ---p 0003d000 08:02 2095 /lib64/libreadline.so.6.2 7f986cc06000-7f986cc08000 r--p 0003d000 08:02 2095 /lib64/libreadline.so.6.2 7f986cc08000-7f986cc0e000 rw-p 0003f000 08:02 2095 /lib64/libreadline.so.6.2 7f986cc0e000-7f986cc10000 rw-p 00000000 00:00 0 7f986cc10000-7f986cc31000 r-xp 00000000 08:02 9747 /lib64/ld-2.13.so 7f986cdf5000-7f986cdf9000 rw-p 00000000 00:00 0 7f986ce2e000-7f986ce30000 rw-p 00000000 00:00 0 7f986ce30000-7f986ce31000 r--p 00020000 08:02 9747 /lib64/ld-2.13.so 7f986ce31000-7f986ce32000 rw-p 00021000 08:02 9747 /lib64/ld-2.13.so 7f986ce32000-7f986ce33000 rw-p 00000000 00:00 0 7fff28ee6000-7fff28f08000 rw-p 00000000 00:00 0 [stack] 7fff28f6f000-7fff28f70000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] Aborted gcc-config -l [1] x86_64-pc-linux-gnu-4.5.3 * CFLAGS="-O0" fix it
*** Bug 406347 has been marked as a duplicate of this bug. ***
Sadly, but does not solve with CFLAGS="-O0" net-ftp/netkit-tftp-0.17-r7 was built with the following: USE="(multilib)" CFLAGS="-O0" gNutCore tmp # tftp localhost tftp> get test *** buffer overflow detected ***: tftp terminated ======= Backtrace: ========= /lib64/libc.so.6(__fortify_fail+0x37)[0x7fd273b3b0a7] /lib64/libc.so.6(+0xedf00)[0x7fd273b38f00] tftp[0x4015b1] tftp[0x40204d] tftp[0x4027ea] tftp[0x4035c7] /lib64/libc.so.6(__libc_start_main+0xfd)[0x7fd273a6d09d] tftp[0x401499] ======= Memory map: ======== 00400000-00405000 r-xp 00000000 08:03 193524 /usr/bin/tftp 00604000-00605000 r--p 00004000 08:03 193524 /usr/bin/tftp 00605000-00606000 rw-p 00005000 08:03 193524 /usr/bin/tftp 00606000-00607000 rw-p 00000000 00:00 0 015f7000-01618000 rw-p 00000000 00:00 0 [heap] 7fd273628000-7fd27363d000 r-xp 00000000 08:03 1077 /lib64/libgcc_s.so.1 7fd27363d000-7fd27383c000 ---p 00015000 08:03 1077 /lib64/libgcc_s.so.1 7fd27383c000-7fd27383d000 r--p 00014000 08:03 1077 /lib64/libgcc_s.so.1 7fd27383d000-7fd27383e000 rw-p 00015000 08:03 1077 /lib64/libgcc_s.so.1 7fd27383e000-7fd27384a000 r-xp 00000000 08:03 1010 /lib64/libnss_files-2.13.so 7fd27384a000-7fd273a49000 ---p 0000c000 08:03 1010 /lib64/libnss_files-2.13.so 7fd273a49000-7fd273a4a000 r--p 0000b000 08:03 1010 /lib64/libnss_files-2.13.so 7fd273a4a000-7fd273a4b000 rw-p 0000c000 08:03 1010 /lib64/libnss_files-2.13.so 7fd273a4b000-7fd273bcc000 r-xp 00000000 08:03 1045 /lib64/libc-2.13.so 7fd273bcc000-7fd273dcc000 ---p 00181000 08:03 1045 /lib64/libc-2.13.so 7fd273dcc000-7fd273dd0000 r--p 00181000 08:03 1045 /lib64/libc-2.13.so 7fd273dd0000-7fd273dd1000 rw-p 00185000 08:03 1045 /lib64/libc-2.13.so 7fd273dd1000-7fd273dd6000 rw-p 00000000 00:00 0 7fd273dd6000-7fd273df5000 r-xp 00000000 08:03 1013 /lib64/ld-2.13.so 7fd273fc2000-7fd273fc5000 rw-p 00000000 00:00 0 7fd273ff1000-7fd273ff5000 rw-p 00000000 00:00 0 7fd273ff5000-7fd273ff6000 r--p 0001f000 08:03 1013 /lib64/ld-2.13.so 7fd273ff6000-7fd273ff7000 rw-p 00020000 08:03 1013 /lib64/ld-2.13.so 7fd273ff7000-7fd273ff8000 rw-p 00000000 00:00 0 7fff20062000-7fff20083000 rw-p 00000000 00:00 0 [stack] 7fff200ff000-7fff20100000 r-xp 00000000 00:00 0 [vdso] ffffffffff600000-ffffffffff601000 r-xp 00000000 00:00 0 [vsyscall] Aborted
According to this bug report: https://bugs.archlinux.org/task/28103 this patch fixes this issue: http://pkgs.fedoraproject.org/gitweb/?p=tftp.git;a=blob_plain;f=tftp-hpa-0.49-fortify-strcpy-crash.patch;hb=HEAD
as noted in Bug 375157, that patch works by accident imo i've filed PR52944 with upstream gcc ... let's see where it goes otherwise, it should be easy to make all the tftp packages by using _FORTIFY_SOURCE=1 when building the tftp packages. that setting will disable crossing of variable boundaries.
upstream gcc indicates that 4.7 should be fixed, but i don't have a local install of that to double check. with a little more anonymous structure/union abuse though, we can make the tftp.h header play ball. patch posted to upstream glibc to do just that.
*** Bug 394803 has been marked as a duplicate of this bug. ***
i've included the fix in glibc-2.15