/* $NetBSD: tftpd.c,v 1.45 2016/07/20 20:18:21 shm Exp $ */ /* * Copyright (c) 1983, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include #ifndef lint __COPYRIGHT("@(#) Copyright (c) 1983, 1993\ The Regents of the University of California. All rights reserved."); #if 0 static char sccsid[] = "@(#)tftpd.c 8.1 (Berkeley) 6/4/93"; #else __RCSID("$NetBSD: tftpd.c,v 1.45 2016/07/20 20:18:21 shm Exp $"); #endif #endif /* not lint */ /* * Trivial file transfer protocol server. * * This version includes many modifications by Jim Guyton * . */ #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include #include "tftpsubs.h" #define DEFAULTUSER "nobody" #define TIMEOUT 5 static int peer; static int rexmtval = TIMEOUT; static int maxtimeout = 5*TIMEOUT; static char buf[MAXPKTSIZE]; static char ackbuf[PKTSIZE]; static char oackbuf[PKTSIZE]; static struct sockaddr_storage from; static socklen_t fromlen; static int debug; static int tftp_opt_tsize = 0; static int tftp_blksize = SEGSIZE; static int tftp_tsize = 0; /* * Null-terminated directory prefix list for absolute pathname requests and * search list for relative pathname requests. * * MAXDIRS should be at least as large as the number of arguments that * inetd allows (currently 20). */ #define MAXDIRS 20 static struct dirlist { char *name; int len; } dirs[MAXDIRS+1]; static int suppress_naks; static int logging; static int secure; static char pathsep = '\0'; static char *securedir; static int unrestricted_writes; /* uploaded files don't have to exist */ static int broadcast_client = 0; /* Some clients ack to the broadcast address */ struct formats; static const char *errtomsg(int); static void nak(int); __dead static void tftp(struct tftphdr *, int); __dead static void usage(void); static char *verifyhost(struct sockaddr *); __dead static void justquit(int); static void recvfile(struct formats *, int, int); static void sendfile(struct formats *, int, int); __dead static void timer(int); static const char *opcode(int); static int validate_access(char **, int); static struct formats { const char *f_mode; int (*f_validate)(char **, int); void (*f_send)(struct formats *, int, int); void (*f_recv)(struct formats *, int, int); int f_convert; } formats[] = { { "netascii", validate_access, sendfile, recvfile, 1 }, { "octet", validate_access, sendfile, recvfile, 0 }, { .f_mode = NULL } }; static void usage(void) { syslog(LOG_ERR, "Usage: %s [-bcdln] [-g group] [-p pathsep] [-s directory] [-u user] [directory ...]", getprogname()); exit(1); } int main(int argc, char *argv[]) { struct sockaddr_storage me; struct passwd *pwent; struct group *grent; struct tftphdr *tp; const char *tgtuser, *tgtgroup; char *ep; int n, ch, on, fd; int soopt; socklen_t len; uid_t curuid, tgtuid; gid_t curgid, tgtgid; long nid; n = 0; fd = 0; tzset(); openlog("tftpd", LOG_PID | LOG_NDELAY, LOG_DAEMON); tgtuser = DEFAULTUSER; tgtgroup = NULL; curuid = getuid(); curgid = getgid(); while ((ch = getopt(argc, argv, "bcdg:lnp:s:u:")) != -1) switch (ch) { case 'b': /* * Some clients, notably older Cisco boot loaders, * send their acknowledgements to the broadcast address * rather than the unicast address of the server. * Allow those clients to inter-operate with us. * It's worth noting that this interaction doesn't cause the * server to change where it sends the responses, meaning * servers that have this flag enabled are no more * susceptible to magnifcation DOS attacks than those * servers that don't use this flag. This flag merely * permits the reception of acknowledgement traffic to the * broadcast address/specific port number that's being used for * this session as well as the unicast address/specific port * number for this session. For example, if the session is * expecting acks on 192.168.1.40:50201, then this flag * would also allow acks to be returned to * 192.168.1.255:50201, assuming that 192.168.1.255 is the * broadcast address for the subnet containing 192.168.1.40. */ broadcast_client = 1; break; case 'c': unrestricted_writes = 1; break; case 'd': debug++; break; case 'g': tgtgroup = optarg; break; case 'l': logging = 1; break; case 'n': suppress_naks = 1; break; case 'p': if (optarg[0] == '\0' || optarg[1] != '\0') usage(); pathsep = optarg[0]; break; case 's': secure = 1; securedir = optarg; break; case 'u': tgtuser = optarg; break; default: usage(); break; } if (optind < argc) { struct dirlist *dirp; /* Get list of directory prefixes. Skip relative pathnames. */ for (dirp = dirs; optind < argc && dirp < &dirs[MAXDIRS]; optind++) { if (argv[optind][0] == '/') { dirp->name = argv[optind]; dirp->len = strlen(dirp->name); dirp++; } } } if (*tgtuser == '\0' || (tgtgroup != NULL && *tgtgroup == '\0')) usage(); nid = (strtol(tgtuser, &ep, 10)); if (*ep == '\0') { if ((uid_t)nid > UID_MAX) { syslog(LOG_ERR, "uid %ld is too large", nid); exit(1); } pwent = getpwuid((uid_t)nid); } else pwent = getpwnam(tgtuser); if (pwent == NULL) { syslog(LOG_ERR, "unknown user `%s'", tgtuser); exit(1); } tgtuid = pwent->pw_uid; tgtgid = pwent->pw_gid; if (tgtgroup != NULL) { nid = (strtol(tgtgroup, &ep, 10)); if (*ep == '\0') { if ((uid_t)nid > GID_MAX) { syslog(LOG_ERR, "gid %ld is too large", nid); exit(1); } grent = getgrgid((gid_t)nid); } else grent = getgrnam(tgtgroup); if (grent != NULL) tgtgid = grent->gr_gid; else { syslog(LOG_ERR, "unknown group `%s'", tgtgroup); exit(1); } } if (secure) { if (chdir(securedir) < 0) { syslog(LOG_ERR, "chdir %s: %m", securedir); exit(1); } if (chroot(".")) { syslog(LOG_ERR, "chroot: %m"); exit(1); } } if (logging) syslog(LOG_DEBUG, "running as user `%s' (%d), group `%s' (%d)", tgtuser, tgtuid, tgtgroup ? tgtgroup : "(unspecified)", tgtgid); if (curgid != tgtgid) { if (setgid(tgtgid)) { syslog(LOG_ERR, "setgid to %d: %m", (int)tgtgid); exit(1); } if (setgroups(0, NULL)) { syslog(LOG_ERR, "setgroups: %m"); exit(1); } } if (curuid != tgtuid) { if (setuid(tgtuid)) { syslog(LOG_ERR, "setuid to %d: %m", (int)tgtuid); exit(1); } } on = 1; if (ioctl(fd, FIONBIO, &on) < 0) { syslog(LOG_ERR, "ioctl(FIONBIO): %m"); exit(1); } fromlen = sizeof (from); n = recvfrom(fd, buf, sizeof (buf), 0, (struct sockaddr *)&from, &fromlen); if (n < 0) { syslog(LOG_ERR, "recvfrom: %m"); exit(1); } /* * Now that we have read the message out of the UDP * socket, we fork and exit. Thus, inetd will go back * to listening to the tftp port, and the next request * to come in will start up a new instance of tftpd. * * We do this so that inetd can run tftpd in "wait" mode. * The problem with tftpd running in "nowait" mode is that * inetd may get one or more successful "selects" on the * tftp port before we do our receive, so more than one * instance of tftpd may be started up. Worse, if tftpd * break before doing the above "recvfrom", inetd would * spawn endless instances, clogging the system. */ { int pid; int i; socklen_t j; for (i = 1; i < 20; i++) { pid = fork(); if (pid < 0) { sleep(i); /* * flush out to most recently sent request. * * This may drop some request, but those * will be resent by the clients when * they timeout. The positive effect of * this flush is to (try to) prevent more * than one tftpd being started up to service * a single request from a single client. */ j = sizeof from; i = recvfrom(fd, buf, sizeof (buf), 0, (struct sockaddr *)&from, &j); if (i > 0) { n = i; fromlen = j; } } else { break; } } if (pid < 0) { syslog(LOG_ERR, "fork: %m"); exit(1); } else if (pid != 0) { exit(0); } } /* * remember what address this was sent to, so we can respond on the * same interface */ len = sizeof(me); if (getsockname(fd, (struct sockaddr *)&me, &len) == 0) { switch (me.ss_family) { case AF_INET: ((struct sockaddr_in *)&me)->sin_port = 0; break; case AF_INET6: ((struct sockaddr_in6 *)&me)->sin6_port = 0; break; default: /* unsupported */ break; } } else { memset(&me, 0, sizeof(me)); me.ss_family = from.ss_family; me.ss_len = from.ss_len; } alarm(0); close(fd); close(1); peer = socket(from.ss_family, SOCK_DGRAM, 0); if (peer < 0) { syslog(LOG_ERR, "socket: %m"); exit(1); } if (broadcast_client) { soopt = 1; if (setsockopt(peer, SOL_SOCKET, SO_BROADCAST, (void *) &soopt, sizeof(soopt)) < 0) { syslog(LOG_ERR, "set SO_BROADCAST: %m"); exit(1); } } if (bind(peer, (struct sockaddr *)&me, me.ss_len) < 0) { syslog(LOG_ERR, "bind: %m"); exit(1); } soopt = 65536; /* larger than we'll ever need */ if (setsockopt(peer, SOL_SOCKET, SO_SNDBUF, (void *) &soopt, sizeof(soopt)) < 0) { syslog(LOG_ERR, "set SNDBUF: %m"); exit(1); } if (setsockopt(peer, SOL_SOCKET, SO_RCVBUF, (void *) &soopt, sizeof(soopt)) < 0) { syslog(LOG_ERR, "set RCVBUF: %m"); exit(1); } tp = (struct tftphdr *)buf; tp->th_opcode = ntohs(tp->th_opcode); if (tp->th_opcode == RRQ || tp->th_opcode == WRQ) tftp(tp, n); exit(1); } static int blk_handler(struct tftphdr *tp, const char *val, char *ack, size_t asize, size_t *ackl, int *ecode) { unsigned long bsize; char *endp; int l; /* * On these failures, we could just ignore the blocksize option. * Perhaps that should be a command-line option. */ errno = 0; bsize = strtoul(val, &endp, 10); if ((bsize == ULONG_MAX && errno == ERANGE) || *endp) { syslog(LOG_NOTICE, "%s: %s request for %s: " "illegal value %s for blksize option", verifyhost((struct sockaddr *)&from), tp->th_opcode == WRQ ? "write" : "read", tp->th_stuff, val); *ecode = EBADOP; return -1; } if (bsize < 8 || bsize > 65464) { syslog(LOG_NOTICE, "%s: %s request for %s: " "out of range value %s for blksize option", verifyhost((struct sockaddr *)&from), tp->th_opcode == WRQ ? "write" : "read", tp->th_stuff, val); *ecode = EBADOP; return -1; } tftp_blksize = bsize; if (asize > *ackl && (l = snprintf(ack + *ackl, asize - *ackl, "blksize%c%lu%c", 0, bsize, 0)) > 0) { *ackl += l; } else { *ecode = EBADOP; return -1; } return 0; } static int timeout_handler(struct tftphdr *tp, const char *val, char *ack, size_t asize, size_t *ackl, int *ecode) { unsigned long tout; char *endp; int l; errno = 0; tout = strtoul(val, &endp, 10); if ((tout == ULONG_MAX && errno == ERANGE) || *endp) { syslog(LOG_NOTICE, "%s: %s request for %s: " "illegal value %s for timeout option", verifyhost((struct sockaddr *)&from), tp->th_opcode == WRQ ? "write" : "read", tp->th_stuff, val); *ecode = EBADOP; return -1; } if (tout < 1 || tout > 255) { syslog(LOG_NOTICE, "%s: %s request for %s: " "out of range value %s for timeout option", verifyhost((struct sockaddr *)&from), tp->th_opcode == WRQ ? "write" : "read", tp->th_stuff, val); return 0; } rexmtval = tout; if (asize > *ackl && (l = snprintf(ack + *ackl, asize - *ackl, "timeout%c%lu%c", 0, tout, 0)) > 0) *ackl += l; else return -1; /* * Arbitrarily pick a maximum timeout on a request to 3 * retransmissions if the interval timeout is more than * one minute. Longest possible timeout is therefore * 3 * 255 - 1, or 764 seconds. */ if (rexmtval > 60) { maxtimeout = rexmtval * 3; } else { maxtimeout = rexmtval * 5; } return 0; } static int tsize_handler(struct tftphdr *tp, const char *val, char *ack, size_t asize, size_t *ackl, int *ecode) { unsigned long fsize; char *endp; /* * Maximum file even with extended tftp is 65535 blocks of * length 65464, or 4290183240 octets (4784056 less than 2^32). * unsigned long is at least 32 bits on all NetBSD archs. */ errno = 0; fsize = strtoul(val, &endp, 10); if ((fsize == ULONG_MAX && errno == ERANGE) || *endp) { syslog(LOG_NOTICE, "%s: %s request for %s: " "illegal value %s for tsize option", verifyhost((struct sockaddr *)&from), tp->th_opcode == WRQ ? "write" : "read", tp->th_stuff, val); *ecode = EBADOP; return -1; } if (fsize > (unsigned long) 65535 * 65464) { syslog(LOG_NOTICE, "%s: %s request for %s: " "out of range value %s for tsize option", verifyhost((struct sockaddr *)&from), tp->th_opcode == WRQ ? "write" : "read", tp->th_stuff, val); *ecode = EBADOP; return -1; } tftp_opt_tsize = 1; tftp_tsize = fsize; /* * We will report this later -- either replying with the fsize (WRQ) * or replying with the actual filesize (RRQ). */ return 0; } static const struct tftp_options { const char *o_name; int (*o_handler)(struct tftphdr *, const char *, char *, size_t, size_t *, int *); } options[] = { { "blksize", blk_handler }, { "timeout", timeout_handler }, { "tsize", tsize_handler }, { .o_name = NULL } }; /* * Get options for an extended tftp session. Stuff the ones we * recognize in oackbuf. */ static int get_options(struct tftphdr *tp, char *cp, int size, char *ackb, size_t asize, size_t *alen, int *ecode) { const struct tftp_options *op; char *option, *value, *endp; int r, rv=0; endp = cp + size; while (cp < endp) { option = cp; while (*cp && cp < endp) { *cp = tolower((unsigned char)*cp); cp++; } if (*cp) { /* if we have garbage at the end, just ignore it */ break; } cp++; /* skip over NUL */ value = cp; while (*cp && cp < endp) { cp++; } if (*cp) { /* if we have garbage at the end, just ignore it */ break; } cp++; for (op = options; op->o_name; op++) { if (strcmp(op->o_name, option) == 0) break; } if (op->o_name) { r = op->o_handler(tp, value, ackb, asize, alen, ecode); if (r < 0) { rv = -1; break; } rv++; } /* else ignore unknown options */ } return rv; } /* * Handle initial connection protocol. */ static void tftp(struct tftphdr *tp, int size) { struct formats *pf; char *cp; char *filename, *mode; int first, ecode, etftp = 0, r; size_t alen; ecode = 0; /* XXX gcc */ first = 1; mode = NULL; filename = cp = tp->th_stuff; again: while (cp < buf + size) { if (*cp == '\0') break; cp++; } if (*cp != '\0') { nak(EBADOP); exit(1); } if (first) { mode = ++cp; first = 0; goto again; } for (cp = mode; *cp; cp++) *cp = tolower((unsigned char)*cp); for (pf = formats; pf->f_mode; pf++) if (strcmp(pf->f_mode, mode) == 0) break; if (pf->f_mode == 0) { nak(EBADOP); exit(1); } /* * cp currently points to the NUL byte following the mode. * * If we have some valid options, then let's assume that we're * now dealing with an extended tftp session. Note that if we * don't get any options, then we *must* assume that we do not * have an extended tftp session. If we get options, we fill * in the ack buf to acknowledge them. If we skip that, then * the client *must* assume that we are not using an extended * session. */ size -= (++cp - (char *) tp); if (size > 0 && *cp) { alen = 2; /* Skip over opcode */ r = get_options(tp, cp, size, oackbuf, sizeof(oackbuf), &alen, &ecode); if (r > 0) { etftp = 1; } else if (r < 0) { nak(ecode); exit(1); } } /* * Globally replace the path separator given in the -p option * with / to cope with clients expecting a non-unix path separator. */ if (pathsep != '\0') { for (cp = filename; *cp != '\0'; ++cp) { if (*cp == pathsep) *cp = '/'; } } ecode = (*pf->f_validate)(&filename, tp->th_opcode); if (logging) { syslog(LOG_INFO, "%s: %s request for %s: %s", verifyhost((struct sockaddr *)&from), tp->th_opcode == WRQ ? "write" : "read", filename, errtomsg(ecode)); } if (ecode) { /* * Avoid storms of naks to a RRQ broadcast for a relative * bootfile pathname from a diskless Sun. */ if (suppress_naks && *filename != '/' && ecode == ENOTFOUND) exit(0); nak(ecode); exit(1); } if (etftp) { struct tftphdr *oack_h; if (tftp_opt_tsize) { int l; if (sizeof(oackbuf) > alen && (l = snprintf(oackbuf + alen, sizeof(oackbuf) - alen, "tsize%c%u%c", 0, tftp_tsize, 0)) > 0) alen += l; } oack_h = (struct tftphdr *) oackbuf; oack_h->th_opcode = htons(OACK); } if (tp->th_opcode == WRQ) (*pf->f_recv)(pf, etftp, alen); else (*pf->f_send)(pf, etftp, alen); exit(0); } FILE *file; /* * Validate file access. Since we * have no uid or gid, for now require * file to exist and be publicly * readable/writable. * If we were invoked with arguments * from inetd then the file must also be * in one of the given directory prefixes. */ int validate_access(char **filep, int mode) { struct stat stbuf; struct dirlist *dirp; static char pathname[MAXPATHLEN]; char *filename; int fd; int create = 0; int trunc = 0; filename = *filep; /* * Prevent tricksters from getting around the directory restrictions */ if (strstr(filename, "/../")) return (EACCESS); if (*filename == '/') { /* * Allow the request if it's in one of the approved locations. * Special case: check the null prefix ("/") by looking * for length = 1 and relying on the arg. processing that * it's a /. */ for (dirp = dirs; dirp->name != NULL; dirp++) { if (dirp->len == 1 || (!strncmp(filename, dirp->name, dirp->len) && filename[dirp->len] == '/')) break; } /* If directory list is empty, allow access to any file */ if (dirp->name == NULL && dirp != dirs) return (EACCESS); if (stat(filename, &stbuf) < 0) return (errno == ENOENT ? ENOTFOUND : EACCESS); if (!S_ISREG(stbuf.st_mode)) return (ENOTFOUND); if (mode == RRQ) { if ((stbuf.st_mode & S_IROTH) == 0) return (EACCESS); } else { if ((stbuf.st_mode & S_IWOTH) == 0) return (EACCESS); } } else { /* * Relative file name: search the approved locations for it. */ if (!strncmp(filename, "../", 3)) return (EACCESS); /* * Find the first file that exists in any of the directories, * check access on it. */ if (dirs[0].name != NULL) { for (dirp = dirs; dirp->name != NULL; dirp++) { snprintf(pathname, sizeof pathname, "%s/%s", dirp->name, filename); if (stat(pathname, &stbuf) == 0 && (stbuf.st_mode & S_IFMT) == S_IFREG) { break; } } if (dirp->name == NULL) return (ENOTFOUND); if (mode == RRQ && !(stbuf.st_mode & S_IROTH)) return (EACCESS); if (mode == WRQ && !(stbuf.st_mode & S_IWOTH)) return (EACCESS); *filep = filename = pathname; } else { int stat_rc; /* * If there's no directory list, take our cue from the * absolute file request check above (*filename == '/'), * and allow access to anything. */ stat_rc = stat(filename, &stbuf); if (mode == RRQ) { /* Read request */ if (stat_rc < 0) return (errno == ENOENT ? ENOTFOUND : EACCESS); if (!S_ISREG(stbuf.st_mode)) return (ENOTFOUND); if ((stbuf.st_mode & S_IROTH) == 0) return (EACCESS); } else { if (stat_rc < 0) { /* Can't stat */ if (errno == EACCES) { /* Permission denied */ return EACCESS; } else { /* Not there */ if (unrestricted_writes) { /* need to creat new file! */ create = O_CREAT; } else { /* Permission denied */ return EACCESS; } } } else { /* Can stat */ if ((stbuf.st_mode & S_IWOTH) == 0) { return (EACCESS); } trunc = O_TRUNC; } } *filep = filename; } } if (tftp_opt_tsize && mode == RRQ) tftp_tsize = (unsigned long) stbuf.st_size; fd = open(filename, mode == RRQ ? O_RDONLY : O_WRONLY | trunc | create, 0644); /* debatable */ if (fd < 0) return (errno + 100); file = fdopen(fd, (mode == RRQ)? "r":"w"); if (file == NULL) { close(fd); return (errno + 100); } return (0); } static int timeout; static jmp_buf timeoutbuf; static void timer(int dummy) { timeout += rexmtval; if (timeout >= maxtimeout) exit(1); longjmp(timeoutbuf, 1); } static const char * opcode(int code) { static char obuf[64]; switch (code) { case RRQ: return "RRQ"; case WRQ: return "WRQ"; case DATA: return "DATA"; case ACK: return "ACK"; case ERROR: return "ERROR"; case OACK: return "OACK"; default: (void)snprintf(obuf, sizeof(obuf), "*code 0x%x*", code); return obuf; } } /* * Send the requested file. */ static void sendfile(struct formats *pf, volatile int etftp, int acklength) { volatile unsigned int block; struct tftphdr *dp; struct tftphdr *ap; /* ack packet */ volatile int size; int n; signal(SIGALRM, timer); ap = (struct tftphdr *)ackbuf; if (etftp) { dp = (struct tftphdr *)oackbuf; size = acklength - 4; block = 0; } else { dp = r_init(); size = 0; block = 1; } do { if (block > 0) { size = readit(file, &dp, tftp_blksize, pf->f_convert); if (size < 0) { nak(errno + 100); goto abort; } dp->th_opcode = htons((u_short)DATA); dp->th_block = htons((u_short)block); } timeout = 0; (void)setjmp(timeoutbuf); send_data: if (!etftp && debug) syslog(LOG_DEBUG, "Send DATA %u", block); if ((n = sendto(peer, dp, size + 4, 0, (struct sockaddr *)&from, fromlen)) != size + 4) { syslog(LOG_ERR, "tftpd: write: %m"); goto abort; } if (block) read_ahead(file, tftp_blksize, pf->f_convert); for ( ; ; ) { alarm(rexmtval); /* read the ack */ n = recvfrom(peer, ackbuf, tftp_blksize, 0,(struct sockaddr *)&from, &fromlen ); alarm(0); if (n < 0) { syslog(LOG_ERR, "tftpd: read: %m"); goto abort; } ap->th_opcode = ntohs((u_short)ap->th_opcode); ap->th_block = ntohs((u_short)ap->th_block); switch (ap->th_opcode) { case ERROR: goto abort; case ACK: if (etftp && ap->th_block == 0) { etftp = 0; acklength = 0; dp = r_init(); goto done; } if (ap->th_block == (u_short)block) goto done; if (debug) syslog(LOG_DEBUG, "Resync ACK %u != %u", (unsigned int)ap->th_block, block); /* Re-synchronize with the other side */ (void) synchnet(peer, tftp_blksize); if (ap->th_block == (u_short)(block - 1)) goto send_data; /* FALLTHROUGH */ default: syslog(LOG_INFO, "Received %s in sendfile\n", opcode(dp->th_opcode)); } } done: if (debug) syslog(LOG_DEBUG, "Received ACK for block %u", block); if (block == UINT16_MAX && size == tftp_blksize) syslog(LOG_WARNING, "Block number wrapped (hint: increase block size)"); block++; } while (size == tftp_blksize || block == 1); abort: (void) fclose(file); } static void justquit(int dummy) { exit(0); } /* * Receive a file. */ static void recvfile(struct formats *pf, volatile int etftp, volatile int acklength) { volatile unsigned int block; struct tftphdr *dp; struct tftphdr *ap; /* ack buffer */ volatile int size; int n; signal(SIGALRM, timer); dp = w_init(); ap = (struct tftphdr *)oackbuf; block = 0; do { timeout = 0; if (etftp == 0) { ap = (struct tftphdr *)ackbuf; ap->th_opcode = htons((u_short)ACK); ap->th_block = htons((u_short)block); acklength = 4; } if (debug) syslog(LOG_DEBUG, "Sending ACK for block %u\n", block); if (block == UINT16_MAX) syslog(LOG_WARNING, "Block number wrapped (hint: increase block size)"); block++; (void) setjmp(timeoutbuf); send_ack: ap = (struct tftphdr *) (etftp ? oackbuf : ackbuf); if (sendto(peer, ap, acklength, 0, (struct sockaddr *)&from, fromlen) != acklength) { syslog(LOG_ERR, "tftpd: write: %m"); goto abort; } write_behind(file, pf->f_convert); for ( ; ; ) { alarm(rexmtval); n = recvfrom(peer, dp, tftp_blksize + 4, 0, (struct sockaddr *)&from, &fromlen); alarm(0); if (n < 0) { /* really? */ syslog(LOG_ERR, "tftpd: read: %m"); goto abort; } etftp = 0; dp->th_opcode = ntohs((u_short)dp->th_opcode); dp->th_block = ntohs((u_short)dp->th_block); if (debug) syslog(LOG_DEBUG, "Received %s for block %u", opcode(dp->th_opcode), (unsigned int)dp->th_block); switch (dp->th_opcode) { case ERROR: goto abort; case DATA: if (dp->th_block == block) goto done; /* normal */ if (debug) syslog(LOG_DEBUG, "Resync %u != %u", (unsigned int)dp->th_block, block); /* Re-synchronize with the other side */ (void) synchnet(peer, tftp_blksize); if (dp->th_block == (block-1)) goto send_ack; /* rexmit */ break; default: syslog(LOG_INFO, "Received %s in recvfile\n", opcode(dp->th_opcode)); break; } } done: if (debug) syslog(LOG_DEBUG, "Got block %u", block); /* size = write(file, dp->th_data, n - 4); */ size = writeit(file, &dp, n - 4, pf->f_convert); if (size != (n-4)) { /* ahem */ if (size < 0) nak(errno + 100); else nak(ENOSPACE); goto abort; } } while (size == tftp_blksize); write_behind(file, pf->f_convert); (void) fclose(file); /* close data file */ ap->th_opcode = htons((u_short)ACK); /* send the "final" ack */ ap->th_block = htons((u_short)(block)); if (debug) syslog(LOG_DEBUG, "Send final ACK %u", block); (void) sendto(peer, ackbuf, 4, 0, (struct sockaddr *)&from, fromlen); signal(SIGALRM, justquit); /* just quit on timeout */ alarm(rexmtval); n = recvfrom(peer, buf, sizeof (buf), 0, (struct sockaddr *)&from, &fromlen); /* normally times out and quits */ alarm(0); if (n >= 4 && /* if read some data */ dp->th_opcode == DATA && /* and got a data block */ block == dp->th_block) { /* then my last ack was lost */ (void) sendto(peer, ackbuf, 4, 0, (struct sockaddr *)&from, fromlen); /* resend final ack */ } abort: return; } const struct errmsg { int e_code; const char *e_msg; } errmsgs[] = { { EUNDEF, "Undefined error code" }, { ENOTFOUND, "File not found" }, { EACCESS, "Access violation" }, { ENOSPACE, "Disk full or allocation exceeded" }, { EBADOP, "Illegal TFTP operation" }, { EBADID, "Unknown transfer ID" }, { EEXISTS, "File already exists" }, { ENOUSER, "No such user" }, { EOPTNEG, "Option negotiation failed" }, { -1, 0 } }; static const char * errtomsg(int error) { static char ebuf[20]; const struct errmsg *pe; if (error == 0) return ("success"); for (pe = errmsgs; pe->e_code >= 0; pe++) if (pe->e_code == error) return (pe->e_msg); snprintf(ebuf, sizeof(ebuf), "error %d", error); return (ebuf); } /* * Send a nak packet (error message). * Error code passed in is one of the * standard TFTP codes, or a UNIX errno * offset by 100. */ static void nak(int error) { const struct errmsg *pe; struct tftphdr *tp; int length; size_t msglen; tp = (struct tftphdr *)buf; tp->th_opcode = htons((u_short)ERROR); msglen = sizeof(buf) - (&tp->th_msg[0] - buf); for (pe = errmsgs; pe->e_code >= 0; pe++) if (pe->e_code == error) break; if (pe->e_code < 0) { tp->th_code = EUNDEF; /* set 'undef' errorcode */ strlcpy(tp->th_msg, strerror(error - 100), msglen); } else { tp->th_code = htons((u_short)error); strlcpy(tp->th_msg, pe->e_msg, msglen); } if (debug) syslog(LOG_DEBUG, "Send NACK %s", tp->th_msg); length = strlen(tp->th_msg); msglen = &tp->th_msg[length + 1] - buf; if (sendto(peer, buf, msglen, 0, (struct sockaddr *)&from, fromlen) != (ssize_t)msglen) syslog(LOG_ERR, "nak: %m"); } static char * verifyhost(struct sockaddr *fromp) { static char hbuf[MAXHOSTNAMELEN]; if (getnameinfo(fromp, fromp->sa_len, hbuf, sizeof(hbuf), NULL, 0, 0)) strlcpy(hbuf, "?", sizeof(hbuf)); return (hbuf); }