search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Patrick Welche <prlw1@cam.ac.uk>
[netbsd-mini2440.git] / libexec / tftpd / tftpd.c
blobf98c099b8683baa3063e9694cb582b52e6f8811a
1 /* $NetBSD: tftpd.c,v 1.32 2009/03/16 01:56:21 lukem Exp $ */
2
3 /*
4 * Copyright (c) 1983, 1993
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the University nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #include <sys/cdefs.h>
33 #ifndef lint
34 __COPYRIGHT("@(#) Copyright (c) 1983, 1993\
35 The Regents of the University of California. All rights reserved.");
36 #if 0
37 static char sccsid[] = "@(#)tftpd.c 8.1 (Berkeley) 6/4/93";
38 #else
39 __RCSID("$NetBSD: tftpd.c,v 1.32 2009/03/16 01:56:21 lukem Exp $");
40 #endif
41 #endif /* not lint */
42
43 /*
44 * Trivial file transfer protocol server.
45 *
46 * This version includes many modifications by Jim Guyton
47 * <guyton@rand-unix>.
48 */
49
50 #include <sys/param.h>
51 #include <sys/ioctl.h>
52 #include <sys/stat.h>
53 #include <sys/socket.h>
54
55 #include <netinet/in.h>
56 #include <arpa/tftp.h>
57 #include <arpa/inet.h>
58
59 #include <ctype.h>
60 #include <errno.h>
61 #include <fcntl.h>
62 #include <grp.h>
63 #include <netdb.h>
64 #include <pwd.h>
65 #include <setjmp.h>
66 #include <signal.h>
67 #include <stdio.h>
68 #include <stdlib.h>
69 #include <string.h>
70 #include <syslog.h>
71 #include <time.h>
72 #include <unistd.h>
73
74 #include "tftpsubs.h"
75
76 #define DEFAULTUSER "nobody"
77
78 #define TIMEOUT 5
79
80 static int peer;
81 static int rexmtval = TIMEOUT;
82 static int maxtimeout = 5*TIMEOUT;
83
84 static char buf[MAXPKTSIZE];
85 static char ackbuf[PKTSIZE];
86 static char oackbuf[PKTSIZE];
87 static struct sockaddr_storage from;
88 static socklen_t fromlen;
89 static int debug;
90
91 static int tftp_opt_tsize = 0;
92 static int tftp_blksize = SEGSIZE;
93 static int tftp_tsize = 0;
94
95 /*
96 * Null-terminated directory prefix list for absolute pathname requests and
97 * search list for relative pathname requests.
98 *
99 * MAXDIRS should be at least as large as the number of arguments that
100 * inetd allows (currently 20).
101 */
102 #define MAXDIRS 20
103 static struct dirlist {
104 char *name;
105 int len;
106 } dirs[MAXDIRS+1];
107 static int suppress_naks;
108 static int logging;
109 static int secure;
110 static char pathsep = '\0';
111 static char *securedir;
112
113 struct formats;
114
115 static const char *errtomsg(int);
116 static void nak(int);
117 static void tftp(struct tftphdr *, int);
118 static void usage(void) __attribute__((__noreturn__));
119 static char *verifyhost(struct sockaddr *);
120 static void justquit(int);
121 static void recvfile(struct formats *, int, int);
122 static void sendfile(struct formats *, int, int);
123 static void timer(int);
124 static const char *opcode(int);
125 static int validate_access(char **, int);
126
127 static struct formats {
128 const char *f_mode;
129 int (*f_validate)(char **, int);
130 void (*f_send)(struct formats *, int, int);
131 void (*f_recv)(struct formats *, int, int);
132 int f_convert;
133 } formats[] = {
134 { "netascii", validate_access, sendfile, recvfile, 1 },
135 { "octet", validate_access, sendfile, recvfile, 0 },
136 { .f_mode = NULL }
137 };
138
139 static void
140 usage(void)
141 {
142
143 syslog(LOG_ERR,
144 "Usage: %s [-dln] [-u user] [-g group] [-s directory] [-p pathsep] [directory ...]",
145 getprogname());
146 exit(1);
147 }
148
149 int
150 main(int argc, char *argv[])
151 {
152 struct sockaddr_storage me;
153 struct passwd *pwent;
154 struct group *grent;
155 struct tftphdr *tp;
156 const char *tgtuser, *tgtgroup;
157 char *ep;
158 int n, ch, on, fd;
159 int soopt;
160 socklen_t len;
161 uid_t curuid, tgtuid;
162 gid_t curgid, tgtgid;
163 long nid;
164
165 n = 0;
166 fd = 0;
167 tzset();
168 openlog("tftpd", LOG_PID | LOG_NDELAY, LOG_DAEMON);
169 tgtuser = DEFAULTUSER;
170 tgtgroup = NULL;
171 curuid = getuid();
172 curgid = getgid();
173
174 while ((ch = getopt(argc, argv, "dg:lnp:s:u:w:")) != -1)
175 switch (ch) {
176 case 'd':
177 debug++;
178 break;
179
180 case 'g':
181 tgtgroup = optarg;
182 break;
183
184 case 'l':
185 logging = 1;
186 break;
187
188 case 'n':
189 suppress_naks = 1;
190 break;
191
192 case 'p':
193 if (optarg[0] == '\0' || optarg[1] != '\0')
194 usage();
195 pathsep = optarg[0];
196 break;
197
198 case 's':
199 secure = 1;
200 securedir = optarg;
201 break;
202
203 case 'u':
204 tgtuser = optarg;
205 break;
206
207 default:
208 usage();
209 break;
210 }
211
212 if (optind < argc) {
213 struct dirlist *dirp;
214
215 /* Get list of directory prefixes. Skip relative pathnames. */
216 for (dirp = dirs; optind < argc && dirp < &dirs[MAXDIRS];
217 optind++) {
218 if (argv[optind][0] == '/') {
219 dirp->name = argv[optind];
220 dirp->len = strlen(dirp->name);
221 dirp++;
222 }
223 }
224 }
225
226 if (*tgtuser == '\0' || (tgtgroup != NULL && *tgtgroup == '\0'))
227 usage();
228
229 nid = (strtol(tgtuser, &ep, 10));
230 if (*ep == '\0') {
231 if (nid > UID_MAX) {
232 syslog(LOG_ERR, "uid %ld is too large", nid);
233 exit(1);
234 }
235 pwent = getpwuid((uid_t)nid);
236 } else
237 pwent = getpwnam(tgtuser);
238 if (pwent == NULL) {
239 syslog(LOG_ERR, "unknown user `%s'", tgtuser);
240 exit(1);
241 }
242 tgtuid = pwent->pw_uid;
243 tgtgid = pwent->pw_gid;
244
245 if (tgtgroup != NULL) {
246 nid = (strtol(tgtgroup, &ep, 10));
247 if (*ep == '\0') {
248 if (nid > GID_MAX) {
249 syslog(LOG_ERR, "gid %ld is too large", nid);
250 exit(1);
251 }
252 grent = getgrgid((gid_t)nid);
253 } else
254 grent = getgrnam(tgtgroup);
255 if (grent != NULL)
256 tgtgid = grent->gr_gid;
257 else {
258 syslog(LOG_ERR, "unknown group `%s'", tgtgroup);
259 exit(1);
260 }
261 }
262
263 if (secure) {
264 if (chdir(securedir) < 0) {
265 syslog(LOG_ERR, "chdir %s: %m", securedir);
266 exit(1);
267 }
268 if (chroot(".")) {
269 syslog(LOG_ERR, "chroot: %m");
270 exit(1);
271 }
272 }
273
274 if (logging)
275 syslog(LOG_DEBUG, "running as user `%s' (%d), group `%s' (%d)",
276 tgtuser, tgtuid, tgtgroup ? tgtgroup : "(unspecified)",
277 tgtgid);
278 if (curgid != tgtgid) {
279 if (setgid(tgtgid)) {
280 syslog(LOG_ERR, "setgid to %d: %m", (int)tgtgid);
281 exit(1);
282 }
283 if (setgroups(0, NULL)) {
284 syslog(LOG_ERR, "setgroups: %m");
285 exit(1);
286 }
287 }
288
289 if (curuid != tgtuid) {
290 if (setuid(tgtuid)) {
291 syslog(LOG_ERR, "setuid to %d: %m", (int)tgtuid);
292 exit(1);
293 }
294 }
295
296 on = 1;
297 if (ioctl(fd, FIONBIO, &on) < 0) {
298 syslog(LOG_ERR, "ioctl(FIONBIO): %m");
299 exit(1);
300 }
301 fromlen = sizeof (from);
302 n = recvfrom(fd, buf, sizeof (buf), 0,
303 (struct sockaddr *)&from, &fromlen);
304 if (n < 0) {
305 syslog(LOG_ERR, "recvfrom: %m");
306 exit(1);
307 }
308 /*
309 * Now that we have read the message out of the UDP
310 * socket, we fork and exit. Thus, inetd will go back
311 * to listening to the tftp port, and the next request
312 * to come in will start up a new instance of tftpd.
313 *
314 * We do this so that inetd can run tftpd in "wait" mode.
315 * The problem with tftpd running in "nowait" mode is that
316 * inetd may get one or more successful "selects" on the
317 * tftp port before we do our receive, so more than one
318 * instance of tftpd may be started up. Worse, if tftpd
319 * break before doing the above "recvfrom", inetd would
320 * spawn endless instances, clogging the system.
321 */
322 {
323 int pid;
324 int i;
325 socklen_t j;
326
327 for (i = 1; i < 20; i++) {
328 pid = fork();
329 if (pid < 0) {
330 sleep(i);
331 /*
332 * flush out to most recently sent request.
333 *
334 * This may drop some request, but those
335 * will be resent by the clients when
336 * they timeout. The positive effect of
337 * this flush is to (try to) prevent more
338 * than one tftpd being started up to service
339 * a single request from a single client.
340 */
341 j = sizeof from;
342 i = recvfrom(fd, buf, sizeof (buf), 0,
343 (struct sockaddr *)&from, &j);
344 if (i > 0) {
345 n = i;
346 fromlen = j;
347 }
348 } else {
349 break;
350 }
351 }
352 if (pid < 0) {
353 syslog(LOG_ERR, "fork: %m");
354 exit(1);
355 } else if (pid != 0) {
356 exit(0);
357 }
358 }
359
360 /*
361 * remember what address this was sent to, so we can respond on the
362 * same interface
363 */
364 len = sizeof(me);
365 if (getsockname(fd, (struct sockaddr *)&me, &len) == 0) {
366 switch (me.ss_family) {
367 case AF_INET:
368 ((struct sockaddr_in *)&me)->sin_port = 0;
369 break;
370 case AF_INET6:
371 ((struct sockaddr_in6 *)&me)->sin6_port = 0;
372 break;
373 default:
374 /* unsupported */
375 break;
376 }
377 } else {
378 memset(&me, 0, sizeof(me));
379 me.ss_family = from.ss_family;
380 me.ss_len = from.ss_len;
381 }
382
383 alarm(0);
384 close(fd);
385 close(1);
386 peer = socket(from.ss_family, SOCK_DGRAM, 0);
387 if (peer < 0) {
388 syslog(LOG_ERR, "socket: %m");
389 exit(1);
390 }
391 if (bind(peer, (struct sockaddr *)&me, me.ss_len) < 0) {
392 syslog(LOG_ERR, "bind: %m");
393 exit(1);
394 }
395 if (connect(peer, (struct sockaddr *)&from, from.ss_len) < 0) {
396 syslog(LOG_ERR, "connect: %m");
397 exit(1);
398 }
399 soopt = 65536; /* larger than we'll ever need */
400 if (setsockopt(peer, SOL_SOCKET, SO_SNDBUF, (void *) &soopt, sizeof(soopt)) < 0) {
401 syslog(LOG_ERR, "set SNDBUF: %m");
402 exit(1);
403 }
404 if (setsockopt(peer, SOL_SOCKET, SO_RCVBUF, (void *) &soopt, sizeof(soopt)) < 0) {
405 syslog(LOG_ERR, "set RCVBUF: %m");
406 exit(1);
407 }
408
409 tp = (struct tftphdr *)buf;
410 tp->th_opcode = ntohs(tp->th_opcode);
411 if (tp->th_opcode == RRQ || tp->th_opcode == WRQ)
412 tftp(tp, n);
413 exit(1);
414 }
415
416 static int
417 blk_handler(struct tftphdr *tp, char *opt, char *val, char *ack,
418 int *ackl, int *ec)
419 {
420 unsigned long bsize;
421 char *endp;
422 int l;
423
424 /*
425 * On these failures, we could just ignore the blocksize option.
426 * Perhaps that should be a command-line option.
427 */
428 errno = 0;
429 bsize = strtoul(val, &endp, 10);
430 if ((bsize == ULONG_MAX && errno == ERANGE) || *endp) {
431 syslog(LOG_NOTICE, "%s: %s request for %s: "
432 "illegal value %s for blksize option",
433 verifyhost((struct sockaddr *)&from),
434 tp->th_opcode == WRQ ? "write" : "read",
435 tp->th_stuff, val);
436 return 0;
437 }
438 if (bsize < 8 || bsize > 65464) {
439 syslog(LOG_NOTICE, "%s: %s request for %s: "
440 "out of range value %s for blksize option",
441 verifyhost((struct sockaddr *)&from),
442 tp->th_opcode == WRQ ? "write" : "read",
443 tp->th_stuff, val);
444 return 0;
445 }
446
447 tftp_blksize = bsize;
448 strcpy(ack + *ackl, "blksize");
449 *ackl += 8;
450 l = sprintf(ack + *ackl, "%lu", bsize);
451 *ackl += l + 1;
452
453 return 0;
454 }
455
456 static int
457 timeout_handler(struct tftphdr *tp, char *opt, char *val, char *ack,
458 int *ackl, int *ec)
459 {
460 unsigned long tout;
461 char *endp;
462 int l;
463
464 errno = 0;
465 tout = strtoul(val, &endp, 10);
466 if ((tout == ULONG_MAX && errno == ERANGE) || *endp) {
467 syslog(LOG_NOTICE, "%s: %s request for %s: "
468 "illegal value %s for timeout option",
469 verifyhost((struct sockaddr *)&from),
470 tp->th_opcode == WRQ ? "write" : "read",
471 tp->th_stuff, val);
472 return 0;
473 }
474 if (tout < 1 || tout > 255) {
475 syslog(LOG_NOTICE, "%s: %s request for %s: "
476 "out of range value %s for timeout option",
477 verifyhost((struct sockaddr *)&from),
478 tp->th_opcode == WRQ ? "write" : "read",
479 tp->th_stuff, val);
480 return 0;
481 }
482
483 rexmtval = tout;
484 strcpy(ack + *ackl, "timeout");
485 *ackl += 8;
486 l = sprintf(ack + *ackl, "%lu", tout);
487 *ackl += l + 1;
488
489 /*
490 * Arbitrarily pick a maximum timeout on a request to 3
491 * retransmissions if the interval timeout is more than
492 * one minute. Longest possible timeout is therefore
493 * 3 * 255 - 1, or 764 seconds.
494 */
495 if (rexmtval > 60) {
496 maxtimeout = rexmtval * 3;
497 } else {
498 maxtimeout = rexmtval * 5;
499 }
500
501 return 0;
502 }
503
504 static int
505 tsize_handler(struct tftphdr *tp, char *opt, char *val, char *ack,
506 int *ackl, int *ec)
507 {
508 unsigned long fsize;
509 char *endp;
510
511 /*
512 * Maximum file even with extended tftp is 65535 blocks of
513 * length 65464, or 4290183240 octets (4784056 less than 2^32).
514 * unsigned long is at least 32 bits on all NetBSD archs.
515 */
516
517 errno = 0;
518 fsize = strtoul(val, &endp, 10);
519 if ((fsize == ULONG_MAX && errno == ERANGE) || *endp) {
520 syslog(LOG_NOTICE, "%s: %s request for %s: "
521 "illegal value %s for tsize option",
522 verifyhost((struct sockaddr *)&from),
523 tp->th_opcode == WRQ ? "write" : "read",
524 tp->th_stuff, val);
525 return 0;
526 }
527 if (fsize > (unsigned long) 65535 * 65464) {
528 syslog(LOG_NOTICE, "%s: %s request for %s: "
529 "out of range value %s for tsize option",
530 verifyhost((struct sockaddr *)&from),
531 tp->th_opcode == WRQ ? "write" : "read",
532 tp->th_stuff, val);
533 return 0;
534 }
535
536 tftp_opt_tsize = 1;
537 tftp_tsize = fsize;
538 /*
539 * We will report this later -- either replying with the fsize (WRQ)
540 * or replying with the actual filesize (RRQ).
541 */
542
543 return 0;
544 }
545
546 static const struct tftp_options {
547 const char *o_name;
548 int (*o_handler)(struct tftphdr *, char *, char *, char *,
549 int *, int *);
550 } options[] = {
551 { "blksize", blk_handler },
552 { "timeout", timeout_handler },
553 { "tsize", tsize_handler },
554 { .o_name = NULL }
555 };
556
557 /*
558 * Get options for an extended tftp session. Stuff the ones we
559 * recognize in oackbuf.
560 */
561 static int
562 get_options(struct tftphdr *tp, char *cp, int size, char *ackb,
563 int *alen, int *err)
564 {
565 const struct tftp_options *op;
566 char *option, *value, *endp;
567 int r, rv=0, ec=0;
568
569 endp = cp + size;
570 while (cp < endp) {
571 option = cp;
572 while (*cp && cp < endp) {
573 *cp = tolower((unsigned char)*cp);
574 cp++;
575 }
576 if (*cp) {
577 /* if we have garbage at the end, just ignore it */
578 break;
579 }
580 cp++; /* skip over NUL */
581 value = cp;
582 while (*cp && cp < endp) {
583 cp++;
584 }
585 if (*cp) {
586 /* if we have garbage at the end, just ignore it */
587 break;
588 }
589 cp++;
590 for (op = options; op->o_name; op++) {
591 if (strcmp(op->o_name, option) == 0)
592 break;
593 }
594 if (op->o_name) {
595 r = op->o_handler(tp, option, value, ackb, alen, &ec);
596 if (r < 0) {
597 rv = -1;
598 break;
599 }
600 rv++;
601 } /* else ignore unknown options */
602 }
603
604 if (rv < 0)
605 *err = ec;
606
607 return rv;
608 }
609
610 /*
611 * Handle initial connection protocol.
612 */
613 static void
614 tftp(struct tftphdr *tp, int size)
615 {
616 struct formats *pf;
617 char *cp;
618 char *filename, *mode;
619 int first, ecode, alen, etftp = 0, r;
620
621 ecode = 0; /* XXX gcc */
622 first = 1;
623 mode = NULL;
624
625 filename = cp = tp->th_stuff;
626 again:
627 while (cp < buf + size) {
628 if (*cp == '\0')
629 break;
630 cp++;
631 }
632 if (*cp != '\0') {
633 nak(EBADOP);
634 exit(1);
635 }
636 if (first) {
637 mode = ++cp;
638 first = 0;
639 goto again;
640 }
641 for (cp = mode; *cp; cp++)
642 *cp = tolower((unsigned char)*cp);
643 for (pf = formats; pf->f_mode; pf++)
644 if (strcmp(pf->f_mode, mode) == 0)
645 break;
646 if (pf->f_mode == 0) {
647 nak(EBADOP);
648 exit(1);
649 }
650 /*
651 * cp currently points to the NUL byte following the mode.
652 *
653 * If we have some valid options, then let's assume that we're
654 * now dealing with an extended tftp session. Note that if we
655 * don't get any options, then we *must* assume that we do not
656 * have an extended tftp session. If we get options, we fill
657 * in the ack buf to acknowledge them. If we skip that, then
658 * the client *must* assume that we are not using an extended
659 * session.
660 */
661 size -= (++cp - (char *) tp);
662 if (size > 0 && *cp) {
663 alen = 2; /* Skip over opcode */
664 r = get_options(tp, cp, size, oackbuf, &alen, &ecode);
665 if (r > 0) {
666 etftp = 1;
667 } else if (r < 0) {
668 nak(ecode);
669 exit(1);
670 }
671 }
672 /*
673 * Globally replace the path separator given in the -p option
674 * with / to cope with clients expecting a non-unix path separator.
675 */
676 if (pathsep != '\0') {
677 for (cp = filename; *cp != '\0'; ++cp) {
678 if (*cp == pathsep)
679 *cp = '/';
680 }
681 }
682 ecode = (*pf->f_validate)(&filename, tp->th_opcode);
683 if (logging) {
684 syslog(LOG_INFO, "%s: %s request for %s: %s",
685 verifyhost((struct sockaddr *)&from),
686 tp->th_opcode == WRQ ? "write" : "read",
687 filename, errtomsg(ecode));
688 }
689 if (ecode) {
690 /*
691 * Avoid storms of naks to a RRQ broadcast for a relative
692 * bootfile pathname from a diskless Sun.
693 */
694 if (suppress_naks && *filename != '/' && ecode == ENOTFOUND)
695 exit(0);
696 nak(ecode);
697 exit(1);
698 }
699
700 if (etftp) {
701 struct tftphdr *oack_h;
702
703 if (tftp_opt_tsize) {
704 int l;
705
706 strcpy(oackbuf + alen, "tsize");
707 alen += 6;
708 l = sprintf(oackbuf + alen, "%u", tftp_tsize);
709 alen += l + 1;
710 }
711 oack_h = (struct tftphdr *) oackbuf;
712 oack_h->th_opcode = htons(OACK);
713 }
714
715 if (tp->th_opcode == WRQ)
716 (*pf->f_recv)(pf, etftp, alen);
717 else
718 (*pf->f_send)(pf, etftp, alen);
719 exit(0);
720 }
721
722
723 FILE *file;
724
725 /*
726 * Validate file access. Since we
727 * have no uid or gid, for now require
728 * file to exist and be publicly
729 * readable/writable.
730 * If we were invoked with arguments
731 * from inetd then the file must also be
732 * in one of the given directory prefixes.
733 */
734 int
735 validate_access(char **filep, int mode)
736 {
737 struct stat stbuf;
738 struct dirlist *dirp;
739 static char pathname[MAXPATHLEN];
740 char *filename;
741 int fd;
742
743 filename = *filep;
744
745 /*
746 * Prevent tricksters from getting around the directory restrictions
747 */
748 if (strstr(filename, "/../"))
749 return (EACCESS);
750
751 if (*filename == '/') {
752 /*
753 * Allow the request if it's in one of the approved locations.
754 * Special case: check the null prefix ("/") by looking
755 * for length = 1 and relying on the arg. processing that
756 * it's a /.
757 */
758 for (dirp = dirs; dirp->name != NULL; dirp++) {
759 if (dirp->len == 1 ||
760 (!strncmp(filename, dirp->name, dirp->len) &&
761 filename[dirp->len] == '/'))
762 break;
763 }
764 /* If directory list is empty, allow access to any file */
765 if (dirp->name == NULL && dirp != dirs)
766 return (EACCESS);
767 if (stat(filename, &stbuf) < 0)
768 return (errno == ENOENT ? ENOTFOUND : EACCESS);
769 if (!S_ISREG(stbuf.st_mode))
770 return (ENOTFOUND);
771 if (mode == RRQ) {
772 if ((stbuf.st_mode & S_IROTH) == 0)
773 return (EACCESS);
774 } else {
775 if ((stbuf.st_mode & S_IWOTH) == 0)
776 return (EACCESS);
777 }
778 } else {
779 /*
780 * Relative file name: search the approved locations for it.
781 */
782
783 if (!strncmp(filename, "../", 3))
784 return (EACCESS);
785
786 /*
787 * Find the first file that exists in any of the directories,
788 * check access on it.
789 */
790 if (dirs[0].name != NULL) {
791 for (dirp = dirs; dirp->name != NULL; dirp++) {
792 snprintf(pathname, sizeof pathname, "%s/%s",
793 dirp->name, filename);
794 if (stat(pathname, &stbuf) == 0 &&
795 (stbuf.st_mode & S_IFMT) == S_IFREG) {
796 break;
797 }
798 }
799 if (dirp->name == NULL)
800 return (ENOTFOUND);
801 if (mode == RRQ && !(stbuf.st_mode & S_IROTH))
802 return (EACCESS);
803 if (mode == WRQ && !(stbuf.st_mode & S_IWOTH))
804 return (EACCESS);
805 *filep = filename = pathname;
806 } else {
807 /*
808 * If there's no directory list, take our cue from the
809 * absolute file request check above (*filename == '/'),
810 * and allow access to anything.
811 */
812 if (stat(filename, &stbuf) < 0)
813 return (errno == ENOENT ? ENOTFOUND : EACCESS);
814 if (!S_ISREG(stbuf.st_mode))
815 return (ENOTFOUND);
816 if (mode == RRQ) {
817 if ((stbuf.st_mode & S_IROTH) == 0)
818 return (EACCESS);
819 } else {
820 if ((stbuf.st_mode & S_IWOTH) == 0)
821 return (EACCESS);
822 }
823 *filep = filename;
824 }
825 }
826
827 if (tftp_opt_tsize && mode == RRQ)
828 tftp_tsize = (unsigned long) stbuf.st_size;
829
830 fd = open(filename, mode == RRQ ? O_RDONLY : O_WRONLY | O_TRUNC);
831 if (fd < 0)
832 return (errno + 100);
833 file = fdopen(fd, (mode == RRQ)? "r":"w");
834 if (file == NULL) {
835 close(fd);
836 return (errno + 100);
837 }
838 return (0);
839 }
840
841 static int timeout;
842 static jmp_buf timeoutbuf;
843
844 static void
845 timer(int dummy)
846 {
847
848 timeout += rexmtval;
849 if (timeout >= maxtimeout)
850 exit(1);
851 longjmp(timeoutbuf, 1);
852 }
853
854 static const char *
855 opcode(int code)
856 {
857 static char obuf[64];
858
859 switch (code) {
860 case RRQ:
861 return "RRQ";
862 case WRQ:
863 return "WRQ";
864 case DATA:
865 return "DATA";
866 case ACK:
867 return "ACK";
868 case ERROR:
869 return "ERROR";
870 case OACK:
871 return "OACK";
872 default:
873 (void)snprintf(obuf, sizeof(obuf), "*code 0x%x*", code);
874 return obuf;
875 }
876 }
877
878 /*
879 * Send the requested file.
880 */
881 static void
882 sendfile(struct formats *pf, volatile int etftp, int acklength)
883 {
884 volatile unsigned int block;
885 struct tftphdr *dp;
886 struct tftphdr *ap; /* ack packet */
887 volatile int size;
888 int n;
889
890 signal(SIGALRM, timer);
891 ap = (struct tftphdr *)ackbuf;
892 if (etftp) {
893 dp = (struct tftphdr *)oackbuf;
894 size = acklength - 4;
895 block = 0;
896 } else {
897 dp = r_init();
898 size = 0;
899 block = 1;
900 }
901
902 do {
903 if (block > 0) {
904 size = readit(file, &dp, tftp_blksize, pf->f_convert);
905 if (size < 0) {
906 nak(errno + 100);
907 goto abort;
908 }
909 dp->th_opcode = htons((u_short)DATA);
910 dp->th_block = htons((u_short)block);
911 }
912 timeout = 0;
913 (void)setjmp(timeoutbuf);
914
915 send_data:
916 if (!etftp && debug)
917 syslog(LOG_DEBUG, "Send DATA %u", block);
918 if ((n = send(peer, dp, size + 4, 0)) != size + 4) {
919 syslog(LOG_ERR, "tftpd: write: %m");
920 goto abort;
921 }
922 if (block)
923 read_ahead(file, tftp_blksize, pf->f_convert);
924 for ( ; ; ) {
925 alarm(rexmtval); /* read the ack */
926 n = recv(peer, ackbuf, tftp_blksize, 0);
927 alarm(0);
928 if (n < 0) {
929 syslog(LOG_ERR, "tftpd: read: %m");
930 goto abort;
931 }
932 ap->th_opcode = ntohs((u_short)ap->th_opcode);
933 ap->th_block = ntohs((u_short)ap->th_block);
934 switch (ap->th_opcode) {
935 case ERROR:
936 goto abort;
937
938 case ACK:
939 if (etftp && ap->th_block == 0) {
940 etftp = 0;
941 acklength = 0;
942 dp = r_init();
943 goto done;
944 }
945 if (ap->th_block == (u_short)block)
946 goto done;
947 if (debug)
948 syslog(LOG_DEBUG, "Resync ACK %u != %u",
949 (unsigned int)ap->th_block, block);
950 /* Re-synchronize with the other side */
951 (void) synchnet(peer, tftp_blksize);
952 if (ap->th_block == (u_short)(block - 1))
953 goto send_data;
954 default:
955 syslog(LOG_INFO, "Received %s in sendfile\n",
956 opcode(dp->th_opcode));
957 }
958
959 }
960 done:
961 if (debug)
962 syslog(LOG_DEBUG, "Received ACK for block %u", block);
963 if (block == UINT16_MAX && size == tftp_blksize)
964 syslog(LOG_WARNING,
965 "Block number wrapped (hint: increase block size)");
966 block++;
967 } while (size == tftp_blksize || block == 1);
968 abort:
969 (void) fclose(file);
970 }
971
972 static void
973 justquit(int dummy)
974 {
975
976 exit(0);
977 }
978
979 /*
980 * Receive a file.
981 */
982 static void
983 recvfile(struct formats *pf, volatile int etftp, volatile int acklength)
984 {
985 volatile unsigned int block;
986 struct tftphdr *dp;
987 struct tftphdr *ap; /* ack buffer */
988 volatile int size;
989 int n;
990
991 signal(SIGALRM, timer);
992 dp = w_init();
993 ap = (struct tftphdr *)oackbuf;
994 block = 0;
995 do {
996 timeout = 0;
997 if (etftp == 0) {
998 ap = (struct tftphdr *)ackbuf;
999 ap->th_opcode = htons((u_short)ACK);
1000 ap->th_block = htons((u_short)block);
1001 acklength = 4;
1002 }
1003 if (debug)
1004 syslog(LOG_DEBUG, "Sending ACK for block %u\n", block);
1005 if (block == UINT16_MAX)
1006 syslog(LOG_WARNING,
1007 "Block number wrapped (hint: increase block size)");
1008 block++;
1009 (void) setjmp(timeoutbuf);
1010 send_ack:
1011 ap = (struct tftphdr *) (etftp ? oackbuf : ackbuf);
1012 if (send(peer, ap, acklength, 0) != acklength) {
1013 syslog(LOG_ERR, "tftpd: write: %m");
1014 goto abort;
1015 }
1016 write_behind(file, pf->f_convert);
1017 for ( ; ; ) {
1018 alarm(rexmtval);
1019 n = recv(peer, dp, tftp_blksize + 4, 0);
1020 alarm(0);
1021 if (n < 0) { /* really? */
1022 syslog(LOG_ERR, "tftpd: read: %m");
1023 goto abort;
1024 }
1025 etftp = 0;
1026 dp->th_opcode = ntohs((u_short)dp->th_opcode);
1027 dp->th_block = ntohs((u_short)dp->th_block);
1028 if (debug)
1029 syslog(LOG_DEBUG, "Received %s for block %u",
1030 opcode(dp->th_opcode),
1031 (unsigned int)dp->th_block);
1032
1033 switch (dp->th_opcode) {
1034 case ERROR:
1035 goto abort;
1036 case DATA:
1037 if (dp->th_block == block)
1038 goto done; /* normal */
1039 if (debug)
1040 syslog(LOG_DEBUG, "Resync %u != %u",
1041 (unsigned int)dp->th_block, block);
1042 /* Re-synchronize with the other side */
1043 (void) synchnet(peer, tftp_blksize);
1044 if (dp->th_block == (block-1))
1045 goto send_ack; /* rexmit */
1046 break;
1047 default:
1048 syslog(LOG_INFO, "Received %s in recvfile\n",
1049 opcode(dp->th_opcode));
1050 break;
1051 }
1052 }
1053 done:
1054 if (debug)
1055 syslog(LOG_DEBUG, "Got block %u", block);
1056 /* size = write(file, dp->th_data, n - 4); */
1057 size = writeit(file, &dp, n - 4, pf->f_convert);
1058 if (size != (n-4)) { /* ahem */
1059 if (size < 0) nak(errno + 100);
1060 else nak(ENOSPACE);
1061 goto abort;
1062 }
1063 } while (size == tftp_blksize);
1064 write_behind(file, pf->f_convert);
1065 (void) fclose(file); /* close data file */
1066
1067 ap->th_opcode = htons((u_short)ACK); /* send the "final" ack */
1068 ap->th_block = htons((u_short)(block));
1069 if (debug)
1070 syslog(LOG_DEBUG, "Send final ACK %u", block);
1071 (void) send(peer, ackbuf, 4, 0);
1072
1073 signal(SIGALRM, justquit); /* just quit on timeout */
1074 alarm(rexmtval);
1075 n = recv(peer, buf, sizeof (buf), 0); /* normally times out and quits */
1076 alarm(0);
1077 if (n >= 4 && /* if read some data */
1078 dp->th_opcode == DATA && /* and got a data block */
1079 block == dp->th_block) { /* then my last ack was lost */
1080 (void) send(peer, ackbuf, 4, 0); /* resend final ack */
1081 }
1082 abort:
1083 return;
1084 }
1085
1086 const struct errmsg {
1087 int e_code;
1088 const char *e_msg;
1089 } errmsgs[] = {
1090 { EUNDEF, "Undefined error code" },
1091 { ENOTFOUND, "File not found" },
1092 { EACCESS, "Access violation" },
1093 { ENOSPACE, "Disk full or allocation exceeded" },
1094 { EBADOP, "Illegal TFTP operation" },
1095 { EBADID, "Unknown transfer ID" },
1096 { EEXISTS, "File already exists" },
1097 { ENOUSER, "No such user" },
1098 { EOPTNEG, "Option negotiation failed" },
1099 { -1, 0 }
1100 };
1101
1102 static const char *
1103 errtomsg(int error)
1104 {
1105 static char ebuf[20];
1106 const struct errmsg *pe;
1107
1108 if (error == 0)
1109 return ("success");
1110 for (pe = errmsgs; pe->e_code >= 0; pe++)
1111 if (pe->e_code == error)
1112 return (pe->e_msg);
1113 snprintf(ebuf, sizeof(ebuf), "error %d", error);
1114 return (ebuf);
1115 }
1116
1117 /*
1118 * Send a nak packet (error message).
1119 * Error code passed in is one of the
1120 * standard TFTP codes, or a UNIX errno
1121 * offset by 100.
1122 */
1123 static void
1124 nak(int error)
1125 {
1126 const struct errmsg *pe;
1127 struct tftphdr *tp;
1128 int length;
1129 size_t msglen;
1130
1131 tp = (struct tftphdr *)buf;
1132 tp->th_opcode = htons((u_short)ERROR);
1133 msglen = sizeof(buf) - (&tp->th_msg[0] - buf);
1134 for (pe = errmsgs; pe->e_code >= 0; pe++)
1135 if (pe->e_code == error)
1136 break;
1137 if (pe->e_code < 0) {
1138 tp->th_code = EUNDEF; /* set 'undef' errorcode */
1139 strlcpy(tp->th_msg, strerror(error - 100), msglen);
1140 } else {
1141 tp->th_code = htons((u_short)error);
1142 strlcpy(tp->th_msg, pe->e_msg, msglen);
1143 }
1144 if (debug)
1145 syslog(LOG_DEBUG, "Send NACK %s", tp->th_msg);
1146 length = strlen(tp->th_msg);
1147 msglen = &tp->th_msg[length + 1] - buf;
1148 if (send(peer, buf, msglen, 0) != msglen)
1149 syslog(LOG_ERR, "nak: %m");
1150 }
1151
1152 static char *
1153 verifyhost(struct sockaddr *fromp)
1154 {
1155 static char hbuf[MAXHOSTNAMELEN];
1156
1157 if (getnameinfo(fromp, fromp->sa_len, hbuf, sizeof(hbuf), NULL, 0, 0))
1158 strlcpy(hbuf, "?", sizeof(hbuf));
1159 return (hbuf);
1160 }
NetBSD on the FriendlyARM MINI2440