git: 626ee3cac845 - stable/14 - tftpd: Add missing `-S` option to synopsis.

From: Dag-Erling Smørgrav <des_at_FreeBSD.org>
Date: Tue, 14 May 2024 06:59:08 UTC
The branch stable/14 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=626ee3cac8458b355d4330c2099240d3ca881589

commit 626ee3cac8458b355d4330c2099240d3ca881589
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2024-05-10 21:15:37 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2024-05-14 06:58:40 +0000

    tftpd: Add missing `-S` option to synopsis.
    
    MFC after:      3 days
    Sponsored by:   Klara, Inc.
    Reviewed by:    imp, markj
    Differential Revision:  https://reviews.freebsd.org/D45129
    
    (cherry picked from commit 816c4d3dcf99adcd40a03d93431237ddbd23bbdf)
    
    tftpd: Drop unneeded includes.
    
    MFC after:      3 days
    Sponsored by:   Klara, Inc.
    Reviewed by:    imp, markj
    Differential Revision:  https://reviews.freebsd.org/D45130
    
    (cherry picked from commit 1111da6b7c612c571453a23a8dd02fd5e7e40b18)
    
    tftpd: Add missing include.
    
    This went unnoticed due to namespace pollution in our headers.
    
    MFC after:      3 days
    Sponsored by:   Klara, Inc.
    Reviewed by:    imp
    Differential Revision:  https://reviews.freebsd.org/D45131
    
    (cherry picked from commit ae285a8cbf1212bdc1b3f81219635bc1395fadee)
    
    tftpd: Satisfy clang-analyzer.
    
    * Replace `random()` with `arc4random()`.
    * Change some variable types.
    * Drop some unused assignments.
    
    MFC after:      3 days
    Sponsored by:   Klara, Inc.
    Reviewed by:    imp, markj
    Differential Revision:  https://reviews.freebsd.org/D45132
    
    (cherry picked from commit 4d09eb87c5d5bec2e2832f50537e2ce6f75f4117)
    
    tftpd: silence gcc overflow warnings
    
    GCC 13 complains that we might be writing too much to an on-stack buffer
    when createing a filename.
    
    In practice there is a check that filename isn't too long given the
    time format and other static characters so GCC is incorrect, but GCC
    isn't wrong that we're potentially trying to put a MAXPATHLEN length
    string + some other characters into a MAXPATHLEN buffer (if you ignore
    the check GCC can't realistically evaluate at compile time).
    
    Switch to snprintf to populate filename to ensure that future logic
    errors don't result in a stack overflow.
    
    Shorten the questionably named yyyymmdd buffer enough to slience the
    warning (checking the snprintf return value isn't sufficent) while
    preserving maximum flexibility for admins who use the -F option.
    
    MFC after:      3 days
    Sponsored by:   Klara, Inc.
    Reviewed by:    brooks
    Differential Revision:  https://reviews.freebsd.org/D45086
    
    (cherry picked from commit 25945af47e7a1d06c44c8c160045a866e90569ab)
---
 libexec/tftpd/tests/functional.c |  1 +
 libexec/tftpd/tftp-file.h        |  1 -
 libexec/tftpd/tftp-io.c          | 11 +++-----
 libexec/tftpd/tftp-io.h          |  1 -
 libexec/tftpd/tftp-options.h     |  1 -
 libexec/tftpd/tftp-transfer.h    |  1 -
 libexec/tftpd/tftp-utils.c       |  2 +-
 libexec/tftpd/tftp-utils.h       |  3 +--
 libexec/tftpd/tftpd.8            |  6 ++---
 libexec/tftpd/tftpd.c            | 56 +++++++++++++++++++++++++---------------
 10 files changed, 45 insertions(+), 38 deletions(-)

diff --git a/libexec/tftpd/tests/functional.c b/libexec/tftpd/tests/functional.c
index f31d2a893da1..32e5f85cf421 100644
--- a/libexec/tftpd/tests/functional.c
+++ b/libexec/tftpd/tests/functional.c
@@ -29,6 +29,7 @@
 #include <sys/param.h>
 #include <sys/socket.h>
 #include <sys/stat.h>
+#include <sys/time.h>
 #include <sys/wait.h>
 
 #include <netinet/in.h>
diff --git a/libexec/tftpd/tftp-file.h b/libexec/tftpd/tftp-file.h
index 0fb7f6c1decc..c424e5cbc75b 100644
--- a/libexec/tftpd/tftp-file.h
+++ b/libexec/tftpd/tftp-file.h
@@ -25,7 +25,6 @@
  * SUCH DAMAGE.
  */
 
-#include <sys/cdefs.h>
 int	write_init(int fd, FILE *f, const char *mode);
 size_t	write_file(char *buffer, int count);
 int	write_close(void);
diff --git a/libexec/tftpd/tftp-io.c b/libexec/tftpd/tftp-io.c
index b5f39423fd60..aaacc9dd7f45 100644
--- a/libexec/tftpd/tftp-io.c
+++ b/libexec/tftpd/tftp-io.c
@@ -72,13 +72,13 @@ static struct errmsg {
 
 #define DROPPACKET(s)							\
 	if (packetdroppercentage != 0 &&				\
-	    random()%100 < packetdroppercentage) {			\
+	    arc4random()%100 < packetdroppercentage) {			\
 		tftp_log(LOG_DEBUG, "Artificial packet drop in %s", s);	\
 		return;							\
 	}
 #define DROPPACKETn(s,n)						\
 	if (packetdroppercentage != 0 &&				\
-	    random()%100 < packetdroppercentage) {			\
+	    arc4random()%100 < packetdroppercentage) {			\
 		tftp_log(LOG_DEBUG, "Artificial packet drop in %s", s);	\
 		return (n);						\
 	}
@@ -157,10 +157,8 @@ send_error(int peer, int error)
 		pe->e_msg = strerror(error - 100);
 		tp->th_code = EUNDEF;   /* set 'undef' errorcode */
 	}
-	strcpy(tp->th_msg, pe->e_msg);
-	length = strlen(pe->e_msg);
-	tp->th_msg[length] = '\0';
-	length += 5;
+	snprintf(tp->th_msg, MAXPKTSIZE - 4, "%s%n", pe->e_msg, &length);
+	length += 5; /* header and terminator */
 
 	if (debug & DEBUG_PACKETS)
 		tftp_log(LOG_DEBUG, "Sending ERROR %d: %s", error, tp->th_msg);
@@ -331,7 +329,6 @@ send_ack(int fp, uint16_t block)
 	DROPPACKETn("send_ack", 0);
 
 	tp = (struct tftphdr *)buf;
-	size = sizeof(buf) - 2;
 	tp->th_opcode = htons((u_short)ACK);
 	tp->th_block = htons((u_short)block);
 	size = 4;
diff --git a/libexec/tftpd/tftp-io.h b/libexec/tftpd/tftp-io.h
index 85934e824a1a..1d6bc2bd8b5e 100644
--- a/libexec/tftpd/tftp-io.h
+++ b/libexec/tftpd/tftp-io.h
@@ -25,7 +25,6 @@
  * SUCH DAMAGE.
  */
 
-#include <sys/cdefs.h>
 #define RP_NONE		0
 #define	RP_RECVFROM	-1
 #define	RP_TOOSMALL	-2
diff --git a/libexec/tftpd/tftp-options.h b/libexec/tftpd/tftp-options.h
index c68db53de4e2..f1b0a5cfaf32 100644
--- a/libexec/tftpd/tftp-options.h
+++ b/libexec/tftpd/tftp-options.h
@@ -25,7 +25,6 @@
  * SUCH DAMAGE.
  */
 
-#include <sys/cdefs.h>
 /*
  * Options
  */
diff --git a/libexec/tftpd/tftp-transfer.h b/libexec/tftpd/tftp-transfer.h
index 48431ebbc863..449f29c246e0 100644
--- a/libexec/tftpd/tftp-transfer.h
+++ b/libexec/tftpd/tftp-transfer.h
@@ -25,7 +25,6 @@
  * SUCH DAMAGE.
  */
 
-#include <sys/cdefs.h>
 int	tftp_send(int peer, uint16_t *block, struct tftp_stats *tp);
 int	tftp_receive(int peer, uint16_t *block, struct tftp_stats *tp,
 	    struct tftphdr *firstblock, size_t fb_size);
diff --git a/libexec/tftpd/tftp-utils.c b/libexec/tftpd/tftp-utils.c
index b309a94f7653..8ce7c09c9992 100644
--- a/libexec/tftpd/tftp-utils.c
+++ b/libexec/tftpd/tftp-utils.c
@@ -204,7 +204,7 @@ struct debugs debugs[] = {
 	{ DEBUG_ACCESS,		"access",	"TCPd access debugging"	},
 	{ DEBUG_NONE,		NULL,		"No debugging"		},
 };
-int	packetdroppercentage = 0;
+unsigned int packetdroppercentage = 0;
 
 int
 debug_find(char *s)
diff --git a/libexec/tftpd/tftp-utils.h b/libexec/tftpd/tftp-utils.h
index 763b3b493c7e..276dedcf74cd 100644
--- a/libexec/tftpd/tftp-utils.h
+++ b/libexec/tftpd/tftp-utils.h
@@ -25,7 +25,6 @@
  * SUCH DAMAGE.
  */
 
-#include <sys/cdefs.h>
 /*
  */
 #define	TIMEOUT		5
@@ -100,7 +99,7 @@ struct debugs {
 };
 extern int	debug;
 extern struct debugs debugs[];
-extern int	packetdroppercentage;
+extern unsigned int packetdroppercentage;
 int	debug_find(char *s);
 int	debug_finds(char *s);
 const char *debug_show(int d);
diff --git a/libexec/tftpd/tftpd.8 b/libexec/tftpd/tftpd.8
index 3de042197618..24a743a92e14 100644
--- a/libexec/tftpd/tftpd.8
+++ b/libexec/tftpd/tftpd.8
@@ -27,7 +27,7 @@
 .\"
 .\"	@(#)tftpd.8	8.1 (Berkeley) 6/4/93
 .\"
-.Dd July 20, 2023
+.Dd May 8, 2024
 .Dt TFTPD 8
 .Os
 .Sh NAME
@@ -35,11 +35,11 @@
 .Nd Internet Trivial File Transfer Protocol server
 .Sh SYNOPSIS
 .Nm tftpd
-.Op Fl cdClnow
+.Op Fl CcdlnoSw
 .Op Fl F Ar strftime-format
 .Op Fl s Ar directory
-.Op Fl u Ar user
 .Op Fl U Ar umask
+.Op Fl u Ar user
 .Op Ar directory ...
 .Sh DESCRIPTION
 The
diff --git a/libexec/tftpd/tftpd.c b/libexec/tftpd/tftpd.c
index 78348a8c6aaf..00c1257ce548 100644
--- a/libexec/tftpd/tftpd.c
+++ b/libexec/tftpd/tftpd.c
@@ -172,7 +172,7 @@ main(int argc, char *argv[])
 			options_extra_enabled = 0;
 			break;
 		case 'p':
-			packetdroppercentage = atoi(optarg);
+			packetdroppercentage = (unsigned int)atoi(optarg);
 			tftp_log(LOG_INFO,
 			    "Randomly dropping %d out of 100 packets",
 			    packetdroppercentage);
@@ -463,9 +463,9 @@ static char *
 parse_header(int peer, char *recvbuffer, size_t size,
 	char **filename, char **mode)
 {
-	char	*cp;
-	int	i;
 	struct formats *pf;
+	char	*cp;
+	size_t	i;
 
 	*mode = NULL;
 	cp = recvbuffer;
@@ -482,12 +482,11 @@ parse_header(int peer, char *recvbuffer, size_t size,
 
 	i = get_field(peer, cp, size);
 	*mode = cp;
-	cp += i;
 
 	/* Find the file transfer mode */
-	for (cp = *mode; *cp; cp++)
-		if (isupper(*cp))
-			*cp = tolower(*cp);
+	for (; *cp; cp++)
+		if (isupper((unsigned char)*cp))
+			*cp = tolower((unsigned char)*cp);
 	for (pf = formats; pf->f_mode; pf++)
 		if (strcmp(pf->f_mode, *mode) == 0)
 			break;
@@ -624,12 +623,20 @@ tftp_rrq(int peer, char *recvbuffer, size_t size)
 static int
 find_next_name(char *filename, int *fd)
 {
-	int i;
+	/*
+	 * GCC "knows" that we might write all of yyyymmdd plus the static
+	 * elemenents in the format into into newname and thus complains
+	 * unless we reduce the size.  This array is still too big, but since
+	 * the format is user supplied, it's not clear what a better limit
+	 * value would be and this is sufficent to silence the warnings.
+	 */
+	static const int suffix_len = strlen("..00");
+	char yyyymmdd[MAXPATHLEN - suffix_len];
+	char newname[MAXPATHLEN];
+	int i, ret;
 	time_t tval;
-	size_t len;
+	size_t len, namelen;
 	struct tm lt;
-	char yyyymmdd[MAXPATHLEN];
-	char newname[MAXPATHLEN];
 
 	/* Create the YYYYMMDD part of the filename */
 	time(&tval);
@@ -637,26 +644,33 @@ find_next_name(char *filename, int *fd)
 	len = strftime(yyyymmdd, sizeof(yyyymmdd), newfile_format, &lt);
 	if (len == 0) {
 		syslog(LOG_WARNING,
-			"Filename suffix too long (%d characters maximum)",
-			MAXPATHLEN);
+			"Filename suffix too long (%zu characters maximum)",
+			sizeof(yyyymmdd) - 1);
 		return (EACCESS);
 	}
 
 	/* Make sure the new filename is not too long */
-	if (strlen(filename) > MAXPATHLEN - len - 5) {
+	namelen = strlen(filename);
+	if (namelen >= sizeof(newname) - len - suffix_len) {
 		syslog(LOG_WARNING,
-			"Filename too long (%zd characters, %zd maximum)",
-			strlen(filename), MAXPATHLEN - len - 5);
+			"Filename too long (%zu characters, %zu maximum)",
+			namelen,
+			sizeof(newname) - len - suffix_len - 1);
 		return (EACCESS);
 	}
 
 	/* Find the first file which doesn't exist */
 	for (i = 0; i < 100; i++) {
-		sprintf(newname, "%s.%s.%02d", filename, yyyymmdd, i);
-		*fd = open(newname,
-		    O_WRONLY | O_CREAT | O_EXCL,
-		    S_IRUSR | S_IWUSR | S_IRGRP |
-		    S_IWGRP | S_IROTH | S_IWOTH);
+		ret = snprintf(newname, sizeof(newname), "%s.%s.%02d",
+		    filename, yyyymmdd, i);
+		/*
+		 * Size checked above so this can't happen, we'd use a
+		 * (void) cast, but gcc intentionally ignores that if
+		 * snprintf has __attribute__((warn_unused_result)).
+		 */
+		if (ret < 0 || (size_t)ret >= sizeof(newname))
+			__unreachable();
+		*fd = open(newname, O_WRONLY | O_CREAT | O_EXCL, 0666);
 		if (*fd > 0)
 			return 0;
 	}