git: 626ee3cac845 - stable/14 - tftpd: Add missing `-S` option to synopsis.
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Tue, 14 May 2024 06:59:08 UTC
The branch stable/14 has been updated by des: URL: https://cgit.FreeBSD.org/src/commit/?id=626ee3cac8458b355d4330c2099240d3ca881589 commit 626ee3cac8458b355d4330c2099240d3ca881589 Author: Dag-Erling Smørgrav <des@FreeBSD.org> AuthorDate: 2024-05-10 21:15:37 +0000 Commit: Dag-Erling Smørgrav <des@FreeBSD.org> CommitDate: 2024-05-14 06:58:40 +0000 tftpd: Add missing `-S` option to synopsis. MFC after: 3 days Sponsored by: Klara, Inc. Reviewed by: imp, markj Differential Revision: https://reviews.freebsd.org/D45129 (cherry picked from commit 816c4d3dcf99adcd40a03d93431237ddbd23bbdf) tftpd: Drop unneeded includes. MFC after: 3 days Sponsored by: Klara, Inc. Reviewed by: imp, markj Differential Revision: https://reviews.freebsd.org/D45130 (cherry picked from commit 1111da6b7c612c571453a23a8dd02fd5e7e40b18) tftpd: Add missing include. This went unnoticed due to namespace pollution in our headers. MFC after: 3 days Sponsored by: Klara, Inc. Reviewed by: imp Differential Revision: https://reviews.freebsd.org/D45131 (cherry picked from commit ae285a8cbf1212bdc1b3f81219635bc1395fadee) tftpd: Satisfy clang-analyzer. * Replace `random()` with `arc4random()`. * Change some variable types. * Drop some unused assignments. MFC after: 3 days Sponsored by: Klara, Inc. Reviewed by: imp, markj Differential Revision: https://reviews.freebsd.org/D45132 (cherry picked from commit 4d09eb87c5d5bec2e2832f50537e2ce6f75f4117) tftpd: silence gcc overflow warnings GCC 13 complains that we might be writing too much to an on-stack buffer when createing a filename. In practice there is a check that filename isn't too long given the time format and other static characters so GCC is incorrect, but GCC isn't wrong that we're potentially trying to put a MAXPATHLEN length string + some other characters into a MAXPATHLEN buffer (if you ignore the check GCC can't realistically evaluate at compile time). Switch to snprintf to populate filename to ensure that future logic errors don't result in a stack overflow. Shorten the questionably named yyyymmdd buffer enough to slience the warning (checking the snprintf return value isn't sufficent) while preserving maximum flexibility for admins who use the -F option. MFC after: 3 days Sponsored by: Klara, Inc. Reviewed by: brooks Differential Revision: https://reviews.freebsd.org/D45086 (cherry picked from commit 25945af47e7a1d06c44c8c160045a866e90569ab) --- libexec/tftpd/tests/functional.c | 1 + libexec/tftpd/tftp-file.h | 1 - libexec/tftpd/tftp-io.c | 11 +++----- libexec/tftpd/tftp-io.h | 1 - libexec/tftpd/tftp-options.h | 1 - libexec/tftpd/tftp-transfer.h | 1 - libexec/tftpd/tftp-utils.c | 2 +- libexec/tftpd/tftp-utils.h | 3 +-- libexec/tftpd/tftpd.8 | 6 ++--- libexec/tftpd/tftpd.c | 56 +++++++++++++++++++++++++--------------- 10 files changed, 45 insertions(+), 38 deletions(-) diff --git a/libexec/tftpd/tests/functional.c b/libexec/tftpd/tests/functional.c index f31d2a893da1..32e5f85cf421 100644 --- a/libexec/tftpd/tests/functional.c +++ b/libexec/tftpd/tests/functional.c @@ -29,6 +29,7 @@ #include <sys/param.h> #include <sys/socket.h> #include <sys/stat.h> +#include <sys/time.h> #include <sys/wait.h> #include <netinet/in.h> diff --git a/libexec/tftpd/tftp-file.h b/libexec/tftpd/tftp-file.h index 0fb7f6c1decc..c424e5cbc75b 100644 --- a/libexec/tftpd/tftp-file.h +++ b/libexec/tftpd/tftp-file.h @@ -25,7 +25,6 @@ * SUCH DAMAGE. */ -#include <sys/cdefs.h> int write_init(int fd, FILE *f, const char *mode); size_t write_file(char *buffer, int count); int write_close(void); diff --git a/libexec/tftpd/tftp-io.c b/libexec/tftpd/tftp-io.c index b5f39423fd60..aaacc9dd7f45 100644 --- a/libexec/tftpd/tftp-io.c +++ b/libexec/tftpd/tftp-io.c @@ -72,13 +72,13 @@ static struct errmsg { #define DROPPACKET(s) \ if (packetdroppercentage != 0 && \ - random()%100 < packetdroppercentage) { \ + arc4random()%100 < packetdroppercentage) { \ tftp_log(LOG_DEBUG, "Artificial packet drop in %s", s); \ return; \ } #define DROPPACKETn(s,n) \ if (packetdroppercentage != 0 && \ - random()%100 < packetdroppercentage) { \ + arc4random()%100 < packetdroppercentage) { \ tftp_log(LOG_DEBUG, "Artificial packet drop in %s", s); \ return (n); \ } @@ -157,10 +157,8 @@ send_error(int peer, int error) pe->e_msg = strerror(error - 100); tp->th_code = EUNDEF; /* set 'undef' errorcode */ } - strcpy(tp->th_msg, pe->e_msg); - length = strlen(pe->e_msg); - tp->th_msg[length] = '\0'; - length += 5; + snprintf(tp->th_msg, MAXPKTSIZE - 4, "%s%n", pe->e_msg, &length); + length += 5; /* header and terminator */ if (debug & DEBUG_PACKETS) tftp_log(LOG_DEBUG, "Sending ERROR %d: %s", error, tp->th_msg); @@ -331,7 +329,6 @@ send_ack(int fp, uint16_t block) DROPPACKETn("send_ack", 0); tp = (struct tftphdr *)buf; - size = sizeof(buf) - 2; tp->th_opcode = htons((u_short)ACK); tp->th_block = htons((u_short)block); size = 4; diff --git a/libexec/tftpd/tftp-io.h b/libexec/tftpd/tftp-io.h index 85934e824a1a..1d6bc2bd8b5e 100644 --- a/libexec/tftpd/tftp-io.h +++ b/libexec/tftpd/tftp-io.h @@ -25,7 +25,6 @@ * SUCH DAMAGE. */ -#include <sys/cdefs.h> #define RP_NONE 0 #define RP_RECVFROM -1 #define RP_TOOSMALL -2 diff --git a/libexec/tftpd/tftp-options.h b/libexec/tftpd/tftp-options.h index c68db53de4e2..f1b0a5cfaf32 100644 --- a/libexec/tftpd/tftp-options.h +++ b/libexec/tftpd/tftp-options.h @@ -25,7 +25,6 @@ * SUCH DAMAGE. */ -#include <sys/cdefs.h> /* * Options */ diff --git a/libexec/tftpd/tftp-transfer.h b/libexec/tftpd/tftp-transfer.h index 48431ebbc863..449f29c246e0 100644 --- a/libexec/tftpd/tftp-transfer.h +++ b/libexec/tftpd/tftp-transfer.h @@ -25,7 +25,6 @@ * SUCH DAMAGE. */ -#include <sys/cdefs.h> int tftp_send(int peer, uint16_t *block, struct tftp_stats *tp); int tftp_receive(int peer, uint16_t *block, struct tftp_stats *tp, struct tftphdr *firstblock, size_t fb_size); diff --git a/libexec/tftpd/tftp-utils.c b/libexec/tftpd/tftp-utils.c index b309a94f7653..8ce7c09c9992 100644 --- a/libexec/tftpd/tftp-utils.c +++ b/libexec/tftpd/tftp-utils.c @@ -204,7 +204,7 @@ struct debugs debugs[] = { { DEBUG_ACCESS, "access", "TCPd access debugging" }, { DEBUG_NONE, NULL, "No debugging" }, }; -int packetdroppercentage = 0; +unsigned int packetdroppercentage = 0; int debug_find(char *s) diff --git a/libexec/tftpd/tftp-utils.h b/libexec/tftpd/tftp-utils.h index 763b3b493c7e..276dedcf74cd 100644 --- a/libexec/tftpd/tftp-utils.h +++ b/libexec/tftpd/tftp-utils.h @@ -25,7 +25,6 @@ * SUCH DAMAGE. */ -#include <sys/cdefs.h> /* */ #define TIMEOUT 5 @@ -100,7 +99,7 @@ struct debugs { }; extern int debug; extern struct debugs debugs[]; -extern int packetdroppercentage; +extern unsigned int packetdroppercentage; int debug_find(char *s); int debug_finds(char *s); const char *debug_show(int d); diff --git a/libexec/tftpd/tftpd.8 b/libexec/tftpd/tftpd.8 index 3de042197618..24a743a92e14 100644 --- a/libexec/tftpd/tftpd.8 +++ b/libexec/tftpd/tftpd.8 @@ -27,7 +27,7 @@ .\" .\" @(#)tftpd.8 8.1 (Berkeley) 6/4/93 .\" -.Dd July 20, 2023 +.Dd May 8, 2024 .Dt TFTPD 8 .Os .Sh NAME @@ -35,11 +35,11 @@ .Nd Internet Trivial File Transfer Protocol server .Sh SYNOPSIS .Nm tftpd -.Op Fl cdClnow +.Op Fl CcdlnoSw .Op Fl F Ar strftime-format .Op Fl s Ar directory -.Op Fl u Ar user .Op Fl U Ar umask +.Op Fl u Ar user .Op Ar directory ... .Sh DESCRIPTION The diff --git a/libexec/tftpd/tftpd.c b/libexec/tftpd/tftpd.c index 78348a8c6aaf..00c1257ce548 100644 --- a/libexec/tftpd/tftpd.c +++ b/libexec/tftpd/tftpd.c @@ -172,7 +172,7 @@ main(int argc, char *argv[]) options_extra_enabled = 0; break; case 'p': - packetdroppercentage = atoi(optarg); + packetdroppercentage = (unsigned int)atoi(optarg); tftp_log(LOG_INFO, "Randomly dropping %d out of 100 packets", packetdroppercentage); @@ -463,9 +463,9 @@ static char * parse_header(int peer, char *recvbuffer, size_t size, char **filename, char **mode) { - char *cp; - int i; struct formats *pf; + char *cp; + size_t i; *mode = NULL; cp = recvbuffer; @@ -482,12 +482,11 @@ parse_header(int peer, char *recvbuffer, size_t size, i = get_field(peer, cp, size); *mode = cp; - cp += i; /* Find the file transfer mode */ - for (cp = *mode; *cp; cp++) - if (isupper(*cp)) - *cp = tolower(*cp); + for (; *cp; cp++) + if (isupper((unsigned char)*cp)) + *cp = tolower((unsigned char)*cp); for (pf = formats; pf->f_mode; pf++) if (strcmp(pf->f_mode, *mode) == 0) break; @@ -624,12 +623,20 @@ tftp_rrq(int peer, char *recvbuffer, size_t size) static int find_next_name(char *filename, int *fd) { - int i; + /* + * GCC "knows" that we might write all of yyyymmdd plus the static + * elemenents in the format into into newname and thus complains + * unless we reduce the size. This array is still too big, but since + * the format is user supplied, it's not clear what a better limit + * value would be and this is sufficent to silence the warnings. + */ + static const int suffix_len = strlen("..00"); + char yyyymmdd[MAXPATHLEN - suffix_len]; + char newname[MAXPATHLEN]; + int i, ret; time_t tval; - size_t len; + size_t len, namelen; struct tm lt; - char yyyymmdd[MAXPATHLEN]; - char newname[MAXPATHLEN]; /* Create the YYYYMMDD part of the filename */ time(&tval); @@ -637,26 +644,33 @@ find_next_name(char *filename, int *fd) len = strftime(yyyymmdd, sizeof(yyyymmdd), newfile_format, <); if (len == 0) { syslog(LOG_WARNING, - "Filename suffix too long (%d characters maximum)", - MAXPATHLEN); + "Filename suffix too long (%zu characters maximum)", + sizeof(yyyymmdd) - 1); return (EACCESS); } /* Make sure the new filename is not too long */ - if (strlen(filename) > MAXPATHLEN - len - 5) { + namelen = strlen(filename); + if (namelen >= sizeof(newname) - len - suffix_len) { syslog(LOG_WARNING, - "Filename too long (%zd characters, %zd maximum)", - strlen(filename), MAXPATHLEN - len - 5); + "Filename too long (%zu characters, %zu maximum)", + namelen, + sizeof(newname) - len - suffix_len - 1); return (EACCESS); } /* Find the first file which doesn't exist */ for (i = 0; i < 100; i++) { - sprintf(newname, "%s.%s.%02d", filename, yyyymmdd, i); - *fd = open(newname, - O_WRONLY | O_CREAT | O_EXCL, - S_IRUSR | S_IWUSR | S_IRGRP | - S_IWGRP | S_IROTH | S_IWOTH); + ret = snprintf(newname, sizeof(newname), "%s.%s.%02d", + filename, yyyymmdd, i); + /* + * Size checked above so this can't happen, we'd use a + * (void) cast, but gcc intentionally ignores that if + * snprintf has __attribute__((warn_unused_result)). + */ + if (ret < 0 || (size_t)ret >= sizeof(newname)) + __unreachable(); + *fd = open(newname, O_WRONLY | O_CREAT | O_EXCL, 0666); if (*fd > 0) return 0; }