The branch stable/14 has been updated by des:
URL:
https://cgit.FreeBSD.org/src/commit/?id=626ee3cac8458b355d4330c2099240d3ca881589
commit 626ee3cac8458b355d4330c2099240d3ca881589
Author: Dag-Erling Smørgrav <d...@freebsd.org>
AuthorDate: 2024-05-10 21:15:37 +0000
Commit: Dag-Erling Smørgrav <d...@freebsd.org>
CommitDate: 2024-05-14 06:58:40 +0000
tftpd: Add missing `-S` option to synopsis.
MFC after: 3 days
Sponsored by: Klara, Inc.
Reviewed by: imp, markj
Differential Revision: https://reviews.freebsd.org/D45129
(cherry picked from commit 816c4d3dcf99adcd40a03d93431237ddbd23bbdf)
tftpd: Drop unneeded includes.
MFC after: 3 days
Sponsored by: Klara, Inc.
Reviewed by: imp, markj
Differential Revision: https://reviews.freebsd.org/D45130
(cherry picked from commit 1111da6b7c612c571453a23a8dd02fd5e7e40b18)
tftpd: Add missing include.
This went unnoticed due to namespace pollution in our headers.
MFC after: 3 days
Sponsored by: Klara, Inc.
Reviewed by: imp
Differential Revision: https://reviews.freebsd.org/D45131
(cherry picked from commit ae285a8cbf1212bdc1b3f81219635bc1395fadee)
tftpd: Satisfy clang-analyzer.
* Replace `random()` with `arc4random()`.
* Change some variable types.
* Drop some unused assignments.
MFC after: 3 days
Sponsored by: Klara, Inc.
Reviewed by: imp, markj
Differential Revision: https://reviews.freebsd.org/D45132
(cherry picked from commit 4d09eb87c5d5bec2e2832f50537e2ce6f75f4117)
tftpd: silence gcc overflow warnings
GCC 13 complains that we might be writing too much to an on-stack buffer
when createing a filename.
In practice there is a check that filename isn't too long given the
time format and other static characters so GCC is incorrect, but GCC
isn't wrong that we're potentially trying to put a MAXPATHLEN length
string + some other characters into a MAXPATHLEN buffer (if you ignore
the check GCC can't realistically evaluate at compile time).
Switch to snprintf to populate filename to ensure that future logic
errors don't result in a stack overflow.
Shorten the questionably named yyyymmdd buffer enough to slience the
warning (checking the snprintf return value isn't sufficent) while
preserving maximum flexibility for admins who use the -F option.
MFC after: 3 days
Sponsored by: Klara, Inc.
Reviewed by: brooks
Differential Revision: https://reviews.freebsd.org/D45086
(cherry picked from commit 25945af47e7a1d06c44c8c160045a866e90569ab)
---
libexec/tftpd/tests/functional.c | 1 +
libexec/tftpd/tftp-file.h | 1 -
libexec/tftpd/tftp-io.c | 11 +++-----
libexec/tftpd/tftp-io.h | 1 -
libexec/tftpd/tftp-options.h | 1 -
libexec/tftpd/tftp-transfer.h | 1 -
libexec/tftpd/tftp-utils.c | 2 +-
libexec/tftpd/tftp-utils.h | 3 +--
libexec/tftpd/tftpd.8 | 6 ++---
libexec/tftpd/tftpd.c | 56 +++++++++++++++++++++++++---------------
10 files changed, 45 insertions(+), 38 deletions(-)
diff --git a/libexec/tftpd/tests/functional.c b/libexec/tftpd/tests/functional.c
index f31d2a893da1..32e5f85cf421 100644
--- a/libexec/tftpd/tests/functional.c
+++ b/libexec/tftpd/tests/functional.c
@@ -29,6 +29,7 @@
#include <sys/param.h>
#include <sys/socket.h>
#include <sys/stat.h>
+#include <sys/time.h>
#include <sys/wait.h>
#include <netinet/in.h>
diff --git a/libexec/tftpd/tftp-file.h b/libexec/tftpd/tftp-file.h
index 0fb7f6c1decc..c424e5cbc75b 100644
--- a/libexec/tftpd/tftp-file.h
+++ b/libexec/tftpd/tftp-file.h
@@ -25,7 +25,6 @@
* SUCH DAMAGE.
*/
-#include <sys/cdefs.h>
int write_init(int fd, FILE *f, const char *mode);
size_t write_file(char *buffer, int count);
int write_close(void);
diff --git a/libexec/tftpd/tftp-io.c b/libexec/tftpd/tftp-io.c
index b5f39423fd60..aaacc9dd7f45 100644
--- a/libexec/tftpd/tftp-io.c
+++ b/libexec/tftpd/tftp-io.c
@@ -72,13 +72,13 @@ static struct errmsg {
#define DROPPACKET(s) \
if (packetdroppercentage != 0 && \
- random()%100 < packetdroppercentage) { \
+ arc4random()%100 < packetdroppercentage) { \
tftp_log(LOG_DEBUG, "Artificial packet drop in %s", s); \
return; \
}
#define DROPPACKETn(s,n) \
if (packetdroppercentage != 0 && \
- random()%100 < packetdroppercentage) { \
+ arc4random()%100 < packetdroppercentage) { \
tftp_log(LOG_DEBUG, "Artificial packet drop in %s", s); \
return (n); \
}
@@ -157,10 +157,8 @@ send_error(int peer, int error)
pe->e_msg = strerror(error - 100);
tp->th_code = EUNDEF; /* set 'undef' errorcode */
}
- strcpy(tp->th_msg, pe->e_msg);
- length = strlen(pe->e_msg);
- tp->th_msg[length] = '\0';
- length += 5;
+ snprintf(tp->th_msg, MAXPKTSIZE - 4, "%s%n", pe->e_msg, &length);
+ length += 5; /* header and terminator */
if (debug & DEBUG_PACKETS)
tftp_log(LOG_DEBUG, "Sending ERROR %d: %s", error, tp->th_msg);
@@ -331,7 +329,6 @@ send_ack(int fp, uint16_t block)
DROPPACKETn("send_ack", 0);
tp = (struct tftphdr *)buf;
- size = sizeof(buf) - 2;
tp->th_opcode = htons((u_short)ACK);
tp->th_block = htons((u_short)block);
size = 4;
diff --git a/libexec/tftpd/tftp-io.h b/libexec/tftpd/tftp-io.h
index 85934e824a1a..1d6bc2bd8b5e 100644
--- a/libexec/tftpd/tftp-io.h
+++ b/libexec/tftpd/tftp-io.h
@@ -25,7 +25,6 @@
* SUCH DAMAGE.
*/
-#include <sys/cdefs.h>
#define RP_NONE 0
#define RP_RECVFROM -1
#define RP_TOOSMALL -2
diff --git a/libexec/tftpd/tftp-options.h b/libexec/tftpd/tftp-options.h
index c68db53de4e2..f1b0a5cfaf32 100644
--- a/libexec/tftpd/tftp-options.h
+++ b/libexec/tftpd/tftp-options.h
@@ -25,7 +25,6 @@
* SUCH DAMAGE.
*/
-#include <sys/cdefs.h>
/*
* Options
*/
diff --git a/libexec/tftpd/tftp-transfer.h b/libexec/tftpd/tftp-transfer.h
index 48431ebbc863..449f29c246e0 100644
--- a/libexec/tftpd/tftp-transfer.h
+++ b/libexec/tftpd/tftp-transfer.h
@@ -25,7 +25,6 @@
* SUCH DAMAGE.
*/
-#include <sys/cdefs.h>
int tftp_send(int peer, uint16_t *block, struct tftp_stats *tp);
int tftp_receive(int peer, uint16_t *block, struct tftp_stats *tp,
struct tftphdr *firstblock, size_t fb_size);
diff --git a/libexec/tftpd/tftp-utils.c b/libexec/tftpd/tftp-utils.c
index b309a94f7653..8ce7c09c9992 100644
--- a/libexec/tftpd/tftp-utils.c
+++ b/libexec/tftpd/tftp-utils.c
@@ -204,7 +204,7 @@ struct debugs debugs[] = {
{ DEBUG_ACCESS, "access", "TCPd access debugging" },
{ DEBUG_NONE, NULL, "No debugging" },
};
-int packetdroppercentage = 0;
+unsigned int packetdroppercentage = 0;
int
debug_find(char *s)
diff --git a/libexec/tftpd/tftp-utils.h b/libexec/tftpd/tftp-utils.h
index 763b3b493c7e..276dedcf74cd 100644
--- a/libexec/tftpd/tftp-utils.h
+++ b/libexec/tftpd/tftp-utils.h
@@ -25,7 +25,6 @@
* SUCH DAMAGE.
*/
-#include <sys/cdefs.h>
/*
*/
#define TIMEOUT 5
@@ -100,7 +99,7 @@ struct debugs {
};
extern int debug;
extern struct debugs debugs[];
-extern int packetdroppercentage;
+extern unsigned int packetdroppercentage;
int debug_find(char *s);
int debug_finds(char *s);
const char *debug_show(int d);
diff --git a/libexec/tftpd/tftpd.8 b/libexec/tftpd/tftpd.8
index 3de042197618..24a743a92e14 100644
--- a/libexec/tftpd/tftpd.8
+++ b/libexec/tftpd/tftpd.8
@@ -27,7 +27,7 @@
.\"
.\" @(#)tftpd.8 8.1 (Berkeley) 6/4/93
.\"
-.Dd July 20, 2023
+.Dd May 8, 2024
.Dt TFTPD 8
.Os
.Sh NAME
@@ -35,11 +35,11 @@
.Nd Internet Trivial File Transfer Protocol server
.Sh SYNOPSIS
.Nm tftpd
-.Op Fl cdClnow
+.Op Fl CcdlnoSw
.Op Fl F Ar strftime-format
.Op Fl s Ar directory
-.Op Fl u Ar user
.Op Fl U Ar umask
+.Op Fl u Ar user
.Op Ar directory ...
.Sh DESCRIPTION
The
diff --git a/libexec/tftpd/tftpd.c b/libexec/tftpd/tftpd.c
index 78348a8c6aaf..00c1257ce548 100644
--- a/libexec/tftpd/tftpd.c
+++ b/libexec/tftpd/tftpd.c
@@ -172,7 +172,7 @@ main(int argc, char *argv[])
options_extra_enabled = 0;
break;
case 'p':
- packetdroppercentage = atoi(optarg);
+ packetdroppercentage = (unsigned int)atoi(optarg);
tftp_log(LOG_INFO,
"Randomly dropping %d out of 100 packets",
packetdroppercentage);
@@ -463,9 +463,9 @@ static char *
parse_header(int peer, char *recvbuffer, size_t size,
char **filename, char **mode)
{
- char *cp;
- int i;
struct formats *pf;
+ char *cp;
+ size_t i;
*mode = NULL;
cp = recvbuffer;
@@ -482,12 +482,11 @@ parse_header(int peer, char *recvbuffer, size_t size,
i = get_field(peer, cp, size);
*mode = cp;
- cp += i;
/* Find the file transfer mode */
- for (cp = *mode; *cp; cp++)
- if (isupper(*cp))
- *cp = tolower(*cp);
+ for (; *cp; cp++)
+ if (isupper((unsigned char)*cp))
+ *cp = tolower((unsigned char)*cp);
for (pf = formats; pf->f_mode; pf++)
if (strcmp(pf->f_mode, *mode) == 0)
break;
@@ -624,12 +623,20 @@ tftp_rrq(int peer, char *recvbuffer, size_t size)
static int
find_next_name(char *filename, int *fd)
{
- int i;
+ /*
+ * GCC "knows" that we might write all of yyyymmdd plus the static
+ * elemenents in the format into into newname and thus complains
+ * unless we reduce the size. This array is still too big, but since
+ * the format is user supplied, it's not clear what a better limit
+ * value would be and this is sufficent to silence the warnings.
+ */
+ static const int suffix_len = strlen("..00");
+ char yyyymmdd[MAXPATHLEN - suffix_len];
+ char newname[MAXPATHLEN];
+ int i, ret;
time_t tval;
- size_t len;
+ size_t len, namelen;
struct tm lt;
- char yyyymmdd[MAXPATHLEN];
- char newname[MAXPATHLEN];
/* Create the YYYYMMDD part of the filename */
time(&tval);
@@ -637,26 +644,33 @@ find_next_name(char *filename, int *fd)
len = strftime(yyyymmdd, sizeof(yyyymmdd), newfile_format, <);
if (len == 0) {
syslog(LOG_WARNING,
- "Filename suffix too long (%d characters maximum)",
- MAXPATHLEN);
+ "Filename suffix too long (%zu characters maximum)",
+ sizeof(yyyymmdd) - 1);
return (EACCESS);
}
/* Make sure the new filename is not too long */
- if (strlen(filename) > MAXPATHLEN - len - 5) {
+ namelen = strlen(filename);
+ if (namelen >= sizeof(newname) - len - suffix_len) {
syslog(LOG_WARNING,
- "Filename too long (%zd characters, %zd maximum)",
- strlen(filename), MAXPATHLEN - len - 5);
+ "Filename too long (%zu characters, %zu maximum)",
+ namelen,
+ sizeof(newname) - len - suffix_len - 1);
return (EACCESS);
}
/* Find the first file which doesn't exist */
for (i = 0; i < 100; i++) {
- sprintf(newname, "%s.%s.%02d", filename, yyyymmdd, i);
- *fd = open(newname,
- O_WRONLY | O_CREAT | O_EXCL,
- S_IRUSR | S_IWUSR | S_IRGRP |
- S_IWGRP | S_IROTH | S_IWOTH);
+ ret = snprintf(newname, sizeof(newname), "%s.%s.%02d",
+ filename, yyyymmdd, i);
+ /*
+ * Size checked above so this can't happen, we'd use a
+ * (void) cast, but gcc intentionally ignores that if
+ * snprintf has __attribute__((warn_unused_result)).
+ */
+ if (ret < 0 || (size_t)ret >= sizeof(newname))
+ __unreachable();
+ *fd = open(newname, O_WRONLY | O_CREAT | O_EXCL, 0666);
if (*fd > 0)
return 0;
}
