1/* SPDX-License-Identifier: MIT */
2/*
3 * tftp.c - a simple, read-only tftp server for qemu
4 *
5 * Copyright (c) 2004 Magnus Damm <damm@opensource.se>
6 *
7 * Permission is hereby granted, free of charge, to any person obtaining a copy
8 * of this software and associated documentation files (the "Software"), to deal
9 * in the Software without restriction, including without limitation the rights
10 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11 * copies of the Software, and to permit persons to whom the Software is
12 * furnished to do so, subject to the following conditions:
13 *
14 * The above copyright notice and this permission notice shall be included in
15 * all copies or substantial portions of the Software.
16 *
17 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
20 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
23 * THE SOFTWARE.
24 */
25
26#include "slirp.h"
27
28#include <sys/types.h>
29#include <sys/stat.h>
30#include <fcntl.h>
31
32static inline int tftp_session_in_use(struct tftp_session *spt)
33{
34 return (spt->slirp != NULL);
35}
36
37static inline void tftp_session_update(struct tftp_session *spt)
38{
39 spt->timestamp = curtime;
40}
41
42static void tftp_session_terminate(struct tftp_session *spt)
43{
44 if (spt->fd >= 0) {
45 close(spt->fd);
46 spt->fd = -1;
47 }
48 g_free(spt->filename);
49 spt->slirp = NULL;
50}
51
52static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas,
53 struct tftp_t *tp)
54{
55 struct tftp_session *spt;
56 int k;
57
58 for (k = 0; k < TFTP_SESSIONS_MAX; k++) {
59 spt = &slirp->tftp_sessions[k];
60
61 if (!tftp_session_in_use(spt))
62 goto found;
63
64 /* sessions time out after 5 inactive seconds */
65 if ((int)(curtime - spt->timestamp) > 5000) {
66 tftp_session_terminate(spt);
67 goto found;
68 }
69 }
70
71 return -1;
72
73found:
74 memset(spt, 0, sizeof(*spt));
75 memcpy(&spt->client_addr, srcsas, sockaddr_size(srcsas));
76 spt->fd = -1;
77 spt->block_size = 512;
78 spt->client_port = tp->udp.uh_sport;
79 spt->slirp = slirp;
80
81 tftp_session_update(spt);
82
83 return k;
84}
85
86static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
87 struct tftp_t *tp)
88{
89 struct tftp_session *spt;
90 int k;
91
92 for (k = 0; k < TFTP_SESSIONS_MAX; k++) {
93 spt = &slirp->tftp_sessions[k];
94
95 if (tftp_session_in_use(spt)) {
96 if (sockaddr_equal(&spt->client_addr, srcsas)) {
97 if (spt->client_port == tp->udp.uh_sport) {
98 return k;
99 }
100 }
101 }
102 }
103
104 return -1;
105}
106
107static int tftp_read_data(struct tftp_session *spt, uint32_t block_nr,
108 uint8_t *buf, int len)
109{
110 int bytes_read = 0;
111
112 if (spt->fd < 0) {
113 spt->fd = open(spt->filename, O_RDONLY | O_BINARY);
114 }
115
116 if (spt->fd < 0) {
117 return -1;
118 }
119
120 if (len) {
121 lseek(spt->fd, block_nr * spt->block_size, SEEK_SET);
122
123 bytes_read = read(spt->fd, buf, len);
124 }
125
126 return bytes_read;
127}
128
129static struct tftp_t *tftp_prep_mbuf_data(struct tftp_session *spt,
130 struct mbuf *m)
131{
132 struct tftp_t *tp;
133
134 memset(m->m_data, 0, m->m_size);
135
136 m->m_data += IF_MAXLINKHDR;
137 if (spt->client_addr.ss_family == AF_INET6) {
138 m->m_data += sizeof(struct ip6);
139 } else {
140 m->m_data += sizeof(struct ip);
141 }
142 tp = (void *)m->m_data;
143 m->m_data += sizeof(struct udphdr);
144
145 return tp;
146}
147
148static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
149 struct tftp_t *recv_tp)
150{
151 if (spt->client_addr.ss_family == AF_INET6) {
152 struct sockaddr_in6 sa6, da6;
153
154 sa6.sin6_addr = spt->slirp->vhost_addr6;
155 sa6.sin6_port = recv_tp->udp.uh_dport;
156 da6.sin6_addr = ((struct sockaddr_in6 *)&spt->client_addr)->sin6_addr;
157 da6.sin6_port = spt->client_port;
158
159 udp6_output(NULL, m, &sa6, &da6);
160 } else {
161 struct sockaddr_in sa4, da4;
162
163 sa4.sin_addr = spt->slirp->vhost_addr;
164 sa4.sin_port = recv_tp->udp.uh_dport;
165 da4.sin_addr = ((struct sockaddr_in *)&spt->client_addr)->sin_addr;
166 da4.sin_port = spt->client_port;
167
168 udp_output(NULL, m, &sa4, &da4, IPTOS_LOWDELAY);
169 }
170}
171
172static int tftp_send_oack(struct tftp_session *spt, const char *keys[],
173 uint32_t values[], int nb, struct tftp_t *recv_tp)
174{
175 struct mbuf *m;
176 struct tftp_t *tp;
177 int i, n = 0;
178
179 m = m_get(spt->slirp);
180
181 if (!m)
182 return -1;
183
184 tp = tftp_prep_mbuf_data(spt, m);
185
186 tp->tp_op = htons(TFTP_OACK);
187 for (i = 0; i < nb; i++) {
188 n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s",
189 keys[i]) +
190 1;
191 n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u",
192 values[i]) +
193 1;
194 }
195
196 m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + n -
197 sizeof(struct udphdr);
198 tftp_udp_output(spt, m, recv_tp);
199
200 return 0;
201}
202
203static void tftp_send_error(struct tftp_session *spt, uint16_t errorcode,
204 const char *msg, struct tftp_t *recv_tp)
205{
206 struct mbuf *m;
207 struct tftp_t *tp;
208
209 DEBUG_TFTP("tftp error msg: %s", msg);
210
211 m = m_get(spt->slirp);
212
213 if (!m) {
214 goto out;
215 }
216
217 tp = tftp_prep_mbuf_data(spt, m);
218
219 tp->tp_op = htons(TFTP_ERROR);
220 tp->x.tp_error.tp_error_code = htons(errorcode);
221 slirp_pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg),
222 msg);
223
224 m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + 3 +
225 strlen(msg) - sizeof(struct udphdr);
226 tftp_udp_output(spt, m, recv_tp);
227
228out:
229 tftp_session_terminate(spt);
230}
231
232static void tftp_send_next_block(struct tftp_session *spt,
233 struct tftp_t *recv_tp)
234{
235 struct mbuf *m;
236 struct tftp_t *tp;
237 int nobytes;
238
239 m = m_get(spt->slirp);
240
241 if (!m) {
242 return;
243 }
244
245 tp = tftp_prep_mbuf_data(spt, m);
246
247 tp->tp_op = htons(TFTP_DATA);
248 tp->x.tp_data.tp_block_nr = htons((spt->block_nr + 1) & 0xffff);
249
250 nobytes = tftp_read_data(spt, spt->block_nr, tp->x.tp_data.tp_buf,
251 spt->block_size);
252
253 if (nobytes < 0) {
254 m_free(m);
255
256 /* send "file not found" error back */
257
258 tftp_send_error(spt, 1, "File not found", tp);
259
260 return;
261 }
262
263 m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX - nobytes) -
264 sizeof(struct udphdr);
265 tftp_udp_output(spt, m, recv_tp);
266
267 if (nobytes == spt->block_size) {
268 tftp_session_update(spt);
269 } else {
270 tftp_session_terminate(spt);
271 }
272
273 spt->block_nr++;
274}
275
276static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
277 struct tftp_t *tp, int pktlen)
278{
279 struct tftp_session *spt;
280 int s, k;
281 size_t prefix_len;
282 char *req_fname;
283 const char *option_name[2];
284 uint32_t option_value[2];
285 int nb_options = 0;
286
287 /* check if a session already exists and if so terminate it */
288 s = tftp_session_find(slirp, srcsas, tp);
289 if (s >= 0) {
290 tftp_session_terminate(&slirp->tftp_sessions[s]);
291 }
292
293 s = tftp_session_allocate(slirp, srcsas, tp);
294
295 if (s < 0) {
296 return;
297 }
298
299 spt = &slirp->tftp_sessions[s];
300
301 /* unspecified prefix means service disabled */
302 if (!slirp->tftp_prefix) {
303 tftp_send_error(spt, 2, "Access violation", tp);
304 return;
305 }
306
307 /* skip header fields */
308 k = 0;
309 pktlen -= offsetof(struct tftp_t, x.tp_buf);
310
311 /* prepend tftp_prefix */
312 prefix_len = strlen(slirp->tftp_prefix);
313 spt->filename = g_malloc(prefix_len + TFTP_FILENAME_MAX + 2);
314 memcpy(spt->filename, slirp->tftp_prefix, prefix_len);
315 spt->filename[prefix_len] = '/';
316
317 /* get name */
318 req_fname = spt->filename + prefix_len + 1;
319
320 while (1) {
321 if (k >= TFTP_FILENAME_MAX || k >= pktlen) {
322 tftp_send_error(spt, 2, "Access violation", tp);
323 return;
324 }
325 req_fname[k] = tp->x.tp_buf[k];
326 if (req_fname[k++] == '\0') {
327 break;
328 }
329 }
330
331 DEBUG_TFTP("tftp rrq file: %s", req_fname);
332
333 /* check mode */
334 if ((pktlen - k) < 6) {
335 tftp_send_error(spt, 2, "Access violation", tp);
336 return;
337 }
338
339 if (strcasecmp(&tp->x.tp_buf[k], "octet") != 0) {
340 tftp_send_error(spt, 4, "Unsupported transfer mode", tp);
341 return;
342 }
343
344 k += 6; /* skipping octet */
345
346 /* do sanity checks on the filename */
347 if (!strncmp(req_fname, "../", 3) ||
348 req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../")) {
349 tftp_send_error(spt, 2, "Access violation", tp);
350 return;
351 }
352
353 /* check if the file exists */
354 if (tftp_read_data(spt, 0, NULL, 0) < 0) {
355 tftp_send_error(spt, 1, "File not found", tp);
356 return;
357 }
358
359 if (tp->x.tp_buf[pktlen - 1] != 0) {
360 tftp_send_error(spt, 2, "Access violation", tp);
361 return;
362 }
363
364 while (k < pktlen && nb_options < G_N_ELEMENTS(option_name)) {
365 const char *key, *value;
366
367 key = &tp->x.tp_buf[k];
368 k += strlen(key) + 1;
369
370 if (k >= pktlen) {
371 tftp_send_error(spt, 2, "Access violation", tp);
372 return;
373 }
374
375 value = &tp->x.tp_buf[k];
376 k += strlen(value) + 1;
377
378 if (strcasecmp(key, "tsize") == 0) {
379 int tsize = atoi(value);
380 struct stat stat_p;
381
382 if (tsize == 0) {
383 if (stat(spt->filename, &stat_p) == 0)
384 tsize = stat_p.st_size;
385 else {
386 tftp_send_error(spt, 1, "File not found", tp);
387 return;
388 }
389 }
390
391 option_name[nb_options] = "tsize";
392 option_value[nb_options] = tsize;
393 nb_options++;
394 } else if (strcasecmp(key, "blksize") == 0) {
395 int blksize = atoi(value);
396
397 /* Accept blksize up to our maximum size */
398 if (blksize > 0) {
399 spt->block_size = MIN(blksize, TFTP_BLOCKSIZE_MAX);
400 option_name[nb_options] = "blksize";
401 option_value[nb_options] = spt->block_size;
402 nb_options++;
403 }
404 }
405 }
406
407 if (nb_options > 0) {
408 assert(nb_options <= G_N_ELEMENTS(option_name));
409 tftp_send_oack(spt, option_name, option_value, nb_options, tp);
410 return;
411 }
412
413 spt->block_nr = 0;
414 tftp_send_next_block(spt, tp);
415}
416
417static void tftp_handle_ack(Slirp *slirp, struct sockaddr_storage *srcsas,
418 struct tftp_t *tp, int pktlen)
419{
420 int s;
421
422 s = tftp_session_find(slirp, srcsas, tp);
423
424 if (s < 0) {
425 return;
426 }
427
428 tftp_send_next_block(&slirp->tftp_sessions[s], tp);
429}
430
431static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
432 struct tftp_t *tp, int pktlen)
433{
434 int s;
435
436 s = tftp_session_find(slirp, srcsas, tp);
437
438 if (s < 0) {
439 return;
440 }
441
442 tftp_session_terminate(&slirp->tftp_sessions[s]);
443}
444
445void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
446{
447 struct tftp_t *tp = (struct tftp_t *)m->m_data;
448
449 switch (ntohs(tp->tp_op)) {
450 case TFTP_RRQ:
451 tftp_handle_rrq(m->slirp, srcsas, tp, m->m_len);
452 break;
453
454 case TFTP_ACK:
455 tftp_handle_ack(m->slirp, srcsas, tp, m->m_len);
456 break;
457
458 case TFTP_ERROR:
459 tftp_handle_error(m->slirp, srcsas, tp, m->m_len);
460 break;
461 }
462}
463