1 | /* SPDX-License-Identifier: MIT */ |
2 | /* |
3 | * tftp.c - a simple, read-only tftp server for qemu |
4 | * |
5 | * Copyright (c) 2004 Magnus Damm <damm@opensource.se> |
6 | * |
7 | * Permission is hereby granted, free of charge, to any person obtaining a copy |
8 | * of this software and associated documentation files (the "Software"), to deal |
9 | * in the Software without restriction, including without limitation the rights |
10 | * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
11 | * copies of the Software, and to permit persons to whom the Software is |
12 | * furnished to do so, subject to the following conditions: |
13 | * |
14 | * The above copyright notice and this permission notice shall be included in |
15 | * all copies or substantial portions of the Software. |
16 | * |
17 | * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
18 | * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
19 | * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL |
20 | * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
21 | * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
22 | * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN |
23 | * THE SOFTWARE. |
24 | */ |
25 | |
26 | #include "slirp.h" |
27 | |
28 | #include <sys/types.h> |
29 | #include <sys/stat.h> |
30 | #include <fcntl.h> |
31 | |
32 | static inline int tftp_session_in_use(struct tftp_session *spt) |
33 | { |
34 | return (spt->slirp != NULL); |
35 | } |
36 | |
37 | static inline void tftp_session_update(struct tftp_session *spt) |
38 | { |
39 | spt->timestamp = curtime; |
40 | } |
41 | |
42 | static void tftp_session_terminate(struct tftp_session *spt) |
43 | { |
44 | if (spt->fd >= 0) { |
45 | close(spt->fd); |
46 | spt->fd = -1; |
47 | } |
48 | g_free(spt->filename); |
49 | spt->slirp = NULL; |
50 | } |
51 | |
52 | static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas, |
53 | struct tftp_t *tp) |
54 | { |
55 | struct tftp_session *spt; |
56 | int k; |
57 | |
58 | for (k = 0; k < TFTP_SESSIONS_MAX; k++) { |
59 | spt = &slirp->tftp_sessions[k]; |
60 | |
61 | if (!tftp_session_in_use(spt)) |
62 | goto found; |
63 | |
64 | /* sessions time out after 5 inactive seconds */ |
65 | if ((int)(curtime - spt->timestamp) > 5000) { |
66 | tftp_session_terminate(spt); |
67 | goto found; |
68 | } |
69 | } |
70 | |
71 | return -1; |
72 | |
73 | found: |
74 | memset(spt, 0, sizeof(*spt)); |
75 | memcpy(&spt->client_addr, srcsas, sockaddr_size(srcsas)); |
76 | spt->fd = -1; |
77 | spt->block_size = 512; |
78 | spt->client_port = tp->udp.uh_sport; |
79 | spt->slirp = slirp; |
80 | |
81 | tftp_session_update(spt); |
82 | |
83 | return k; |
84 | } |
85 | |
86 | static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas, |
87 | struct tftp_t *tp) |
88 | { |
89 | struct tftp_session *spt; |
90 | int k; |
91 | |
92 | for (k = 0; k < TFTP_SESSIONS_MAX; k++) { |
93 | spt = &slirp->tftp_sessions[k]; |
94 | |
95 | if (tftp_session_in_use(spt)) { |
96 | if (sockaddr_equal(&spt->client_addr, srcsas)) { |
97 | if (spt->client_port == tp->udp.uh_sport) { |
98 | return k; |
99 | } |
100 | } |
101 | } |
102 | } |
103 | |
104 | return -1; |
105 | } |
106 | |
107 | static int tftp_read_data(struct tftp_session *spt, uint32_t block_nr, |
108 | uint8_t *buf, int len) |
109 | { |
110 | int bytes_read = 0; |
111 | |
112 | if (spt->fd < 0) { |
113 | spt->fd = open(spt->filename, O_RDONLY | O_BINARY); |
114 | } |
115 | |
116 | if (spt->fd < 0) { |
117 | return -1; |
118 | } |
119 | |
120 | if (len) { |
121 | lseek(spt->fd, block_nr * spt->block_size, SEEK_SET); |
122 | |
123 | bytes_read = read(spt->fd, buf, len); |
124 | } |
125 | |
126 | return bytes_read; |
127 | } |
128 | |
129 | static struct tftp_t *tftp_prep_mbuf_data(struct tftp_session *spt, |
130 | struct mbuf *m) |
131 | { |
132 | struct tftp_t *tp; |
133 | |
134 | memset(m->m_data, 0, m->m_size); |
135 | |
136 | m->m_data += IF_MAXLINKHDR; |
137 | if (spt->client_addr.ss_family == AF_INET6) { |
138 | m->m_data += sizeof(struct ip6); |
139 | } else { |
140 | m->m_data += sizeof(struct ip); |
141 | } |
142 | tp = (void *)m->m_data; |
143 | m->m_data += sizeof(struct udphdr); |
144 | |
145 | return tp; |
146 | } |
147 | |
148 | static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m, |
149 | struct tftp_t *recv_tp) |
150 | { |
151 | if (spt->client_addr.ss_family == AF_INET6) { |
152 | struct sockaddr_in6 sa6, da6; |
153 | |
154 | sa6.sin6_addr = spt->slirp->vhost_addr6; |
155 | sa6.sin6_port = recv_tp->udp.uh_dport; |
156 | da6.sin6_addr = ((struct sockaddr_in6 *)&spt->client_addr)->sin6_addr; |
157 | da6.sin6_port = spt->client_port; |
158 | |
159 | udp6_output(NULL, m, &sa6, &da6); |
160 | } else { |
161 | struct sockaddr_in sa4, da4; |
162 | |
163 | sa4.sin_addr = spt->slirp->vhost_addr; |
164 | sa4.sin_port = recv_tp->udp.uh_dport; |
165 | da4.sin_addr = ((struct sockaddr_in *)&spt->client_addr)->sin_addr; |
166 | da4.sin_port = spt->client_port; |
167 | |
168 | udp_output(NULL, m, &sa4, &da4, IPTOS_LOWDELAY); |
169 | } |
170 | } |
171 | |
172 | static int tftp_send_oack(struct tftp_session *spt, const char *keys[], |
173 | uint32_t values[], int nb, struct tftp_t *recv_tp) |
174 | { |
175 | struct mbuf *m; |
176 | struct tftp_t *tp; |
177 | int i, n = 0; |
178 | |
179 | m = m_get(spt->slirp); |
180 | |
181 | if (!m) |
182 | return -1; |
183 | |
184 | tp = tftp_prep_mbuf_data(spt, m); |
185 | |
186 | tp->tp_op = htons(TFTP_OACK); |
187 | for (i = 0; i < nb; i++) { |
188 | n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s" , |
189 | keys[i]) + |
190 | 1; |
191 | n += snprintf(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u" , |
192 | values[i]) + |
193 | 1; |
194 | } |
195 | |
196 | m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + n - |
197 | sizeof(struct udphdr); |
198 | tftp_udp_output(spt, m, recv_tp); |
199 | |
200 | return 0; |
201 | } |
202 | |
203 | static void tftp_send_error(struct tftp_session *spt, uint16_t errorcode, |
204 | const char *msg, struct tftp_t *recv_tp) |
205 | { |
206 | struct mbuf *m; |
207 | struct tftp_t *tp; |
208 | |
209 | DEBUG_TFTP("tftp error msg: %s" , msg); |
210 | |
211 | m = m_get(spt->slirp); |
212 | |
213 | if (!m) { |
214 | goto out; |
215 | } |
216 | |
217 | tp = tftp_prep_mbuf_data(spt, m); |
218 | |
219 | tp->tp_op = htons(TFTP_ERROR); |
220 | tp->x.tp_error.tp_error_code = htons(errorcode); |
221 | slirp_pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg), |
222 | msg); |
223 | |
224 | m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + 3 + |
225 | strlen(msg) - sizeof(struct udphdr); |
226 | tftp_udp_output(spt, m, recv_tp); |
227 | |
228 | out: |
229 | tftp_session_terminate(spt); |
230 | } |
231 | |
232 | static void tftp_send_next_block(struct tftp_session *spt, |
233 | struct tftp_t *recv_tp) |
234 | { |
235 | struct mbuf *m; |
236 | struct tftp_t *tp; |
237 | int nobytes; |
238 | |
239 | m = m_get(spt->slirp); |
240 | |
241 | if (!m) { |
242 | return; |
243 | } |
244 | |
245 | tp = tftp_prep_mbuf_data(spt, m); |
246 | |
247 | tp->tp_op = htons(TFTP_DATA); |
248 | tp->x.tp_data.tp_block_nr = htons((spt->block_nr + 1) & 0xffff); |
249 | |
250 | nobytes = tftp_read_data(spt, spt->block_nr, tp->x.tp_data.tp_buf, |
251 | spt->block_size); |
252 | |
253 | if (nobytes < 0) { |
254 | m_free(m); |
255 | |
256 | /* send "file not found" error back */ |
257 | |
258 | tftp_send_error(spt, 1, "File not found" , tp); |
259 | |
260 | return; |
261 | } |
262 | |
263 | m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX - nobytes) - |
264 | sizeof(struct udphdr); |
265 | tftp_udp_output(spt, m, recv_tp); |
266 | |
267 | if (nobytes == spt->block_size) { |
268 | tftp_session_update(spt); |
269 | } else { |
270 | tftp_session_terminate(spt); |
271 | } |
272 | |
273 | spt->block_nr++; |
274 | } |
275 | |
276 | static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas, |
277 | struct tftp_t *tp, int pktlen) |
278 | { |
279 | struct tftp_session *spt; |
280 | int s, k; |
281 | size_t prefix_len; |
282 | char *req_fname; |
283 | const char *option_name[2]; |
284 | uint32_t option_value[2]; |
285 | int nb_options = 0; |
286 | |
287 | /* check if a session already exists and if so terminate it */ |
288 | s = tftp_session_find(slirp, srcsas, tp); |
289 | if (s >= 0) { |
290 | tftp_session_terminate(&slirp->tftp_sessions[s]); |
291 | } |
292 | |
293 | s = tftp_session_allocate(slirp, srcsas, tp); |
294 | |
295 | if (s < 0) { |
296 | return; |
297 | } |
298 | |
299 | spt = &slirp->tftp_sessions[s]; |
300 | |
301 | /* unspecified prefix means service disabled */ |
302 | if (!slirp->tftp_prefix) { |
303 | tftp_send_error(spt, 2, "Access violation" , tp); |
304 | return; |
305 | } |
306 | |
307 | /* skip header fields */ |
308 | k = 0; |
309 | pktlen -= offsetof(struct tftp_t, x.tp_buf); |
310 | |
311 | /* prepend tftp_prefix */ |
312 | prefix_len = strlen(slirp->tftp_prefix); |
313 | spt->filename = g_malloc(prefix_len + TFTP_FILENAME_MAX + 2); |
314 | memcpy(spt->filename, slirp->tftp_prefix, prefix_len); |
315 | spt->filename[prefix_len] = '/'; |
316 | |
317 | /* get name */ |
318 | req_fname = spt->filename + prefix_len + 1; |
319 | |
320 | while (1) { |
321 | if (k >= TFTP_FILENAME_MAX || k >= pktlen) { |
322 | tftp_send_error(spt, 2, "Access violation" , tp); |
323 | return; |
324 | } |
325 | req_fname[k] = tp->x.tp_buf[k]; |
326 | if (req_fname[k++] == '\0') { |
327 | break; |
328 | } |
329 | } |
330 | |
331 | DEBUG_TFTP("tftp rrq file: %s" , req_fname); |
332 | |
333 | /* check mode */ |
334 | if ((pktlen - k) < 6) { |
335 | tftp_send_error(spt, 2, "Access violation" , tp); |
336 | return; |
337 | } |
338 | |
339 | if (strcasecmp(&tp->x.tp_buf[k], "octet" ) != 0) { |
340 | tftp_send_error(spt, 4, "Unsupported transfer mode" , tp); |
341 | return; |
342 | } |
343 | |
344 | k += 6; /* skipping octet */ |
345 | |
346 | /* do sanity checks on the filename */ |
347 | if (!strncmp(req_fname, "../" , 3) || |
348 | req_fname[strlen(req_fname) - 1] == '/' || strstr(req_fname, "/../" )) { |
349 | tftp_send_error(spt, 2, "Access violation" , tp); |
350 | return; |
351 | } |
352 | |
353 | /* check if the file exists */ |
354 | if (tftp_read_data(spt, 0, NULL, 0) < 0) { |
355 | tftp_send_error(spt, 1, "File not found" , tp); |
356 | return; |
357 | } |
358 | |
359 | if (tp->x.tp_buf[pktlen - 1] != 0) { |
360 | tftp_send_error(spt, 2, "Access violation" , tp); |
361 | return; |
362 | } |
363 | |
364 | while (k < pktlen && nb_options < G_N_ELEMENTS(option_name)) { |
365 | const char *key, *value; |
366 | |
367 | key = &tp->x.tp_buf[k]; |
368 | k += strlen(key) + 1; |
369 | |
370 | if (k >= pktlen) { |
371 | tftp_send_error(spt, 2, "Access violation" , tp); |
372 | return; |
373 | } |
374 | |
375 | value = &tp->x.tp_buf[k]; |
376 | k += strlen(value) + 1; |
377 | |
378 | if (strcasecmp(key, "tsize" ) == 0) { |
379 | int tsize = atoi(value); |
380 | struct stat stat_p; |
381 | |
382 | if (tsize == 0) { |
383 | if (stat(spt->filename, &stat_p) == 0) |
384 | tsize = stat_p.st_size; |
385 | else { |
386 | tftp_send_error(spt, 1, "File not found" , tp); |
387 | return; |
388 | } |
389 | } |
390 | |
391 | option_name[nb_options] = "tsize" ; |
392 | option_value[nb_options] = tsize; |
393 | nb_options++; |
394 | } else if (strcasecmp(key, "blksize" ) == 0) { |
395 | int blksize = atoi(value); |
396 | |
397 | /* Accept blksize up to our maximum size */ |
398 | if (blksize > 0) { |
399 | spt->block_size = MIN(blksize, TFTP_BLOCKSIZE_MAX); |
400 | option_name[nb_options] = "blksize" ; |
401 | option_value[nb_options] = spt->block_size; |
402 | nb_options++; |
403 | } |
404 | } |
405 | } |
406 | |
407 | if (nb_options > 0) { |
408 | assert(nb_options <= G_N_ELEMENTS(option_name)); |
409 | tftp_send_oack(spt, option_name, option_value, nb_options, tp); |
410 | return; |
411 | } |
412 | |
413 | spt->block_nr = 0; |
414 | tftp_send_next_block(spt, tp); |
415 | } |
416 | |
417 | static void tftp_handle_ack(Slirp *slirp, struct sockaddr_storage *srcsas, |
418 | struct tftp_t *tp, int pktlen) |
419 | { |
420 | int s; |
421 | |
422 | s = tftp_session_find(slirp, srcsas, tp); |
423 | |
424 | if (s < 0) { |
425 | return; |
426 | } |
427 | |
428 | tftp_send_next_block(&slirp->tftp_sessions[s], tp); |
429 | } |
430 | |
431 | static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas, |
432 | struct tftp_t *tp, int pktlen) |
433 | { |
434 | int s; |
435 | |
436 | s = tftp_session_find(slirp, srcsas, tp); |
437 | |
438 | if (s < 0) { |
439 | return; |
440 | } |
441 | |
442 | tftp_session_terminate(&slirp->tftp_sessions[s]); |
443 | } |
444 | |
445 | void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m) |
446 | { |
447 | struct tftp_t *tp = (struct tftp_t *)m->m_data; |
448 | |
449 | switch (ntohs(tp->tp_op)) { |
450 | case TFTP_RRQ: |
451 | tftp_handle_rrq(m->slirp, srcsas, tp, m->m_len); |
452 | break; |
453 | |
454 | case TFTP_ACK: |
455 | tftp_handle_ack(m->slirp, srcsas, tp, m->m_len); |
456 | break; |
457 | |
458 | case TFTP_ERROR: |
459 | tftp_handle_error(m->slirp, srcsas, tp, m->m_len); |
460 | break; |
461 | } |
462 | } |
463 | |