History log of /freebsd-11-stable/libexec/tftpd/tftpd.c
Revision Date Author Comments
# 339051 01-Oct-2018 asomers

MFC r336605:

Fix multiple Coverity warnings in tftpd(8)

* Initialize uninitialized variable (CID 1006502)
* strcpy => strlcpy (CID 1006792, 1006791, 1006790)
* Check function return values (CID 1009442, 1009441, 1009440)
* Delete dead code in receive_packet (not reported by Coverity)
* Remove redundant alarm(3) in receive_packet (not reported by Coverity)

Reported by: Coverity
CID: 1006502, 1006792, 1006791, 1006790, 1009442, 1009441, 1009440
Differential Revision: https://reviews.freebsd.org/D11287


# 332609 16-Apr-2018 asomers

MFC r330710, r330718-r330720

r330710:
tftpd: Flush files as soon as they are fully received

On an RRQ, tftpd doesn't exit as soon as it's finished receiving a file.
Instead, it waits five seconds just in case the client didn't receive the
server's last ACK and decides to resend the final DATA packet.
Unfortunately, this created a 5 second delay from when the client thinks
it's done sending the file, and when the file is available for other
processes.

Fix this bug by closing the file as soon as receipt is finished.

PR: 157700
Reported by: Barry Mishler <barry_mishler@yahoo.com>

r330718:
tftpd: Verify world-writability for WRQ when using relative paths

tftpd(8) says that files may only be written if they already exist and are
publicly writable. tftpd.c verifies that a file is publicly writable if it
uses an absolute pathname. However, if the pathname is relative, that check
is skipped. Fix it.

Note that this is not a security vulnerability, because the transfer
ultimately doesn't work unless the file already exists and is owned by user
nobody. Also, this bug does not affect the default configuration, because
the default uses the "-s" option which makes all pathnames absolute.

PR: 226004

r330719:
tftpd: Abort on a WRQ access violation

On a WRQ (write request) tftpd checks whether the client has access
permission for the file in question. If not, then the write is prevented.
However, tftpd doesn't reply with an ERROR packet, nor does it abort.
Instead, it tries to receive the packet anyway.

The symptom is slightly different depending on the nature of the error. If
the target file is nonexistent and tftpd lacks permission to create it, then
tftpd will willingly receive the file, but not write it anywhere. If the
file exists but is not writable, then tftpd will fail to ACK the WRQ.

PR: 225996

r330720:
tftpd: reject unknown opcodes

If tftpd receives a command with an unknown opcode, it simply exits 1. It
doesn't send an ERROR packet, and the client will hang waiting for one. Fix
it.

PR: 226005


# 331722 29-Mar-2018 eadler

Revert r330897:

This was intended to be a non-functional change. It wasn't. The commit
message was thus wrong. In addition it broke arm, and merged crypto
related code.

Revert with prejudice.

This revert skips files touched in r316370 since that commit was since
MFCed. This revert also skips files that require $FreeBSD$ property
changes.

Thank you to those who helped me get out of this mess including but not
limited to gonzo, kevans, rgrimes.

Requested by: gjb (re)


# 330897 14-Mar-2018 eadler

Partial merge of the SPDX changes

These changes are incomplete but are making it difficult
to determine what other changes can/should be merged.

No objections from: pfg


# 313231 04-Feb-2017 ngie

MFC r311473:

Conditionalize all code that uses tcpd.h behind `LIBWRAP` guard

This will allow the code to stand by itself without libwrap


# 302408 07-Jul-2016 gjb

Copy head@r302406 to stable/11 as part of the 11.0-RELEASE cycle.
Prune svn:mergeinfo from the new branch, as nothing has been merged
here.

Additional commits post-branch will follow.

Approved by: re (implicit)
Sponsored by: The FreeBSD Foundation


# 262136 17-Feb-2014 brueffer

Remove the 3rd clause ("advertising clause") of the BSD license as
permitted by the University of Berkeley on July 22, 1999.

Reviewed by: imp
MFC after: 1 week


# 246139 30-Jan-2013 marius

Mark tftp_log() as __printflike() (which would have caught the bug
fixed in r246106) and deal with the fallout.

MFC after: 2 weeks


# 241848 22-Oct-2012 eadler

Check the return error of set[e][ug]id. While this can never fail in the
current version of FreeBSD, this isn't guaranteed by the API.
Custom security modules, or future implementations of the setuid and
setgid may fail.

Submitted by: Erik Cederstrand
Approved by: cperciva
MFC after: 3 days


# 241720 19-Oct-2012 ed

Fix warnings found by -Wmissing-variable-declarations.

This self-written compiler warning, which is hopefully going to be
committed into LLVM sources soon, warns about potentially missing
`static' keywords, similar to -Wmissing-prototypes.

- bin/pax: Move external declaration of chdname and s_mask into extern.h.
- bin/setfacl: Move setfacl.c-specific stuff out of setfacl.h.
- sbin/mount_fusefs: Remove char *progname; use getprogname().
- others: add `static' where possible.


# 213102 24-Sep-2010 marius

Remove the duplicate logging of failed read requests, whose error message
also was inappropriate as it triggered for every EACCESS and ENOTFOUND, not
just the case the -n option is intended to deal with and thus really spammed
us with ~20 messages in the default configuration when booting a diskless
FreeBSD client, introduced with r207608 again.

MFC after: 1 week


# 213099 24-Sep-2010 marius

Make WARNS=6 clean.

MFC after: 1 week


# 207608 04-May-2010 imp

Go ahead and merge the work edwin@ on tftpd into the tree. It is a
lot better than what's in the tree now. Edwin tested it at a prior
employer, but can't test it today. I've found that it works a lot
better with the various uboot versions that I've used in my embedded
work. Here's the pkg-descr from the port that describes the changes:

It all started when we got some new routers, which told me the
following when trying to upload configuration or download images
from it: The TFTP server doesn't support the blocksize option.

My curiosity was triggered, it took me some reading of RFCs and
other documentation to find out what was possible and what could
be done. Was plain TFTP very simple in its handshake, TFTP with
options was kind of messy because of its backwards capability: The
first packet returned could either be an acknowledgement of options,
or the first data packet.

Going through the source code of src/libexec/tftpd and going through
the code of src/usr.bin/tftp showed that there was a lot of duplicate
code, and the addition of options would only increase the amount
of duplicate code. After all, both the client and the server can
act as a sender and receiver.

At the end, it ended up with a nearly complete rewrite of the tftp
client and server. It has been tested against the following TFTP
clients and servers:

- Itself (yay!)
- The standard FreeBSD tftp client and server
- The Fedora Core 6 tftp client and server
- Cisco router tftp client
- Extreme Networks tftp client

It supports the following RFCs:

RFC1350 - THE TFTP PROTOCOL (REVISION 2)
RFC2347 - TFTP Option Extension
RFC2348 - TFTP Blocksize Option
RFC2349 - TFTP Timeout Interval and Transfer Size Options
RFC3617 - Uniform Resource Identifier (URI) Scheme and Applicability
Statement for the Trivial File Transfer Protocol (TFTP)

It supports the following unofficial TFTP Options as described at
http://www.compuphase.com/tftp.htm:

blksize2 - Block size restricted to powers of 2, excluding protocol headers
rollover - Block counter roll-over (roll back to zero or to one)

From the tftp program point of view the following things are changed:

- New commands: "blocksize", "blocksize2", "rollover" and "options"
- Development features: "debug" and "packetdrop"

If you try this tftp/tftpd implementation, please let me know if
it works (or doesn't work) and against which implementation so I can
get a list of confirmed working systems.

Author: Edwin Groothuis <edwin@FreeBSD.org>


# 173852 22-Nov-2007 edwin

Add the -W option, which acts the same as -w but will generate
unique names based on the submitted filename, a strftime(3) format
string and a two digit sequence number.

By default the strftime(3) format string is %Y%m%d (YYYYMMDD), but
this can be changed by the -F option.

PR: bin/106049 (based on patch in that PR)
Approved by: grog@ (mentor)


# 146827 31-May-2005 maxim

o Missed colon in getopt(3) argument makes tftpd(8) crash. Fix that.

PR: misc/81732
Submitted by: Denis Grudkin
MFC after: 2 weeks


# 146187 13-May-2005 ume

NI_WITHSCOPEID cleanup. Neither RFC 2553 nor RFC 3493 defines
NI_WITHSCOPEID, and our getaddrinfo(3) does nothing special
for it, now.


# 141922 14-Feb-2005 stefanf

- Use socklen_t.
- No need for 'fromlen' to have file scope.
- Remove an unused variable.


# 133862 16-Aug-2004 marius

Instead of "OpenFirmware", "openfirmware", etc. use the official spelling
"Open Firmware" from IEEE 1275 and OpenFirmware.org (no pun intended).

Ok'ed by: tmm


# 131358 30-Jun-2004 csjp

The call to setuid(2) subsequently causes setgroups(2) to fail. setgroups(2)
requires super-user access in order to complete successfully.
Move setgroups(2) to execute before setuid(2) so that it is successful.


# 130839 21-Jun-2004 brian

Call tzset() at startup.

Submitted by: Andrzej Toboła <ato@iem.pw.edu.pl>


# 130834 21-Jun-2004 brian

o Reduce path names in RRQ and WRQ packets by:

Reducing "/+./" strings to "/"
Reducing "/[^/]+/../" to "/"

o Don't send an OACK when the result of the [RW]RQ is an error.

These changes allow tftpd to interact with pxelinux.bin from the syslinux
package.

Whilst the path reducing code doesn't properly handle situations where the
path component before the "/../" is a symlink to (say) ".", I would suggest
that it does the right thing in terms of the client's perception of what
their path string actually represents. This seems better than using
realpath() and breaking environments where symlinks point outside of the
directory hierarchy that tftpd is configured to allow.


# 129683 24-May-2004 mdodd

- Close fd if fdopen(fd) fails.
- Format return () to resemble the one 5 lines up.


# 129680 24-May-2004 mdodd

Add two new flags: -w, which allows new files to be created,
and -U, which allows the umask to be set.

Obtained from: Patton Electronics, Co.


# 122916 20-Nov-2003 sobomax

Fix a bug which causes wrong filename being written into the syslog
in the case when client sends request with RFC2347 options.

Approved by: re
MFC After: 2 weeks


# 113714 19-Apr-2003 billf

properly refuse a connection in the -c case if the client ip's subdirectory
does not exist.

PR: bin/38303
Submitted by: Woei-Luen, Shyu <m8535@cn.ee.ccu.edu.tw>
the committed patch differs from the submitted one, any inaccuracies are mine.


# 112452 20-Mar-2003 dwmalone

Clean up some warnings that don't result in a change in the object file:
Constness, missing prototypes, non-ansi prototypes, missing
initialisers, unnecessary declarations, shadowing.

Reviewed by: md5


# 95496 26-Apr-2002 ume

Correct indent.


# 94443 11-Apr-2002 ume

IPv6 support for tftp/tftpd.

Obtained from: KAME
MFC after: 2 weeks


# 94299 09-Apr-2002 ambrisko

Better handle the case with a network that drops packets by retrying
with a back off. This was discovered when Luigi sent me code to
handle this for Etherboot. The Etherboot patch worked okay but
FreeBSD's tftpd had trouble handling it and would fail to transfer
the file since it would abort on send and not retry.

Submitted by: luigi
MFC after: 1 week


# 90333 07-Feb-2002 imp

o __P removal
o Use new-style prototypes and function definitions.
o Fix timeout and justquit to have proper signatures for signal
handlers. Mark the args as __unused.
o remove register


# 86765 22-Nov-2001 benno

Change the failure mode in option parsing to silently bailing out of option
negotiation rather than rejecting the request.

Apple OpenFirmware 3.0f3 (the version in my iMac) adds trailing garbage to the
end of an otherwise valid request. Without this change, the requests were
rejected which prevented me from booting.

Reviewed by: obrien


# 85299 21-Oct-2001 obrien

When we set our UID to `nobody', set an appropriate group also.

Submitted by: peter


# 84047 27-Sep-2001 obrien

RFC2349 (http://www.hypermail.org/rfcs/rfc2349.html) adds support
for negotiation of timeout and file size to the tftp protocol. This
is required by some firmware like EFI boot managers (at least on
HP i2000 Itanium servers) in order to boot an image using tftp. The
attached patch implements the RFC, and in doing so also implements
RFC2347; a generic tftp option extension.

PR: 30710
Submitted by: Espen Skoglund <esk@ira.uka.de>


# 71926 02-Feb-2001 asmodai

Fix tftpd and tftp to support file transfers of over 65535 blocks
(about 31 MB - 32 MB).

Submitted (partially) by: Pascal Hofstee <daeron@wit401305.student.utwente.nl>


# 71616 25-Jan-2001 billf

Add -c/C which chroots by IP of tftp client, (i.e. /tftproot/127.0.0.1/).


# 65850 14-Sep-2000 wollman

Allow tftpd to run as a specified user, not just `nobody'.
Update documentation to reflect new option. Also fix documentation
style and add missing references.

PR: 21268
Submitted by: "Aleksandr A. Babaylov" <babolo@links.ru>
Reviewed by: imp


# 50476 27-Aug-1999 peter

$Id$ -> $FreeBSD$


# 45422 07-Apr-1999 brian

Ensure that things returned by gethostname() and
friends are terminated and allow for a maximum
host name length of MAXHOSTNAMELEN - 1.
Put parentheses around sizeof args.
Make some variables static.
Fix telnetd -u (broken by my last commit)

Prompted by: bde


# 45393 06-Apr-1999 brian

Use realhostname() rather than various combinations of
gethostbyaddr() & gethostbyname().

Remove brokenness in ftpd for hosts of MAXHOSTNAMELEN length.


# 40765 30-Oct-1998 dg

Rename a function name so that it doesn't conflict with a future system call.


# 35152 12-Apr-1998 phk

openlog() needs to have LOG_NDELAY added, or else the syslog() calls after
the chroot will not get sent to syslogd.

PR: 4910
Reviewed by: phk
Submitted by: Jim Mercer <jim@komodo.reptiles.org>


# 31512 03-Dec-1997 charnier

Use full path in synopsis. Syslog will add trailing \n.


# 24349 28-Mar-1997 imp

compare return value from getopt against -1 rather than EOF, per the final
posix standard on the topic.


# 24193 24-Mar-1997 imp

Fix non exploitable buffer overflows (since the largest packet processed
precludes it) to keep people from whining about it in the newsgroups and
mailing lists.


# 22989 22-Feb-1997 peter

Revert $FreeBSD$ to $Id$


# 21673 14-Jan-1997 jkh

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.


# 20052 30-Nov-1996 joerg

Truncate the file when opening it with write intent. Otherwise,
there's a good chance that garbage will remain at the end.

Closes PR # bin/2112: tftpd doesn't truncate ...

Reviewed by: fenner


# 18471 22-Sep-1996 wosch

add forgotten $Id$


# 18458 22-Sep-1996 imp

Reviewed by: Bill Fenner <fennder@parc.xerox.com>
Reviewed by: Garrett Wollman <wollman@freebsd.org>
Submitted by: Warner Losh <imp@village.org>
Close PR bin/1145:
Add -s flag to tftpd. This enables the so-called secure mode
of tftpd where it chroots to a given directory before allowing access
to the files. In addition, it runs as nobody when in this mode.
Reviewed a long time ago by Bill and Garrett. Apply my patch from the
pr, and close the PR.


# 6750 26-Feb-1995 jkh

I think the security check to invalidate ALL write requests was just a little
excessive, and violates the specification defined in the manpage to boot.


# 1593 27-May-1994 rgrimes

This commit was generated by cvs2svn to compensate for changes in r1592,
which included commits to RCS files with non-trunk default branches.


# 1592 27-May-1994 rgrimes

BSD 4.4 Lite Libexec Sources