1/*	$NetBSD: tftp.c,v 1.4 1997/09/17 16:57:07 drochner Exp $	 */
2
3/*
4 * Copyright (c) 1996
5 *	Matthias Drochner.  All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 *    notice, this list of conditions and the following disclaimer in the
14 *    documentation and/or other materials provided with the distribution.
15 * 3. All advertising materials mentioning features or use of this software
16 *    must display the following acknowledgement:
17 *	This product includes software developed for the NetBSD Project
18 *	by Matthias Drochner.
19 * 4. The name of the author may not be used to endorse or promote products
20 *    derived from this software without specific prior written permission.
21 *
22 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
23 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
24 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
25 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
26 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
27 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
28 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
29 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
30 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
31 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
32 */
33
34#include <sys/cdefs.h>
35__FBSDID("$FreeBSD: stable/11/stand/libsa/tftp.c 344408 2019-02-21 02:43:48Z kevans $");
36
37/*
38 * Simple TFTP implementation for libsa.
39 * Assumes:
40 *  - socket descriptor (int) at open_file->f_devdata
41 *  - server host IP in global servip
42 * Restrictions:
43 *  - read only
44 *  - lseek only with SEEK_SET or SEEK_CUR
45 *  - no big time differences between transfers (<tftp timeout)
46 */
47
48#include <sys/types.h>
49#include <sys/stat.h>
50#include <netinet/in.h>
51#include <netinet/udp.h>
52#include <netinet/in_systm.h>
53#include <arpa/tftp.h>
54
55#include <string.h>
56
57#include "stand.h"
58#include "net.h"
59#include "netif.h"
60
61#include "tftp.h"
62
63struct tftp_handle;
64struct tftprecv_extra;
65
66static ssize_t recvtftp(struct iodesc *, void **, void **, time_t, void *);
67static int tftp_open(const char *, struct open_file *);
68static int tftp_close(struct open_file *);
69static int tftp_parse_oack(struct tftp_handle *, char *, size_t);
70static int tftp_read(struct open_file *, void *, size_t, size_t *);
71static off_t tftp_seek(struct open_file *, off_t, int);
72static int tftp_set_blksize(struct tftp_handle *, const char *);
73static int tftp_stat(struct open_file *, struct stat *);
74
75struct fs_ops tftp_fsops = {
76	.fs_name = "tftp",
77	.fo_open = tftp_open,
78	.fo_close = tftp_close,
79	.fo_read = tftp_read,
80	.fo_write = null_write,
81	.fo_seek = tftp_seek,
82	.fo_stat = tftp_stat,
83	.fo_readdir = null_readdir
84};
85
86extern struct in_addr servip;
87
88static int	tftpport = 2000;
89static int	is_open = 0;
90
91/*
92 * The legacy TFTP_BLKSIZE value was SEGSIZE(512).
93 * TFTP_REQUESTED_BLKSIZE of 1428 is (Ethernet MTU, less the TFTP, UDP and
94 * IP header lengths).
95 */
96#define	TFTP_REQUESTED_BLKSIZE 1428
97
98/*
99 * Choose a blksize big enough so we can test with Ethernet
100 * Jumbo frames in the future.
101 */
102#define	TFTP_MAX_BLKSIZE 9008
103
104struct tftp_handle {
105	struct iodesc  *iodesc;
106	int		currblock;	/* contents of lastdata */
107	int		islastblock;	/* flag */
108	int		validsize;
109	int		off;
110	char		*path;	/* saved for re-requests */
111	unsigned int	tftp_blksize;
112	unsigned long	tftp_tsize;
113	void		*pkt;
114	struct tftphdr	*tftp_hdr;
115};
116
117struct tftprecv_extra {
118	struct tftp_handle	*tftp_handle;
119	unsigned short		rtype;		/* Received type */
120};
121
122#define	TFTP_MAX_ERRCODE EOPTNEG
123static const int tftperrors[TFTP_MAX_ERRCODE + 1] = {
124	0,			/* ??? */
125	ENOENT,
126	EPERM,
127	ENOSPC,
128	EINVAL,			/* ??? */
129	EINVAL,			/* ??? */
130	EEXIST,
131	EINVAL,			/* ??? */
132	EINVAL,			/* Option negotiation failed. */
133};
134
135static int  tftp_getnextblock(struct tftp_handle *h);
136
137/* send error message back. */
138static void
139tftp_senderr(struct tftp_handle *h, u_short errcode, const char *msg)
140{
141	struct {
142		u_char header[HEADER_SIZE];
143		struct tftphdr t;
144		u_char space[63]; /* +1 from t */
145	} __packed __aligned(4) wbuf;
146	char *wtail;
147	int len;
148
149	len = strlen(msg);
150	if (len > sizeof(wbuf.space))
151		len = sizeof(wbuf.space);
152
153	wbuf.t.th_opcode = htons((u_short)ERROR);
154	wbuf.t.th_code = htons(errcode);
155
156	wtail = wbuf.t.th_msg;
157	bcopy(msg, wtail, len);
158	wtail[len] = '\0';
159	wtail += len + 1;
160
161	sendudp(h->iodesc, &wbuf.t, wtail - (char *)&wbuf.t);
162}
163
164static void
165tftp_sendack(struct tftp_handle *h, u_short block)
166{
167	struct {
168		u_char header[HEADER_SIZE];
169		struct tftphdr  t;
170	} __packed __aligned(4) wbuf;
171	char *wtail;
172
173	wbuf.t.th_opcode = htons((u_short)ACK);
174	wtail = (char *)&wbuf.t.th_block;
175	wbuf.t.th_block = htons(block);
176	wtail += 2;
177
178	sendudp(h->iodesc, &wbuf.t, wtail - (char *)&wbuf.t);
179}
180
181static ssize_t
182recvtftp(struct iodesc *d, void **pkt, void **payload, time_t tleft,
183    void *recv_extra)
184{
185	struct tftprecv_extra *extra;
186	struct tftp_handle *h;
187	struct tftphdr *t;
188	void *ptr = NULL;
189	ssize_t len;
190
191	errno = 0;
192	extra = recv_extra;
193	h = extra->tftp_handle;
194
195	len = readudp(d, &ptr, (void **)&t, tleft);
196
197	if (len < 4) {
198		free(ptr);
199		return (-1);
200	}
201
202	extra->rtype = ntohs(t->th_opcode);
203	switch (ntohs(t->th_opcode)) {
204	case DATA: {
205		int got;
206
207		if (htons(t->th_block) < (u_short)d->xid) {
208			/*
209			 * Apparently our ACK was missed, re-send.
210			 */
211			tftp_sendack(h, htons(t->th_block));
212			free(ptr);
213			return (-1);
214		}
215		if (htons(t->th_block) != (u_short)d->xid) {
216			/*
217			 * Packet from the future, drop this.
218			 */
219			free(ptr);
220			return (-1);
221		}
222		if (d->xid == 1) {
223			/*
224			 * First data packet from new port.
225			 */
226			struct udphdr *uh;
227			uh = (struct udphdr *)t - 1;
228			d->destport = uh->uh_sport;
229		}
230		got = len - (t->th_data - (char *)t);
231		*pkt = ptr;
232		*payload = t;
233		return (got);
234	}
235	case ERROR:
236		if ((unsigned)ntohs(t->th_code) > TFTP_MAX_ERRCODE) {
237			printf("illegal tftp error %d\n", ntohs(t->th_code));
238			errno = EIO;
239		} else {
240#ifdef TFTP_DEBUG
241			printf("tftp-error %d\n", ntohs(t->th_code));
242#endif
243			errno = tftperrors[ntohs(t->th_code)];
244		}
245		free(ptr);
246		return (-1);
247	case OACK: {
248		struct udphdr *uh;
249		int tftp_oack_len;
250
251		/*
252		 * Unexpected OACK. TFTP transfer already in progress.
253		 * Drop the pkt.
254		 */
255		if (d->xid != 1) {
256			free(ptr);
257			return (-1);
258		}
259
260		/*
261		 * Remember which port this OACK came from, because we need
262		 * to send the ACK or errors back to it.
263		 */
264		uh = (struct udphdr *)t - 1;
265		d->destport = uh->uh_sport;
266
267		/* Parse options ACK-ed by the server. */
268		tftp_oack_len = len - sizeof(t->th_opcode);
269		if (tftp_parse_oack(h, t->th_u.tu_stuff, tftp_oack_len) != 0) {
270			tftp_senderr(h, EOPTNEG, "Malformed OACK");
271			errno = EIO;
272			free(ptr);
273			return (-1);
274		}
275		*pkt = ptr;
276		*payload = t;
277		return (0);
278	}
279	default:
280#ifdef TFTP_DEBUG
281		printf("tftp type %d not handled\n", ntohs(t->th_opcode));
282#endif
283		free(ptr);
284		return (-1);
285	}
286}
287
288/* send request, expect first block (or error) */
289static int
290tftp_makereq(struct tftp_handle *h)
291{
292	struct {
293		u_char header[HEADER_SIZE];
294		struct tftphdr  t;
295		u_char space[FNAME_SIZE + 6];
296	} __packed __aligned(4) wbuf;
297	struct tftprecv_extra recv_extra;
298	char *wtail;
299	int l;
300	ssize_t res;
301	void *pkt;
302	struct tftphdr *t;
303	char *tftp_blksize = NULL;
304	int blksize_l;
305
306	/*
307	 * Allow overriding default TFTP block size by setting
308	 * a tftp.blksize environment variable.
309	 */
310	if ((tftp_blksize = getenv("tftp.blksize")) != NULL) {
311		tftp_set_blksize(h, tftp_blksize);
312	}
313
314	wbuf.t.th_opcode = htons((u_short)RRQ);
315	wtail = wbuf.t.th_stuff;
316	l = strlen(h->path);
317#ifdef TFTP_PREPEND_PATH
318	if (l > FNAME_SIZE - (sizeof(TFTP_PREPEND_PATH) - 1))
319		return (ENAMETOOLONG);
320	bcopy(TFTP_PREPEND_PATH, wtail, sizeof(TFTP_PREPEND_PATH) - 1);
321	wtail += sizeof(TFTP_PREPEND_PATH) - 1;
322#else
323	if (l > FNAME_SIZE)
324		return (ENAMETOOLONG);
325#endif
326	bcopy(h->path, wtail, l + 1);
327	wtail += l + 1;
328	bcopy("octet", wtail, 6);
329	wtail += 6;
330	bcopy("blksize", wtail, 8);
331	wtail += 8;
332	blksize_l = sprintf(wtail, "%d", h->tftp_blksize);
333	wtail += blksize_l + 1;
334	bcopy("tsize", wtail, 6);
335	wtail += 6;
336	bcopy("0", wtail, 2);
337	wtail += 2;
338
339	h->iodesc->myport = htons(tftpport + (getsecs() & 0x3ff));
340	h->iodesc->destport = htons(IPPORT_TFTP);
341	h->iodesc->xid = 1;	/* expected block */
342
343	h->currblock = 0;
344	h->islastblock = 0;
345	h->validsize = 0;
346
347	pkt = NULL;
348	recv_extra.tftp_handle = h;
349	res = sendrecv(h->iodesc, &sendudp, &wbuf.t, wtail - (char *)&wbuf.t,
350	    &recvtftp, &pkt, (void **)&t, &recv_extra);
351	if (res == -1) {
352		free(pkt);
353		return (errno);
354	}
355
356	free(h->pkt);
357	h->pkt = pkt;
358	h->tftp_hdr = t;
359
360	if (recv_extra.rtype == OACK)
361		return (tftp_getnextblock(h));
362
363	/* Server ignored our blksize request, revert to TFTP default. */
364	h->tftp_blksize = SEGSIZE;
365
366	switch (recv_extra.rtype) {
367		case DATA: {
368			h->currblock = 1;
369			h->validsize = res;
370			h->islastblock = 0;
371			if (res < h->tftp_blksize) {
372				h->islastblock = 1;	/* very short file */
373				tftp_sendack(h, h->currblock);
374			}
375			return (0);
376		}
377		case ERROR:
378		default:
379			return (errno);
380	}
381
382}
383
384/* ack block, expect next */
385static int
386tftp_getnextblock(struct tftp_handle *h)
387{
388	struct {
389		u_char header[HEADER_SIZE];
390		struct tftphdr t;
391	} __packed __aligned(4) wbuf;
392	struct tftprecv_extra recv_extra;
393	char *wtail;
394	int res;
395	void *pkt;
396	struct tftphdr *t;
397
398	wbuf.t.th_opcode = htons((u_short)ACK);
399	wtail = (char *)&wbuf.t.th_block;
400	wbuf.t.th_block = htons((u_short)h->currblock);
401	wtail += 2;
402
403	h->iodesc->xid = h->currblock + 1;	/* expected block */
404
405	pkt = NULL;
406	recv_extra.tftp_handle = h;
407	res = sendrecv(h->iodesc, &sendudp, &wbuf.t, wtail - (char *)&wbuf.t,
408	    &recvtftp, &pkt, (void **)&t, &recv_extra);
409
410	if (res == -1) {		/* 0 is OK! */
411		free(pkt);
412		return (errno);
413	}
414
415	free(h->pkt);
416	h->pkt = pkt;
417	h->tftp_hdr = t;
418	h->currblock++;
419	h->validsize = res;
420	if (res < h->tftp_blksize)
421		h->islastblock = 1;	/* EOF */
422
423	if (h->islastblock == 1) {
424		/* Send an ACK for the last block */
425		wbuf.t.th_block = htons((u_short)h->currblock);
426		sendudp(h->iodesc, &wbuf.t, wtail - (char *)&wbuf.t);
427	}
428
429	return (0);
430}
431
432static int
433tftp_open(const char *path, struct open_file *f)
434{
435	struct tftp_handle *tftpfile;
436	struct iodesc	*io;
437	int		res;
438	size_t		pathsize;
439	const char	*extraslash;
440
441	if (netproto != NET_TFTP)
442		return (EINVAL);
443
444	if (f->f_dev->dv_type != DEVT_NET)
445		return (EINVAL);
446
447	if (is_open)
448		return (EBUSY);
449
450	tftpfile = calloc(1, sizeof(*tftpfile));
451	if (!tftpfile)
452		return (ENOMEM);
453
454	tftpfile->tftp_blksize = TFTP_REQUESTED_BLKSIZE;
455	tftpfile->iodesc = io = socktodesc(*(int *)(f->f_devdata));
456	if (io == NULL) {
457		free(tftpfile);
458		return (EINVAL);
459	}
460
461	io->destip = servip;
462	tftpfile->off = 0;
463	pathsize = (strlen(rootpath) + 1 + strlen(path) + 1) * sizeof(char);
464	tftpfile->path = malloc(pathsize);
465	if (tftpfile->path == NULL) {
466		free(tftpfile);
467		return (ENOMEM);
468	}
469	if (rootpath[strlen(rootpath) - 1] == '/' || path[0] == '/')
470		extraslash = "";
471	else
472		extraslash = "/";
473	res = snprintf(tftpfile->path, pathsize, "%s%s%s",
474	    rootpath, extraslash, path);
475	if (res < 0 || res > pathsize) {
476		free(tftpfile->path);
477		free(tftpfile);
478		return (ENOMEM);
479	}
480
481	res = tftp_makereq(tftpfile);
482
483	if (res) {
484		free(tftpfile->path);
485		free(tftpfile->pkt);
486		free(tftpfile);
487		return (res);
488	}
489	f->f_fsdata = tftpfile;
490	is_open = 1;
491	return (0);
492}
493
494static int
495tftp_read(struct open_file *f, void *addr, size_t size,
496    size_t *resid /* out */)
497{
498	struct tftp_handle *tftpfile;
499	size_t res;
500	int rc;
501
502	rc = 0;
503	res = size;
504	tftpfile = f->f_fsdata;
505
506	/* Make sure we will not read past file end */
507	if (tftpfile->tftp_tsize > 0 &&
508	    tftpfile->off + size > tftpfile->tftp_tsize) {
509		size = tftpfile->tftp_tsize - tftpfile->off;
510	}
511
512	while (size > 0) {
513		int needblock, count;
514
515		twiddle(32);
516
517		needblock = tftpfile->off / tftpfile->tftp_blksize + 1;
518
519		if (tftpfile->currblock > needblock) {	/* seek backwards */
520			tftp_senderr(tftpfile, 0, "No error: read aborted");
521			rc = tftp_makereq(tftpfile);
522			if (rc != 0)
523				break;
524		}
525
526		while (tftpfile->currblock < needblock) {
527
528			rc = tftp_getnextblock(tftpfile);
529			if (rc) {	/* no answer */
530#ifdef TFTP_DEBUG
531				printf("tftp: read error\n");
532#endif
533				return (rc);
534			}
535			if (tftpfile->islastblock)
536				break;
537		}
538
539		if (tftpfile->currblock == needblock) {
540			int offinblock, inbuffer;
541
542			offinblock = tftpfile->off % tftpfile->tftp_blksize;
543
544			inbuffer = tftpfile->validsize - offinblock;
545			if (inbuffer < 0) {
546#ifdef TFTP_DEBUG
547				printf("tftp: invalid offset %d\n",
548				    tftpfile->off);
549#endif
550				return (EINVAL);
551			}
552			count = (size < inbuffer ? size : inbuffer);
553			bcopy(tftpfile->tftp_hdr->th_data + offinblock,
554			    addr, count);
555
556			addr = (char *)addr + count;
557			tftpfile->off += count;
558			size -= count;
559			res -= count;
560
561			if ((tftpfile->islastblock) && (count == inbuffer))
562				break;	/* EOF */
563		} else {
564#ifdef TFTP_DEBUG
565			printf("tftp: block %d not found\n", needblock);
566#endif
567			return (EINVAL);
568		}
569
570	}
571
572	if (resid != NULL)
573		*resid = res;
574	return (rc);
575}
576
577static int
578tftp_close(struct open_file *f)
579{
580	struct tftp_handle *tftpfile;
581	tftpfile = f->f_fsdata;
582
583	/* let it time out ... */
584
585	if (tftpfile) {
586		free(tftpfile->path);
587		free(tftpfile->pkt);
588		free(tftpfile);
589	}
590	is_open = 0;
591	return (0);
592}
593
594static int
595tftp_stat(struct open_file *f, struct stat *sb)
596{
597	struct tftp_handle *tftpfile;
598	tftpfile = f->f_fsdata;
599
600	sb->st_mode = 0444 | S_IFREG;
601	sb->st_nlink = 1;
602	sb->st_uid = 0;
603	sb->st_gid = 0;
604	sb->st_size = tftpfile->tftp_tsize;
605	return (0);
606}
607
608static off_t
609tftp_seek(struct open_file *f, off_t offset, int where)
610{
611	struct tftp_handle *tftpfile;
612	tftpfile = f->f_fsdata;
613
614	switch (where) {
615	case SEEK_SET:
616		tftpfile->off = offset;
617		break;
618	case SEEK_CUR:
619		tftpfile->off += offset;
620		break;
621	default:
622		errno = EOFFSET;
623		return (-1);
624	}
625	return (tftpfile->off);
626}
627
628static int
629tftp_set_blksize(struct tftp_handle *h, const char *str)
630{
631	char *endptr;
632	int new_blksize;
633	int ret = 0;
634
635	if (h == NULL || str == NULL)
636		return (ret);
637
638	new_blksize =
639	    (unsigned int)strtol(str, &endptr, 0);
640
641	/*
642	 * Only accept blksize value if it is numeric.
643	 * RFC2348 specifies that acceptable values are 8-65464.
644	 * Let's choose a limit less than MAXRSPACE.
645	 */
646	if (*endptr == '\0' && new_blksize >= 8 &&
647	    new_blksize <= TFTP_MAX_BLKSIZE) {
648		h->tftp_blksize = new_blksize;
649		ret = 1;
650	}
651
652	return (ret);
653}
654
655/*
656 * In RFC2347, the TFTP Option Acknowledgement package (OACK)
657 * is used to acknowledge a client's option negotiation request.
658 * The format of an OACK packet is:
659 *    +-------+---~~---+---+---~~---+---+---~~---+---+---~~---+---+
660 *    |  opc  |  opt1  | 0 | value1 | 0 |  optN  | 0 | valueN | 0 |
661 *    +-------+---~~---+---+---~~---+---+---~~---+---+---~~---+---+
662 *
663 *    opc
664 *       The opcode field contains a 6, for Option Acknowledgment.
665 *
666 *    opt1
667 *       The first option acknowledgment, copied from the original
668 *       request.
669 *
670 *    value1
671 *       The acknowledged value associated with the first option.  If
672 *       and how this value may differ from the original request is
673 *       detailed in the specification for the option.
674 *
675 *    optN, valueN
676 *       The final option/value acknowledgment pair.
677 */
678static int
679tftp_parse_oack(struct tftp_handle *h, char *buf, size_t len)
680{
681	/*
682	 *  We parse the OACK strings into an array
683	 *  of name-value pairs.
684	 */
685	char *tftp_options[128] = { 0 };
686	char *val = buf;
687	int i = 0;
688	int option_idx = 0;
689	int blksize_is_set = 0;
690	int tsize = 0;
691
692	unsigned int orig_blksize;
693
694	while (option_idx < 128 && i < len) {
695		if (buf[i] == '\0') {
696			if (&buf[i] > val) {
697				tftp_options[option_idx] = val;
698				val = &buf[i] + 1;
699				++option_idx;
700			}
701		}
702		++i;
703	}
704
705	/* Save the block size we requested for sanity check later. */
706	orig_blksize = h->tftp_blksize;
707
708	/*
709	 * Parse individual TFTP options.
710	 *    * "blksize" is specified in RFC2348.
711	 *    * "tsize" is specified in RFC2349.
712	 */
713	for (i = 0; i < option_idx; i += 2) {
714		if (strcasecmp(tftp_options[i], "blksize") == 0) {
715			if (i + 1 < option_idx)
716				blksize_is_set =
717				    tftp_set_blksize(h, tftp_options[i + 1]);
718		} else if (strcasecmp(tftp_options[i], "tsize") == 0) {
719			if (i + 1 < option_idx)
720				tsize = strtol(tftp_options[i + 1], NULL, 10);
721			if (tsize != 0)
722				h->tftp_tsize = tsize;
723		} else {
724			/*
725			 * Do not allow any options we did not expect to be
726			 * ACKed.
727			 */
728			printf("unexpected tftp option '%s'\n",
729			    tftp_options[i]);
730			return (-1);
731		}
732	}
733
734	if (!blksize_is_set) {
735		/*
736		 * If TFTP blksize was not set, try defaulting
737		 * to the legacy TFTP blksize of SEGSIZE(512)
738		 */
739		h->tftp_blksize = SEGSIZE;
740	} else if (h->tftp_blksize > orig_blksize) {
741		/*
742		 * Server should not be proposing block sizes that
743		 * exceed what we said we can handle.
744		 */
745		printf("unexpected blksize %u\n", h->tftp_blksize);
746		return (-1);
747	}
748
749#ifdef TFTP_DEBUG
750	printf("tftp_blksize: %u\n", h->tftp_blksize);
751	printf("tftp_tsize: %lu\n", h->tftp_tsize);
752#endif
753	return (0);
754}
755