1
/* SPDX-License-Identifier: MIT */
2
/*
3
 * tftp.c - a simple, read-only tftp server for qemu
4
 *
5
 * Copyright (c) 2004 Magnus Damm <[email protected]>
6
 *
7
 * Permission is hereby granted, free of charge, to any person obtaining a copy
8
 * of this software and associated documentation files (the "Software"), to deal
9
 * in the Software without restriction, including without limitation the rights
10
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
11
 * copies of the Software, and to permit persons to whom the Software is
12
 * furnished to do so, subject to the following conditions:
13
 *
14
 * The above copyright notice and this permission notice shall be included in
15
 * all copies or substantial portions of the Software.
16
 *
17
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
18
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
19
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL
20
 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
21
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
22
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
23
 * THE SOFTWARE.
24
 */
25

26
#include "slirp.h"
27

28
#include <sys/types.h>
29
#include <sys/stat.h>
30
#include <fcntl.h>
31

32
static inline int tftp_session_in_use(struct tftp_session *spt)
33
{
34
    return (spt->slirp != NULL);
35
}
36

37
static inline void tftp_session_update(struct tftp_session *spt)
38
{
39
    spt->timestamp = curtime;
40
}
41

42
static void tftp_session_terminate(struct tftp_session *spt)
43
{
44
    if (spt->fd >= 0) {
45
        close(spt->fd);
46
        spt->fd = -1;
47
    }
48
    g_free(spt->filename);
49
    spt->slirp = NULL;
50
}
51

52
static int tftp_session_allocate(Slirp *slirp, struct sockaddr_storage *srcsas,
53
                                 struct tftphdr *hdr)
54
{
55
    struct tftp_session *spt;
56
    int k;
57

58
    for (k = 0; k < TFTP_SESSIONS_MAX; k++) {
59
        spt = &slirp->tftp_sessions[k];
60

61
        if (!tftp_session_in_use(spt))
62
            goto found;
63

64
        /* sessions time out after 5 inactive seconds */
65
        if ((int)(curtime - spt->timestamp) > 5000) {
66
            tftp_session_terminate(spt);
67
            goto found;
68
        }
69
    }
70

71
    return -1;
72

73
found:
74
    memset(spt, 0, sizeof(*spt));
75
    memcpy(&spt->client_addr, srcsas, sockaddr_size(srcsas));
76
    spt->fd = -1;
77
    spt->block_size = 512;
78
    spt->client_port = hdr->udp.uh_sport;
79
    spt->slirp = slirp;
80

81
    tftp_session_update(spt);
82

83
    return k;
84
}
85

86
static int tftp_session_find(Slirp *slirp, struct sockaddr_storage *srcsas,
87
                             struct tftphdr *hdr)
88
{
89
    struct tftp_session *spt;
90
    int k;
91

92
    for (k = 0; k < TFTP_SESSIONS_MAX; k++) {
93
        spt = &slirp->tftp_sessions[k];
94

95
        if (tftp_session_in_use(spt)) {
96
            if (sockaddr_equal(&spt->client_addr, srcsas)) {
97
                if (spt->client_port == hdr->udp.uh_sport) {
98
                    return k;
99
                }
100
            }
101
        }
102
    }
103

104
    return -1;
105
}
106

107
void tftp_cleanup(Slirp *slirp)
108
{
109
    struct tftp_session *spt;
110
    int k;
111

112
    for (k = 0; k < TFTP_SESSIONS_MAX; k++) {
113
        spt = &slirp->tftp_sessions[k];
114

115
        if (tftp_session_in_use(spt)) {
116
            tftp_session_terminate(spt);
117
        }
118
    }
119
}
120

121
static int tftp_read_data(struct tftp_session *spt, uint32_t block_nr,
122
                          uint8_t *buf, int len)
123
{
124
    int bytes_read = 0;
125

126
    if (spt->fd < 0) {
127
        spt->fd = open(spt->filename, O_RDONLY | O_BINARY);
128
    }
129

130
    if (spt->fd < 0) {
131
        return -1;
132
    }
133

134
    if (len) {
135
        if (lseek(spt->fd, block_nr * spt->block_size, SEEK_SET) == (off_t)-1) {
136
            return -1;
137
        }
138

139
        bytes_read = read(spt->fd, buf, len);
140
    }
141

142
    return bytes_read;
143
}
144

145
static struct tftp_t *tftp_prep_mbuf_data(struct tftp_session *spt,
146
                                          struct mbuf *m)
147
{
148
    struct tftp_t *tp;
149

150
    memset(m->m_data, 0, m->m_size);
151

152
    m->m_data += IF_MAXLINKHDR;
153
    if (spt->client_addr.ss_family == AF_INET6) {
154
        m->m_data += sizeof(struct ip6);
155
    } else {
156
        m->m_data += sizeof(struct ip);
157
    }
158
    tp = (void *)m->m_data;
159
    m->m_data += sizeof(struct udphdr);
160

161
    return tp;
162
}
163

164
static void tftp_udp_output(struct tftp_session *spt, struct mbuf *m,
165
                            struct tftphdr *hdr)
166
{
167
    if (spt->client_addr.ss_family == AF_INET6) {
168
        struct sockaddr_in6 sa6, da6;
169

170
        sa6.sin6_addr = spt->slirp->vhost_addr6;
171
        sa6.sin6_port = hdr->udp.uh_dport;
172
        da6.sin6_addr = ((struct sockaddr_in6 *)&spt->client_addr)->sin6_addr;
173
        da6.sin6_port = spt->client_port;
174

175
        udp6_output(NULL, m, &sa6, &da6);
176
    } else {
177
        struct sockaddr_in sa4, da4;
178

179
        sa4.sin_addr = spt->slirp->vhost_addr;
180
        sa4.sin_port = hdr->udp.uh_dport;
181
        da4.sin_addr = ((struct sockaddr_in *)&spt->client_addr)->sin_addr;
182
        da4.sin_port = spt->client_port;
183

184
        udp_output(NULL, m, &sa4, &da4, IPTOS_LOWDELAY);
185
    }
186
}
187

188
static int tftp_send_oack(struct tftp_session *spt, const char *keys[],
189
                          uint32_t values[], int nb, struct tftp_t *recv_tp)
190
{
191
    struct mbuf *m;
192
    struct tftp_t *tp;
193
    int i, n = 0;
194

195
    m = m_get(spt->slirp);
196

197
    if (!m)
198
        return -1;
199

200
    tp = tftp_prep_mbuf_data(spt, m);
201

202
    tp->hdr.tp_op = htons(TFTP_OACK);
203
    for (i = 0; i < nb; i++) {
204
        n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", keys[i]);
205
        n += slirp_fmt0(tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", values[i]);
206
    }
207

208
    m->m_len = G_SIZEOF_MEMBER(struct tftp_t, hdr.tp_op) + n;
209
    tftp_udp_output(spt, m, &recv_tp->hdr);
210

211
    return 0;
212
}
213

214
static void tftp_send_error(struct tftp_session *spt, uint16_t errorcode,
215
                            const char *msg, struct tftp_t *recv_tp)
216
{
217
    struct mbuf *m;
218
    struct tftp_t *tp;
219

220
    DEBUG_TFTP("tftp error msg: %s", msg);
221

222
    m = m_get(spt->slirp);
223

224
    if (!m) {
225
        goto out;
226
    }
227

228
    tp = tftp_prep_mbuf_data(spt, m);
229

230
    tp->hdr.tp_op = htons(TFTP_ERROR);
231
    tp->x.tp_error.tp_error_code = htons(errorcode);
232
    slirp_pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg),
233
                  msg);
234

235
    m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX + 2) + 3 +
236
               strlen(msg) - sizeof(struct udphdr);
237
    tftp_udp_output(spt, m, &recv_tp->hdr);
238

239
out:
240
    tftp_session_terminate(spt);
241
}
242

243
static void tftp_send_next_block(struct tftp_session *spt,
244
                                 struct tftphdr *hdr)
245
{
246
    struct mbuf *m;
247
    struct tftp_t *tp;
248
    int nobytes;
249

250
    m = m_get(spt->slirp);
251

252
    if (!m) {
253
        return;
254
    }
255

256
    tp = tftp_prep_mbuf_data(spt, m);
257

258
    tp->hdr.tp_op = htons(TFTP_DATA);
259
    tp->x.tp_data.tp_block_nr = htons((spt->block_nr + 1) & 0xffff);
260

261
    nobytes = tftp_read_data(spt, spt->block_nr, tp->x.tp_data.tp_buf,
262
                             spt->block_size);
263

264
    if (nobytes < 0) {
265
        /* send "file not found" error back */
266

267
        tftp_send_error(spt, 1, "File not found", tp);
268

269
        m_free(m);
270

271
        return;
272
    }
273

274
    m->m_len = sizeof(struct tftp_t) - (TFTP_BLOCKSIZE_MAX - nobytes) -
275
               sizeof(struct udphdr);
276
    tftp_udp_output(spt, m, hdr);
277

278
    if (nobytes == spt->block_size) {
279
        tftp_session_update(spt);
280
    } else {
281
        tftp_session_terminate(spt);
282
    }
283

284
    spt->block_nr++;
285
}
286

287
static void tftp_handle_rrq(Slirp *slirp, struct sockaddr_storage *srcsas,
288
                            struct tftp_t *tp, int pktlen)
289
{
290
    struct tftp_session *spt;
291
    int s, k;
292
    size_t prefix_len;
293
    char *req_fname;
294
    const char *option_name[2];
295
    uint32_t option_value[2];
296
    int nb_options = 0;
297

298
    /* check if a session already exists and if so terminate it */
299
    s = tftp_session_find(slirp, srcsas, &tp->hdr);
300
    if (s >= 0) {
301
        tftp_session_terminate(&slirp->tftp_sessions[s]);
302
    }
303

304
    s = tftp_session_allocate(slirp, srcsas, &tp->hdr);
305

306
    if (s < 0) {
307
        return;
308
    }
309

310
    spt = &slirp->tftp_sessions[s];
311

312
    /* unspecified prefix means service disabled */
313
    if (!slirp->tftp_prefix) {
314
        tftp_send_error(spt, 2, "Access violation", tp);
315
        return;
316
    }
317

318
    /* skip header fields */
319
    k = 0;
320
    pktlen -= offsetof(struct tftp_t, x.tp_buf);
321

322
    /* prepend tftp_prefix */
323
    prefix_len = strlen(slirp->tftp_prefix);
324
    spt->filename = g_malloc(prefix_len + TFTP_FILENAME_MAX + 2);
325
    memcpy(spt->filename, slirp->tftp_prefix, prefix_len);
326
    spt->filename[prefix_len] = '/';
327

328
    /* get name */
329
    req_fname = spt->filename + prefix_len + 1;
330

331
    while (1) {
332
        if (k >= TFTP_FILENAME_MAX || k >= pktlen) {
333
            tftp_send_error(spt, 2, "Access violation", tp);
334
            return;
335
        }
336
        req_fname[k] = tp->x.tp_buf[k];
337
        if (req_fname[k++] == '\0') {
338
            break;
339
        }
340
    }
341

342
    DEBUG_TFTP("tftp rrq file: %s", req_fname);
343

344
    /* check mode */
345
    if ((pktlen - k) < 6) {
346
        tftp_send_error(spt, 2, "Access violation", tp);
347
        return;
348
    }
349

350
    if (g_ascii_strcasecmp(&tp->x.tp_buf[k], "octet") != 0) {
351
        tftp_send_error(spt, 4, "Unsupported transfer mode", tp);
352
        return;
353
    }
354

355
    k += 6; /* skipping octet */
356

357
    /* do sanity checks on the filename */
358
    if (
359
#ifdef G_OS_WIN32
360
        strstr(req_fname, "..\\") ||
361
        req_fname[strlen(req_fname) - 1] == '\\' ||
362
#endif
363
        strstr(req_fname, "../") ||
364
        req_fname[strlen(req_fname) - 1] == '/') {
365
        tftp_send_error(spt, 2, "Access violation", tp);
366
        return;
367
    }
368

369
    /* check if the file exists */
370
    if (tftp_read_data(spt, 0, NULL, 0) < 0) {
371
        tftp_send_error(spt, 1, "File not found", tp);
372
        return;
373
    }
374

375
    if (tp->x.tp_buf[pktlen - 1] != 0) {
376
        tftp_send_error(spt, 2, "Access violation", tp);
377
        return;
378
    }
379

380
    while (k < pktlen && nb_options < G_N_ELEMENTS(option_name)) {
381
        const char *key, *value;
382

383
        key = &tp->x.tp_buf[k];
384
        k += strlen(key) + 1;
385

386
        if (k >= pktlen) {
387
            tftp_send_error(spt, 2, "Access violation", tp);
388
            return;
389
        }
390

391
        value = &tp->x.tp_buf[k];
392
        k += strlen(value) + 1;
393

394
        if (g_ascii_strcasecmp(key, "tsize") == 0) {
395
            int tsize = atoi(value);
396
            struct stat stat_p;
397

398
            if (tsize == 0) {
399
                if (stat(spt->filename, &stat_p) == 0)
400
                    tsize = stat_p.st_size;
401
                else {
402
                    tftp_send_error(spt, 1, "File not found", tp);
403
                    return;
404
                }
405
            }
406

407
            option_name[nb_options] = "tsize";
408
            option_value[nb_options] = tsize;
409
            nb_options++;
410
        } else if (g_ascii_strcasecmp(key, "blksize") == 0) {
411
            int blksize = atoi(value);
412

413
            /* Accept blksize up to our maximum size */
414
            if (blksize > 0) {
415
                spt->block_size = MIN(blksize, TFTP_BLOCKSIZE_MAX);
416
                option_name[nb_options] = "blksize";
417
                option_value[nb_options] = spt->block_size;
418
                nb_options++;
419
            }
420
        }
421
    }
422

423
    if (nb_options > 0) {
424
        assert(nb_options <= G_N_ELEMENTS(option_name));
425
        tftp_send_oack(spt, option_name, option_value, nb_options, tp);
426
        return;
427
    }
428

429
    spt->block_nr = 0;
430
    tftp_send_next_block(spt, &tp->hdr);
431
}
432

433
static void tftp_handle_ack(Slirp *slirp, struct sockaddr_storage *srcsas,
434
                            struct tftphdr *hdr)
435
{
436
    int s;
437

438
    s = tftp_session_find(slirp, srcsas, hdr);
439

440
    if (s < 0) {
441
        return;
442
    }
443

444
    tftp_send_next_block(&slirp->tftp_sessions[s], hdr);
445
}
446

447
static void tftp_handle_error(Slirp *slirp, struct sockaddr_storage *srcsas,
448
                              struct tftphdr *hdr)
449
{
450
    int s;
451

452
    s = tftp_session_find(slirp, srcsas, hdr);
453

454
    if (s < 0) {
455
        return;
456
    }
457

458
    tftp_session_terminate(&slirp->tftp_sessions[s]);
459
}
460

461
void tftp_input(struct sockaddr_storage *srcsas, struct mbuf *m)
462
{
463
    struct tftphdr *hdr = mtod_check(m, sizeof(struct tftphdr));
464

465
    if (hdr == NULL) {
466
        return;
467
    }
468

469
    switch (ntohs(hdr->tp_op)) {
470
    case TFTP_RRQ:
471
        tftp_handle_rrq(m->slirp, srcsas,
472
                        mtod(m, struct tftp_t *),
473
                        m->m_len);
474
        break;
475

476
    case TFTP_ACK:
477
        tftp_handle_ack(m->slirp, srcsas, hdr);
478
        break;
479

480
    case TFTP_ERROR:
481
        tftp_handle_error(m->slirp, srcsas, hdr);
482
        break;
483
    }
484
}
485

486