tftpd: silence gcc overflow warnings

GCC 13 complains that we might be writing too much to an on-stack buffer
when createing a filename.

In practice there is a check that filename isn't too long given the
time format and other static characters so GCC is incorrect, but GCC
isn't wrong that we're potentially trying to put a MAXPATHLEN length
string + some other characters into a MAXPATHLEN buffer (if you ignore
the check GCC can't realistically evaluate at compile time).

Switch to snprintf to populate filename to ensure that future logic
errors don't result in a stack overflow.

Shorten the questionably named yyyymmdd buffer enough to slience the
warning (checking the snprintf return value isn't sufficent) while
preserving maximum flexibility for admins who use the -F option.

MFC after: 3 days
Sponsored by: Klara, Inc.
Reviewed by: brooks
Differential Revision: https://reviews.freebsd.org/D45086

tftpd: Satisfy clang-analyzer.

* Replace `random()` with `arc4random()`.
* Change some variable types.
* Drop some unused assignments.

MFC after: 3 days
Sponsored by: Klara, Inc.
Reviewed by: imp, markj
Differential Revision: https://reviews.freebsd.org/D45132

tftpd: Untangle a conditional.

MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D45026

tftpd: Immediately reject any request shorter than 4 bytes.

MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D44957

tftpd: Use `size_t` where appropriate.

* Limit the use of `ssize_t` to only where it's needed.
* Correct one case of `int` being used for a length.

MFC after: 1 week
Sponsored by: Klara, Inc.
Reviewed by: kevans
Differential Revision: https://reviews.freebsd.org/D44954

Remove copyright strings ifdef'd out

We've ifdef'd out the copyright strings for some time now. Go ahead and
remove the ifdefs. Plus whatever other detritis was left over from other
recent removals. These copyright strings are present in the comments and
are largely from CSRG's attempt at adding their copyright to every
binary file (which modern interpretations of the license doesn't
require).

Sponsored by: Netflix

libexec: Remove ancient SCCS tags.

Remove ancient SCCS tags from the tree, automated scripting, with two
minor fixup to keep things compiling. All the common forms in the tree
were removed with a perl script.

Sponsored by: Netflix

Remove $FreeBSD$: one-line .c pattern

Remove /^[\s*]*__FBSDID\("\$FreeBSD\$"\);?\s*\n/

Revert "tftpd: fix double-colon typo in option string"

It was not a typo: -d takes an optional argument, which is indicated with
a double colon.

This reverts commit 3cbc8e752b92442c784306731e94fd904de3373c.

Spotted by: kevans

tftpd: fix double-colon typo in option string

MFC after: 1 month
X-MFC-With: 273a307d0b80743fb08e23237b3f74dc94a8fa2a
X-MFC-With: 03c2616dc530e5b23f06f9aa421012154590e578

tftpd: unbreak getopt()

Unbreak getopt() broken by recent commit.

Fixes: 273a307d0b80743fb08e23237b3f74dc94a8fa2a
MFC after: 1 month

tftpd: introduce new option -S

Historically, tftpd disallowed write requests to existing files
that are not publicly writable. Such requirement is questionable at least.
Let us make it possible to run tftpd in chrooted environment
keeping files non-world writable.

New option -S enables write requests to existing files
for chrooted run according to generic file permissions.
It is ignored unless tftpd runs chrooted.

MFC after: 1 month
Requested by: marck
Differential: https://reviews.freebsd.org/D41090 (based on)

tftpd: Don't forget to close stderr on startup.

Just like stdin and stdout, stderr is a copy of the listen socket inherited from inetd. We need to close it so inetd can process further requests, be restarted, etc.

Sponsored by: Klara, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D38968

tftpd: Don't consume arbitrary requests when failing to fork.

We've already consumed one request, which is sufficient to prevent inetd from endlessly restarting us in this particular and extremely unlikely case.

Sponsored by: Klara, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D38967

tftpd: Make the -d option behave as documented.

Sponsored by: Klara, Inc.
Reviewed by: markj
Differential Revision: https://reviews.freebsd.org/D38965

tftpd: whitespace cleanup

tftpd: cleanup

Sponsored by: Klara, Inc.

tftpd: Check for errors from chdir()

MFC after: 1 week
Sponsored by: The FreeBSD Foundation

Fix multiple Coverity warnings in tftpd(8)

* Initialize uninitialized variable (CID 1006502)
* strcpy => strlcpy (CID 1006792, 1006791, 1006790)
* Check function return values (CID 1009442, 1009441, 1009440)
* Delete dead code in receive_packet (not reported by Coverity)
* Remove redundant alarm(3) in receive_packet (not reported by Coverity)

Reported by: Coverity
CID: 1006502, 1006792, 1006791, 1006790, 1009442, 1009441, 1009440
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D11287

tftpd: reject unknown opcodes

If tftpd receives a command with an unknown opcode, it simply exits 1. It
doesn't send an ERROR packet, and the client will hang waiting for one. Fix
it.

PR: 226005
MFC after: 3 weeks

tftpd: Abort on an WRQ access violation

On a WRQ (write request) tftpd checks whether the client has access
permission for the file in question. If not, then the write is prevented.
However, tftpd doesn't reply with an ERROR packet, nor does it abort.
Instead, it tries to receive the packet anyway.

The symptom is slightly different depending on the nature of the error. If
the target file is nonexistent and tftpd lacks permission to create it, then
tftpd will willingly receive the file, but not write it anywhere. If the
file exists but is not writable, then tftpd will fail to ACK to WRQ.

PR: 225996
MFC after: 3 weeks

tftpd: Verify world-writability for WRQ when using relative paths

tftpd(8) says that files may only be written if they already exist and are
publicly writable. tftpd.c verifies that a file is publicly writable if it
uses an absolute pathname. However, if the pathname is relative, that check
is skipped. Fix it.

Note that this is not a security vulnerability, because the transfer
ultimately doesn't work unless the file already exists and is owned by user
nobody. Also, this bug does not affect the default configuration, because
the default uses the "-s" option which makes all pathnames absolute.

PR: 226004
MFC after: 3 weeks

tftpd: Flush files as soon as they are fully received

On an RRQ, tftpd doesn't exit as soon as it's finished receiving a file.
Instead, it waits five seconds just in case the client didn't receive the
server's last ACK and decides to resend the final DATA packet.
Unfortunately, this created a 5 second delay from when the client thinks
it's done sending the file, and when the file is available for other
processes.

Fix this bug by closing the file as soon as receipt is finished.

PR: 157700
Reported by: Barry Mishler <barry_mishler@yahoo.com>
MFC after: 3 weeks

General further adoption of SPDX licensing ID tags.

Mainly focus on files that use BSD 3-Clause license.

The Software Package Data Exchange (SPDX) group provides a specification
to make it easier for automated tools to detect and summarize well known
opensource licenses. We are gradually adopting the specification, noting
that the tags are considered only advisory and do not, in any way,
superceed or replace the license texts.

Special thanks to Wind River for providing access to "The Duke of
Highlander" tool: an older (2014) run over FreeBSD tree was useful as a
starting point.

Conditionalize all code that uses tcpd.h behind `LIBWRAP` guard

This will allow the code to stand by itself without libwrap

MFC after: 2 weeks

Remove the 3rd clause ("advertising clause") of the BSD license as
permitted by the University of Berkeley on July 22, 1999.

Reviewed by: imp
MFC after: 1 week

Mark tftp_log() as __printflike() (which would have caught the bug
fixed in r246106) and deal with the fallout.

MFC after: 2 weeks

Check the return error of set[e][ug]id. While this can never fail in the
current version of FreeBSD, this isn't guarenteed by the API.
Custom security modules, or future implementations of the setuid and
setgid may fail.

Submitted by: Erik Cederstrand
Approved by: cperciva
MFC after: 3 days

Fix warnings found by -Wmising-variable-declarations.

This self-written compiler warning, which is hopefully going to be
committed into LLVM sources soon, warns about potentially missing
`static' keywords, similar to -Wmissing-prototypes.

- bin/pax: Move external declaration of chdname and s_mask into extern.h.
- bin/setfacl: Move setfacl.c-specific stuff out of setfacl.h.
- sbin/mount_fusefs: Remove char *progname; use getprogname().
- others: add `static' where possible.

A new jail(8) with a configuration file, to replace the work currently done
by /etc/rc.d/jail.

Remove the duplicate logging of failed read requests, whose error message
also was inappropriate as it triggered for every EACCESS and ENOTFOUND, not
just the case the -n option is intended to deal with and thus really spammed
us with ~20 messages in the default configuration when booting a diskless
FreeBSD client, introduced with r207608 again.

MFC after: 1 week

Make WARNS=6 clean.

MFC after: 1 week

Go ahead and merge the work edwin@ on tftpd into the tree. It is a
lot better than what's in the tree now. Edwin tested it at a prior
employer, but can't test it today. I've found that it works a lot
better with the various uboot versions that I've used in my embedded
work. Here's the pkg-descr from the port that describes the changes:

It all started when we got some new routers, which told me the
following when trying to upload configuration or download images
from it: The TFTP server doesn't support the blocksize option.

My curiousity was triggered, it took me some reading of RFCs and
other documentation to find out what was possible and what could
be done. Was plain TFTP very simple in its handshake, TFTP with
options was kind of messy because of its backwards capability: The
first packet returned could either be an acknowledgement of options,
or the first data packet.

Going through the source code of src/libexec/tftpd and going through
the code of src/usr.bin/tftp showed that there was a lot of duplicate
code, and the addition of options would only increase the amount
of duplicate code. After all, both the client and the server can
act as a sender and receiver.

At the end, it ended up with a nearly complete rewrite of the tftp
client and server. It has been tested against the following TFTP
clients and servers:

- Itself (yay!)
- The standard FreeBSD tftp client and server
- The Fedora Core 6 tftp client and server
- Cisco router tftp client
- Extreme Networks tftp client

It supports the following RFCs:

RFC1350 - THE TFTP PROTOCOL (REVISION 2)
RFC2347 - TFTP Option Extension
RFC2348 - TFTP Blocksize Option
RFC2349 - TFTP Timeout Interval and Transfer Size Options
RFC3617 - Uniform Resource Identifier (URI) Scheme and Applicability
Statement for the Trivial File Transfer Protocol (TFTP)

It supports the following unofficial TFTP Options as described at
http://www.compuphase.com/tftp.htm:

blksize2 - Block size restricted to powers of 2, excluding protocol headers
rollover - Block counter roll-over (roll back to zero or to one)

From the tftp program point of view the following things are changed:

- New commands: "blocksize", "blocksize2", "rollover" and "options"
- Development features: "debug" and "packetdrop"

If you try this tftp/tftpd implementation, please let me know if
it works (or doesn't work) and against which implementaion so I can
get a list of confirmed working systems.

Author: Edwin Groothuis <edwin@FreeBSD.org>

Create the altix project branch. The altix project will add support
for the SGI Altix 350 to FreeBSD/ia64. The hardware used for porting
is a two-module system, consisting of a base compute module and a
CPU expansion module. SGI's NUMAFlex architecture can be an excellent
platform to test CPU affinity and NUMA-aware features in FreeBSD.

- Import the HEAD csup code which is the basis for the cvsmode work.

Add the -W options, which acts the same as -w but will generate
unique names based on the submitted filename, a strftime(3) format
string and a two digit sequence number.

By default the strftime(3) format string is %Y%m%d (YYYYMMDD), but
this can be changed by the -F option.

PR: bin/106049 (based on patch in that PR)
Approved by: grog@ (mentor)

o Missed colon in getopt(3) argument makes tftpd(8) crash. Fix that.

PR: misc/81732
Submitted by: Denis Grudkin
MFC after: 2 weeks

NI_WITHSCOPEID cleanup. Neither RFC 2553 nor RFC 3493 defines
NI_WITHSCOPEID, and our getaddrinfo(3) does nothing special
for it, now.

- Use socklen_t.
- No need for 'fromlen' to have file scope.
- Remove an unused variable.

Instead of "OpenFirmware", "openfirmware", etc. use the official spelling
"Open Firmware" from IEEE 1275 and OpenFirmware.org (no pun intended).

Ok'ed by: tmm

The call to setuid(2) subsequently causes setgroups(2) to fail. setgroups(2)
requires super-user access in order to complete successfully.
Move setgroups(2) to execute before setuid(2) so that it is successful.

Call tzset() at startup.

Submitted by: Andrzej ToboÅa <ato@iem.pw.edu.pl>

o Reduce path names in RRQ and WRQ packets by:

Reducing "/+./" strings to "/"
Reducing "/[^/]+/../" to "/"

o Don't send an OACK when the result of the [RW]RQ is an error.

These changes allow tftpd to interact with pxelinux.bin from the syslinux
package.

Whilst the path reducing code doesn't properly handle situations where the
path component before the "/../" is a symlink to (say) ".", I would suggest
that it does the right thing in terms of the clients perception of what
their path string actually represents. This seems better than using
realpath() and breaking environments where symlinks point outside of the
directory hierarchy that tftpd is configured to allow.

- Close fd if fdopen(fd) fails.
- Format return () to resemble the one 5 lines up.

Add two new flags: -w, which allows new files to be created,
and -U, which allows the umask to be set.

Obtained from: Patton Electronics, Co.

Fix a bug which causes wrong filename being written into the syslog
in the case when client sends request with RFC2347 options.

Approved by: re
MFC After: 2 weeks

properly refuse a connection in the -c case if the client ip's subdirectory
does not exist.

PR: bin/38303
Submitted by: Woei-Luen, Shyu <m8535@cn.ee.ccu.edu.tw>
the committed patch differs from the submitted one, any inaccuracies are mine.

Clean up some warnings that don't result in a change in the object file:
Constness, missing prototypes, non-ansi prototypes, missing
initialisers, unnecessary declarations, shadowing.

Reviewed by: md5

Correct indent.

IPv6 support for tftp/tftpd.

Obtained from: KAME
MFC after: 2 weeks

Better handle the case with a network that drops packets by retrying
with a back off. This was discovered when Luigi sent me code to
handle this for Etherboot. The Etherboot patch worked okay but
FreeBSD's tftpd had trouble handling it and would fail to transfer
the file since it would abort on send and not retry.

Submitted by: luigi
MFC after: 1 week

o __P removal
o Use new-style prototypes and function definitions.
o Fix timeout and justquit to have proper signatures for signal
handlers. Mark the args as __unused.
o remove register

Change the failure mode in option parsing to silently bailing out of option
negotiation rather than rejecting the request.

Apple OpenFirmware 3.0f3 (the version in my iMac) adds trailing garbage to the
end of an otherwise valid request. Without this change, the requests were
rejected which prevented me from booting.

Reviewed by: obrien

When we set our UID to `nobody', set an appropriate group also.

Submitted by: peter

RFC2349 (http://www.hypermail.org/rfcs/rfc2349.html) adds support
for negotiation of timeout and file size to the tftp protocol. This
is required by some firmware like EFI boot managers (at least on
HP i2000 Itanium servers) in order to boot an image using tftp. The
attached patch implements the RFC, and in doing so also implements
RFC2347; a generic tftp option extension.

PR: 30710
Submitted by: Espen Skoglund <esk@ira.uka.de>

Fix tftpd and tftp to support file transfers of over 65535 blocks
(about 31 MB - 32 MB).

Submitted (partially)
by: Pascal Hofstee <daeron@wit401305.student.utwente.nl>

Add -c/C which chroots by IP of tftp client, (i.e. /tftproot/127.0.0.1/).

Allow tftpd to run as a specified user, not just `nobody'.
Update documentation to reflect new option. Also fix documentation
style and add missing references.

PR: 21268
Submitted by: "Aleksandr A. Babaylov" <babolo@links.ru>
Reviewed by: imp

$Id$ -> $FreeBSD$

Ensure that things returned by gethostname() and
friends are terminated and allow for a maximum
host name length of MAXHOSTNAMELEN - 1.
Put parenthesis around sizeof args.
Make some variables static.
Fix telnetd -u (broken by my last commit)

Prompted by: bde

Use realhostname() rather than various combinations of
gethostbyaddr() & gethostbyname().

Remove brokeness in ftpd for hosts of MAXHOSTNAMELEN length.

Rename a function name so that it doesn't conflict with a future system call.

openlog() needs to have LOG_NDELAY added, or else the syslog() calls after
the chroot will not get sent to syslogd.

PR: 4910
Reviewed by: phk
Submitted by: Jim Mercer <jim@komodo.reptiles.org>

Use full path in synopsis. Syslog will add trailing \n.

compare return value from getopt against -1 rather than EOF, per the final
posix standard on the topic.

Fix non explloitable buffer overflows (since the largest packet processed
precludes it) to keep people from whining about it in the newsgroups and
mailing lists.

Revert $FreeBSD$ to $Id$

Make the long-awaited change from $Id$ to $FreeBSD$

This will make a number of things easier in the future, as well as (finally!)
avoiding the Id-smashing problem which has plagued developers for so long.

Boy, I'm glad we're not using sup anymore. This update would have been
insane otherwise.

Truncate the file when opening it with write intent. Otherwise,
there's a good chance that garbage will remain at the end.

Closes PR # bin/2112: tftpd doesn't truncate ...

Reviewed by: fenner

add forgotten $Id$

Reviewed by: Bill Fenner <fennder@parc.xerox.com>
Reviewed by: Garrett Wollman <wollman@freebsd.org>
Submitted by: Warner Losh <imp@village.org>
Close PR bin/1145:
Add -s flag to tftpd. This enables the so-called secure mode
of tftpd where it chroots to a given directory before allowing access
to the files. In addition, it runs as nobody when in this mode.
Reviewed a long time ago by Bill and Garrett. Apply my patch from the
pr, and close the PR.

I think the security check to invalidate ALL write requests was just a little
excessive, and violates the specification defined in the manpage to boot.

BSD 4.4 Lite Libexec Sources