1 /* dnsmasq is Copyright (c) 2000-2016 Simon Kelley
3 This program is free software; you can redistribute it and/or modify
4 it under the terms of the GNU General Public License as published by
5 the Free Software Foundation; version 2 dated June, 1991, or
6 (at your option) version 3 dated 29 June, 2007.
8 This program is distributed in the hope that it will be useful,
9 but WITHOUT ANY WARRANTY; without even the implied warranty of
10 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
11 GNU General Public License for more details.
13 You should have received a copy of the GNU General Public License
14 along with this program. If not, see <http://www.gnu.org/licenses/>.
21 static struct tftp_file
*check_tftp_fileperm(ssize_t
*len
, char *prefix
);
22 static void free_transfer(struct tftp_transfer
*transfer
);
23 static ssize_t
tftp_err(int err
, char *packet
, char *mess
, char *file
);
24 static ssize_t
tftp_err_oops(char *packet
, char *file
);
25 static ssize_t
get_block(char *packet
, struct tftp_transfer
*transfer
);
26 static char *next(char **p
, char *end
);
27 static void sanitise(char *buf
);
42 void tftp_request(struct listener
*listen
, time_t now
)
45 char *packet
= daemon
->packet
;
46 char *filename
, *mode
, *p
, *end
, *opt
;
47 union mysockaddr addr
, peer
;
51 int is_err
= 1, if_index
= 0, mtu
= 0;
53 struct tftp_transfer
*transfer
;
54 int port
= daemon
->start_tftp_port
; /* may be zero to use ephemeral port */
55 #if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
56 int mtuflag
= IP_PMTUDISC_DONT
;
58 char namebuff
[IF_NAMESIZE
];
60 char *prefix
= daemon
->tftp_prefix
;
61 struct tftp_prefix
*pref
;
62 struct all_addr addra
;
64 /* Can always get recvd interface for IPv6 */
65 int check_dest
= !option_bool(OPT_NOWILD
) || listen
->family
== AF_INET6
;
67 int check_dest
= !option_bool(OPT_NOWILD
);
70 struct cmsghdr align
; /* this ensures alignment */
72 char control6
[CMSG_SPACE(sizeof(struct in6_pktinfo
))];
74 #if defined(HAVE_LINUX_NETWORK)
75 char control
[CMSG_SPACE(sizeof(struct in_pktinfo
))];
76 #elif defined(HAVE_SOLARIS_NETWORK)
77 char control
[CMSG_SPACE(sizeof(unsigned int))];
78 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
79 char control
[CMSG_SPACE(sizeof(struct sockaddr_dl
))];
83 msg
.msg_controllen
= sizeof(control_u
);
84 msg
.msg_control
= control_u
.control
;
87 msg
.msg_namelen
= sizeof(peer
);
91 iov
.iov_base
= packet
;
92 iov
.iov_len
= daemon
->packet_buff_sz
;
94 /* we overwrote the buffer... */
95 daemon
->srv_save
= NULL
;
97 if ((len
= recvmsg(listen
->tftpfd
, &msg
, 0)) < 2)
100 /* Can always get recvd interface for IPv6 */
105 addr
= listen
->iface
->addr
;
106 name
= listen
->iface
->name
;
107 mtu
= listen
->iface
->mtu
;
108 if (daemon
->tftp_mtu
!= 0 && daemon
->tftp_mtu
< mtu
)
109 mtu
= daemon
->tftp_mtu
;
113 /* we're listening on an address that doesn't appear on an interface,
114 ask the kernel what the socket is bound to */
115 socklen_t tcp_len
= sizeof(union mysockaddr
);
116 if (getsockname(listen
->tftpfd
, (struct sockaddr
*)&addr
, &tcp_len
) == -1)
122 struct cmsghdr
*cmptr
;
124 if (msg
.msg_controllen
< sizeof(struct cmsghdr
))
127 addr
.sa
.sa_family
= listen
->family
;
129 #if defined(HAVE_LINUX_NETWORK)
130 if (listen
->family
== AF_INET
)
131 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
132 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_PKTINFO
)
136 struct in_pktinfo
*p
;
138 p
.c
= CMSG_DATA(cmptr
);
139 addr
.in
.sin_addr
= p
.p
->ipi_spec_dst
;
140 if_index
= p
.p
->ipi_ifindex
;
143 #elif defined(HAVE_SOLARIS_NETWORK)
144 if (listen
->family
== AF_INET
)
145 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
152 p
.c
= CMSG_DATA(cmptr
);
153 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
154 addr
.in
.sin_addr
= *(p
.a
);
155 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
159 #elif defined(IP_RECVDSTADDR) && defined(IP_RECVIF)
160 if (listen
->family
== AF_INET
)
161 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
166 struct sockaddr_dl
*s
;
168 p
.c
= CMSG_DATA(cmptr
);
169 if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVDSTADDR
)
170 addr
.in
.sin_addr
= *(p
.a
);
171 else if (cmptr
->cmsg_level
== IPPROTO_IP
&& cmptr
->cmsg_type
== IP_RECVIF
)
172 if_index
= p
.s
->sdl_index
;
178 if (listen
->family
== AF_INET6
)
180 for (cmptr
= CMSG_FIRSTHDR(&msg
); cmptr
; cmptr
= CMSG_NXTHDR(&msg
, cmptr
))
181 if (cmptr
->cmsg_level
== IPPROTO_IPV6
&& cmptr
->cmsg_type
== daemon
->v6pktinfo
)
185 struct in6_pktinfo
*p
;
187 p
.c
= CMSG_DATA(cmptr
);
189 addr
.in6
.sin6_addr
= p
.p
->ipi6_addr
;
190 if_index
= p
.p
->ipi6_ifindex
;
195 if (!indextoname(listen
->tftpfd
, if_index
, namebuff
))
200 addra
.addr
.addr4
= addr
.in
.sin_addr
;
203 if (listen
->family
== AF_INET6
)
204 addra
.addr
.addr6
= addr
.in6
.sin6_addr
;
207 if (daemon
->tftp_interfaces
)
209 /* dedicated tftp interface list */
210 for (tmp
= daemon
->tftp_interfaces
; tmp
; tmp
= tmp
->next
)
211 if (tmp
->name
&& wildcard_match(tmp
->name
, name
))
219 /* Do the same as DHCP */
220 if (!iface_check(listen
->family
, &addra
, name
, NULL
))
222 if (!option_bool(OPT_CLEVERBIND
))
223 enumerate_interfaces(0);
224 if (!loopback_exception(listen
->tftpfd
, listen
->family
, &addra
, name
) &&
225 !label_exception(if_index
, listen
->family
, &addra
) )
230 /* allowed interfaces are the same as for DHCP */
231 for (tmp
= daemon
->dhcp_except
; tmp
; tmp
= tmp
->next
)
232 if (tmp
->name
&& wildcard_match(tmp
->name
, name
))
237 strncpy(ifr
.ifr_name
, name
, IF_NAMESIZE
);
238 if (ioctl(listen
->tftpfd
, SIOCGIFMTU
, &ifr
) != -1)
241 if (daemon
->tftp_mtu
!= 0 && daemon
->tftp_mtu
< mtu
)
242 mtu
= daemon
->tftp_mtu
;
246 /* Failed to get interface mtu - can use configured value. */
248 mtu
= daemon
->tftp_mtu
;
252 /* check for per-interface prefix */
253 for (pref
= daemon
->if_prefix
; pref
; pref
= pref
->next
)
254 if (strcmp(pref
->interface
, name
) == 0)
255 prefix
= pref
->prefix
;
258 if (listen
->family
== AF_INET
)
260 addr
.in
.sin_port
= htons(port
);
261 #ifdef HAVE_SOCKADDR_SA_LEN
262 addr
.in
.sin_len
= sizeof(addr
.in
);
268 addr
.in6
.sin6_port
= htons(port
);
269 addr
.in6
.sin6_flowinfo
= 0;
270 addr
.in6
.sin6_scope_id
= 0;
271 #ifdef HAVE_SOCKADDR_SA_LEN
272 addr
.in6
.sin6_len
= sizeof(addr
.in6
);
277 if (!(transfer
= whine_malloc(sizeof(struct tftp_transfer
))))
280 if ((transfer
->sockfd
= socket(listen
->family
, SOCK_DGRAM
, 0)) == -1)
286 transfer
->peer
= peer
;
287 transfer
->timeout
= now
+ 2;
288 transfer
->backoff
= 1;
290 transfer
->blocksize
= 512;
291 transfer
->offset
= 0;
292 transfer
->file
= NULL
;
293 transfer
->opt_blocksize
= transfer
->opt_transize
= 0;
294 transfer
->netascii
= transfer
->carrylf
= 0;
296 prettyprint_addr(&peer
, daemon
->addrbuff
);
298 /* if we have a nailed-down range, iterate until we find a free one. */
301 if (bind(transfer
->sockfd
, &addr
.sa
, sa_len(&addr
)) == -1 ||
302 #if defined(IP_MTU_DISCOVER) && defined(IP_PMTUDISC_DONT)
303 setsockopt(transfer
->sockfd
, IPPROTO_IP
, IP_MTU_DISCOVER
, &mtuflag
, sizeof(mtuflag
)) == -1 ||
305 !fix_fd(transfer
->sockfd
))
307 if (errno
== EADDRINUSE
&& daemon
->start_tftp_port
!= 0)
309 if (++port
<= daemon
->end_tftp_port
)
311 if (listen
->family
== AF_INET
)
312 addr
.in
.sin_port
= htons(port
);
315 addr
.in6
.sin6_port
= htons(port
);
319 my_syslog(MS_TFTP
| LOG_ERR
, _("unable to get free port for TFTP"));
321 free_transfer(transfer
);
330 if (ntohs(*((unsigned short *)packet
)) != OP_RRQ
||
331 !(filename
= next(&p
, end
)) ||
332 !(mode
= next(&p
, end
)) ||
333 (strcasecmp(mode
, "octet") != 0 && strcasecmp(mode
, "netascii") != 0))
335 len
= tftp_err(ERR_ILL
, packet
, _("unsupported request from %s"), daemon
->addrbuff
);
340 if (strcasecmp(mode
, "netascii") == 0)
341 transfer
->netascii
= 1;
343 while ((opt
= next(&p
, end
)))
345 if (strcasecmp(opt
, "blksize") == 0)
347 if ((opt
= next(&p
, end
)) && !option_bool(OPT_TFTP_NOBLOCK
))
349 /* 32 bytes for IP, UDP and TFTP headers, 52 bytes for IPv6 */
350 int overhead
= (listen
->family
== AF_INET
) ? 32 : 52;
351 transfer
->blocksize
= atoi(opt
);
352 if (transfer
->blocksize
< 1)
353 transfer
->blocksize
= 1;
354 if (transfer
->blocksize
> (unsigned)daemon
->packet_buff_sz
- 4)
355 transfer
->blocksize
= (unsigned)daemon
->packet_buff_sz
- 4;
356 if (mtu
!= 0 && transfer
->blocksize
> (unsigned)mtu
- overhead
)
357 transfer
->blocksize
= (unsigned)mtu
- overhead
;
358 transfer
->opt_blocksize
= 1;
362 else if (strcasecmp(opt
, "tsize") == 0 && next(&p
, end
) && !transfer
->netascii
)
364 transfer
->opt_transize
= 1;
369 /* cope with backslashes from windows boxen. */
370 for (p
= filename
; *p
; p
++)
373 else if (option_bool(OPT_TFTP_LC
))
376 strcpy(daemon
->namebuff
, "/");
379 if (prefix
[0] == '/')
380 daemon
->namebuff
[0] = 0;
381 strncat(daemon
->namebuff
, prefix
, (MAXDNAME
-1) - strlen(daemon
->namebuff
));
382 if (prefix
[strlen(prefix
)-1] != '/')
383 strncat(daemon
->namebuff
, "/", (MAXDNAME
-1) - strlen(daemon
->namebuff
));
385 if (option_bool(OPT_TFTP_APREF
))
387 size_t oldlen
= strlen(daemon
->namebuff
);
390 strncat(daemon
->namebuff
, daemon
->addrbuff
, (MAXDNAME
-1) - strlen(daemon
->namebuff
));
391 strncat(daemon
->namebuff
, "/", (MAXDNAME
-1) - strlen(daemon
->namebuff
));
393 /* remove unique-directory if it doesn't exist */
394 if (stat(daemon
->namebuff
, &statbuf
) == -1 || !S_ISDIR(statbuf
.st_mode
))
395 daemon
->namebuff
[oldlen
] = 0;
398 /* Absolute pathnames OK if they match prefix */
399 if (filename
[0] == '/')
401 if (strstr(filename
, daemon
->namebuff
) == filename
)
402 daemon
->namebuff
[0] = 0;
407 else if (filename
[0] == '/')
408 daemon
->namebuff
[0] = 0;
409 strncat(daemon
->namebuff
, filename
, (MAXDNAME
-1) - strlen(daemon
->namebuff
));
411 /* check permissions and open file */
412 if ((transfer
->file
= check_tftp_fileperm(&len
, prefix
)))
414 if ((len
= get_block(packet
, transfer
)) == -1)
415 len
= tftp_err_oops(packet
, daemon
->namebuff
);
421 while (sendto(transfer
->sockfd
, packet
, len
, 0,
422 (struct sockaddr
*)&peer
, sa_len(&peer
)) == -1 && errno
== EINTR
);
425 free_transfer(transfer
);
428 transfer
->next
= daemon
->tftp_trans
;
429 daemon
->tftp_trans
= transfer
;
433 static struct tftp_file
*check_tftp_fileperm(ssize_t
*len
, char *prefix
)
435 char *packet
= daemon
->packet
, *namebuff
= daemon
->namebuff
;
436 struct tftp_file
*file
;
437 struct tftp_transfer
*t
;
438 uid_t uid
= geteuid();
442 /* trick to ban moving out of the subtree */
443 if (prefix
&& strstr(namebuff
, "/../"))
446 if ((fd
= open(namebuff
, O_RDONLY
)) == -1)
450 *len
= tftp_err(ERR_FNF
, packet
, _("file %s not found"), namebuff
);
453 else if (errno
== EACCES
)
459 /* stat the file descriptor to avoid stat->open races */
460 if (fstat(fd
, &statbuf
) == -1)
463 /* running as root, must be world-readable */
466 if (!(statbuf
.st_mode
& S_IROTH
))
469 /* in secure mode, must be owned by user running dnsmasq */
470 else if (option_bool(OPT_TFTP_SECURE
) && uid
!= statbuf
.st_uid
)
473 /* If we're doing many tranfers from the same file, only
474 open it once this saves lots of file descriptors
475 when mass-booting a big cluster, for instance.
476 Be conservative and only share when inode and name match
477 this keeps error messages sane. */
478 for (t
= daemon
->tftp_trans
; t
; t
= t
->next
)
479 if (t
->file
->dev
== statbuf
.st_dev
&&
480 t
->file
->inode
== statbuf
.st_ino
&&
481 strcmp(t
->file
->filename
, namebuff
) == 0)
488 if (!(file
= whine_malloc(sizeof(struct tftp_file
) + strlen(namebuff
) + 1)))
495 file
->size
= statbuf
.st_size
;
496 file
->dev
= statbuf
.st_dev
;
497 file
->inode
= statbuf
.st_ino
;
499 strcpy(file
->filename
, namebuff
);
504 *len
= tftp_err(ERR_PERM
, packet
, _("cannot access %s: %s"), namebuff
);
510 *len
= tftp_err_oops(packet
, namebuff
);
516 void check_tftp_listeners(time_t now
)
518 struct tftp_transfer
*transfer
, *tmp
, **up
;
522 unsigned short op
, block
;
523 } *mess
= (struct ack
*)daemon
->packet
;
525 /* Check for activity on any existing transfers */
526 for (transfer
= daemon
->tftp_trans
, up
= &daemon
->tftp_trans
; transfer
; transfer
= tmp
)
528 tmp
= transfer
->next
;
530 prettyprint_addr(&transfer
->peer
, daemon
->addrbuff
);
532 if (poll_check(transfer
->sockfd
, POLLIN
))
534 /* we overwrote the buffer... */
535 daemon
->srv_save
= NULL
;
537 if ((len
= recv(transfer
->sockfd
, daemon
->packet
, daemon
->packet_buff_sz
, 0)) >= (ssize_t
)sizeof(struct ack
))
539 if (ntohs(mess
->op
) == OP_ACK
&& ntohs(mess
->block
) == (unsigned short)transfer
->block
)
541 /* Got ack, ensure we take the (re)transmit path */
542 transfer
->timeout
= now
;
543 transfer
->backoff
= 0;
544 if (transfer
->block
++ != 0)
545 transfer
->offset
+= transfer
->blocksize
- transfer
->expansion
;
547 else if (ntohs(mess
->op
) == OP_ERR
)
549 char *p
= daemon
->packet
+ sizeof(struct ack
);
550 char *end
= daemon
->packet
+ len
;
551 char *err
= next(&p
, end
);
553 /* Sanitise error message */
559 my_syslog(MS_TFTP
| LOG_ERR
, _("error %d %s received from %s"),
560 (int)ntohs(mess
->block
), err
,
563 /* Got err, ensure we take abort */
564 transfer
->timeout
= now
;
565 transfer
->backoff
= 100;
570 if (difftime(now
, transfer
->timeout
) >= 0.0)
574 /* timeout, retransmit */
575 transfer
->timeout
+= 1 + (1<<transfer
->backoff
);
577 /* we overwrote the buffer... */
578 daemon
->srv_save
= NULL
;
580 if ((len
= get_block(daemon
->packet
, transfer
)) == -1)
582 len
= tftp_err_oops(daemon
->packet
, transfer
->file
->filename
);
585 /* don't complain about timeout when we're awaiting the last
586 ACK, some clients never send it */
587 else if (++transfer
->backoff
> 7 && len
!= 0)
594 while(sendto(transfer
->sockfd
, daemon
->packet
, len
, 0,
595 (struct sockaddr
*)&transfer
->peer
, sa_len(&transfer
->peer
)) == -1 && errno
== EINTR
);
597 if (endcon
|| len
== 0)
599 strcpy(daemon
->namebuff
, transfer
->file
->filename
);
600 sanitise(daemon
->namebuff
);
601 my_syslog(MS_TFTP
| LOG_INFO
, endcon
? _("failed sending %s to %s") : _("sent %s to %s"), daemon
->namebuff
, daemon
->addrbuff
);
605 free_transfer(transfer
);
608 /* put on queue to be sent to script and deleted */
609 transfer
->next
= daemon
->tftp_done_trans
;
610 daemon
->tftp_done_trans
= transfer
;
616 up
= &transfer
->next
;
620 static void free_transfer(struct tftp_transfer
*transfer
)
622 close(transfer
->sockfd
);
623 if (transfer
->file
&& (--transfer
->file
->refcount
) == 0)
625 close(transfer
->file
->fd
);
626 free(transfer
->file
);
631 static char *next(char **p
, char *end
)
638 (len
= strlen(ret
)) == 0)
645 static void sanitise(char *buf
)
647 unsigned char *q
, *r
;
648 for (q
= r
= (unsigned char *)buf
; *r
; r
++)
649 if (isprint((int)*r
))
655 static ssize_t
tftp_err(int err
, char *packet
, char *message
, char *file
)
658 unsigned short op
, err
;
660 } *mess
= (struct errmess
*)packet
;
662 char *errstr
= strerror(errno
);
666 mess
->op
= htons(OP_ERR
);
667 mess
->err
= htons(err
);
668 ret
+= (snprintf(mess
->message
, 500, message
, file
, errstr
) + 1);
669 my_syslog(MS_TFTP
| LOG_ERR
, "%s", mess
->message
);
674 static ssize_t
tftp_err_oops(char *packet
, char *file
)
676 /* May have >1 refs to file, so potentially mangle a copy of the name */
677 strcpy(daemon
->namebuff
, file
);
678 return tftp_err(ERR_NOTDEF
, packet
, _("cannot read %s: %s"), daemon
->namebuff
);
681 /* return -1 for error, zero for done. */
682 static ssize_t
get_block(char *packet
, struct tftp_transfer
*transfer
)
684 if (transfer
->block
== 0)
691 } *mess
= (struct oackmess
*)packet
;
694 mess
->op
= htons(OP_OACK
);
695 if (transfer
->opt_blocksize
)
697 p
+= (sprintf(p
, "blksize") + 1);
698 p
+= (sprintf(p
, "%d", transfer
->blocksize
) + 1);
700 if (transfer
->opt_transize
)
702 p
+= (sprintf(p
,"tsize") + 1);
703 p
+= (sprintf(p
, "%u", (unsigned int)transfer
->file
->size
) + 1);
710 /* send data packet */
712 unsigned short op
, block
;
713 unsigned char data
[];
714 } *mess
= (struct datamess
*)packet
;
716 size_t size
= transfer
->file
->size
- transfer
->offset
;
718 if (transfer
->offset
> transfer
->file
->size
)
719 return 0; /* finished */
721 if (size
> transfer
->blocksize
)
722 size
= transfer
->blocksize
;
724 mess
->op
= htons(OP_DATA
);
725 mess
->block
= htons((unsigned short)(transfer
->block
));
727 if (lseek(transfer
->file
->fd
, transfer
->offset
, SEEK_SET
) == (off_t
)-1 ||
728 !read_write(transfer
->file
->fd
, mess
->data
, size
, 1))
731 transfer
->expansion
= 0;
733 /* Map '\n' to CR-LF in netascii mode */
734 if (transfer
->netascii
)
739 for (i
= 0, newcarrylf
= 0; i
< size
; i
++)
740 if (mess
->data
[i
] == '\n' && ( i
!= 0 || !transfer
->carrylf
))
742 transfer
->expansion
++;
744 if (size
!= transfer
->blocksize
)
745 size
++; /* room in this block */
746 else if (i
== size
- 1)
747 newcarrylf
= 1; /* don't expand LF again if it moves to the next block */
749 /* make space and insert CR */
750 memmove(&mess
->data
[i
+1], &mess
->data
[i
], size
- (i
+ 1));
751 mess
->data
[i
] = '\r';
755 transfer
->carrylf
= newcarrylf
;
764 int do_tftp_script_run(void)
766 struct tftp_transfer
*transfer
;
768 if ((transfer
= daemon
->tftp_done_trans
))
770 daemon
->tftp_done_trans
= transfer
->next
;
772 queue_tftp(transfer
->file
->size
, transfer
->file
->filename
, &transfer
->peer
);
774 free_transfer(transfer
);