|
1 /* |
|
2 * tftp.c - a simple, read-only tftp server for qemu |
|
3 * |
|
4 * Copyright (c) 2004 Magnus Damm <damm@opensource.se> |
|
5 * |
|
6 * Permission is hereby granted, free of charge, to any person obtaining a copy |
|
7 * of this software and associated documentation files (the "Software"), to deal |
|
8 * in the Software without restriction, including without limitation the rights |
|
9 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell |
|
10 * copies of the Software, and to permit persons to whom the Software is |
|
11 * furnished to do so, subject to the following conditions: |
|
12 * |
|
13 * The above copyright notice and this permission notice shall be included in |
|
14 * all copies or substantial portions of the Software. |
|
15 * |
|
16 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR |
|
17 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, |
|
18 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL |
|
19 * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER |
|
20 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, |
|
21 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN |
|
22 * THE SOFTWARE. |
|
23 */ |
|
24 |
|
25 #include <slirp.h> |
|
26 #include "qemu-common.h" // for pstrcpy |
|
27 |
|
28 struct tftp_session { |
|
29 int in_use; |
|
30 unsigned char filename[TFTP_FILENAME_MAX]; |
|
31 |
|
32 struct in_addr client_ip; |
|
33 u_int16_t client_port; |
|
34 |
|
35 int timestamp; |
|
36 }; |
|
37 |
|
38 static struct tftp_session tftp_sessions[TFTP_SESSIONS_MAX]; |
|
39 |
|
40 const char *tftp_prefix; |
|
41 |
|
42 static void tftp_session_update(struct tftp_session *spt) |
|
43 { |
|
44 spt->timestamp = curtime; |
|
45 spt->in_use = 1; |
|
46 } |
|
47 |
|
48 static void tftp_session_terminate(struct tftp_session *spt) |
|
49 { |
|
50 spt->in_use = 0; |
|
51 } |
|
52 |
|
53 static int tftp_session_allocate(struct tftp_t *tp) |
|
54 { |
|
55 struct tftp_session *spt; |
|
56 int k; |
|
57 |
|
58 for (k = 0; k < TFTP_SESSIONS_MAX; k++) { |
|
59 spt = &tftp_sessions[k]; |
|
60 |
|
61 if (!spt->in_use) |
|
62 goto found; |
|
63 |
|
64 /* sessions time out after 5 inactive seconds */ |
|
65 if ((int)(curtime - spt->timestamp) > 5000) |
|
66 goto found; |
|
67 } |
|
68 |
|
69 return -1; |
|
70 |
|
71 found: |
|
72 memset(spt, 0, sizeof(*spt)); |
|
73 memcpy(&spt->client_ip, &tp->ip.ip_src, sizeof(spt->client_ip)); |
|
74 spt->client_port = tp->udp.uh_sport; |
|
75 |
|
76 tftp_session_update(spt); |
|
77 |
|
78 return k; |
|
79 } |
|
80 |
|
81 static int tftp_session_find(struct tftp_t *tp) |
|
82 { |
|
83 struct tftp_session *spt; |
|
84 int k; |
|
85 |
|
86 for (k = 0; k < TFTP_SESSIONS_MAX; k++) { |
|
87 spt = &tftp_sessions[k]; |
|
88 |
|
89 if (spt->in_use) { |
|
90 if (!memcmp(&spt->client_ip, &tp->ip.ip_src, sizeof(spt->client_ip))) { |
|
91 if (spt->client_port == tp->udp.uh_sport) { |
|
92 return k; |
|
93 } |
|
94 } |
|
95 } |
|
96 } |
|
97 |
|
98 return -1; |
|
99 } |
|
100 |
|
101 static int tftp_read_data(struct tftp_session *spt, u_int16_t block_nr, |
|
102 u_int8_t *buf, int len) |
|
103 { |
|
104 int fd; |
|
105 int bytes_read = 0; |
|
106 char buffer[1024]; |
|
107 int n; |
|
108 |
|
109 n = snprintf(buffer, sizeof(buffer), "%s/%s", |
|
110 tftp_prefix, spt->filename); |
|
111 if (n >= sizeof(buffer)) |
|
112 return -1; |
|
113 |
|
114 fd = open(buffer, O_RDONLY | O_BINARY); |
|
115 |
|
116 if (fd < 0) { |
|
117 return -1; |
|
118 } |
|
119 |
|
120 if (len) { |
|
121 lseek(fd, block_nr * 512, SEEK_SET); |
|
122 |
|
123 bytes_read = read(fd, buf, len); |
|
124 } |
|
125 |
|
126 close(fd); |
|
127 |
|
128 return bytes_read; |
|
129 } |
|
130 |
|
131 static int tftp_send_oack(struct tftp_session *spt, |
|
132 const char *key, uint32_t value, |
|
133 struct tftp_t *recv_tp) |
|
134 { |
|
135 struct sockaddr_in saddr, daddr; |
|
136 struct mbuf *m; |
|
137 struct tftp_t *tp; |
|
138 int n = 0; |
|
139 |
|
140 m = m_get(); |
|
141 |
|
142 if (!m) |
|
143 return -1; |
|
144 |
|
145 memset(m->m_data, 0, m->m_size); |
|
146 |
|
147 m->m_data += IF_MAXLINKHDR; |
|
148 tp = (void *)m->m_data; |
|
149 m->m_data += sizeof(struct udpiphdr); |
|
150 |
|
151 tp->tp_op = htons(TFTP_OACK); |
|
152 n += snprintf((char *)tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%s", |
|
153 key) + 1; |
|
154 n += snprintf((char *)tp->x.tp_buf + n, sizeof(tp->x.tp_buf) - n, "%u", |
|
155 value) + 1; |
|
156 |
|
157 saddr.sin_addr = recv_tp->ip.ip_dst; |
|
158 saddr.sin_port = recv_tp->udp.uh_dport; |
|
159 |
|
160 daddr.sin_addr = spt->client_ip; |
|
161 daddr.sin_port = spt->client_port; |
|
162 |
|
163 m->m_len = sizeof(struct tftp_t) - 514 + n - |
|
164 sizeof(struct ip) - sizeof(struct udphdr); |
|
165 udp_output2(NULL, m, &saddr, &daddr, IPTOS_LOWDELAY); |
|
166 |
|
167 return 0; |
|
168 } |
|
169 |
|
170 |
|
171 |
|
172 static int tftp_send_error(struct tftp_session *spt, |
|
173 u_int16_t errorcode, const char *msg, |
|
174 struct tftp_t *recv_tp) |
|
175 { |
|
176 struct sockaddr_in saddr, daddr; |
|
177 struct mbuf *m; |
|
178 struct tftp_t *tp; |
|
179 int nobytes; |
|
180 |
|
181 m = m_get(); |
|
182 |
|
183 if (!m) { |
|
184 return -1; |
|
185 } |
|
186 |
|
187 memset(m->m_data, 0, m->m_size); |
|
188 |
|
189 m->m_data += IF_MAXLINKHDR; |
|
190 tp = (void *)m->m_data; |
|
191 m->m_data += sizeof(struct udpiphdr); |
|
192 |
|
193 tp->tp_op = htons(TFTP_ERROR); |
|
194 tp->x.tp_error.tp_error_code = htons(errorcode); |
|
195 pstrcpy((char *)tp->x.tp_error.tp_msg, sizeof(tp->x.tp_error.tp_msg), msg); |
|
196 |
|
197 saddr.sin_addr = recv_tp->ip.ip_dst; |
|
198 saddr.sin_port = recv_tp->udp.uh_dport; |
|
199 |
|
200 daddr.sin_addr = spt->client_ip; |
|
201 daddr.sin_port = spt->client_port; |
|
202 |
|
203 nobytes = 2; |
|
204 |
|
205 m->m_len = sizeof(struct tftp_t) - 514 + 3 + strlen(msg) - |
|
206 sizeof(struct ip) - sizeof(struct udphdr); |
|
207 |
|
208 udp_output2(NULL, m, &saddr, &daddr, IPTOS_LOWDELAY); |
|
209 |
|
210 tftp_session_terminate(spt); |
|
211 |
|
212 return 0; |
|
213 } |
|
214 |
|
215 static int tftp_send_data(struct tftp_session *spt, |
|
216 u_int16_t block_nr, |
|
217 struct tftp_t *recv_tp) |
|
218 { |
|
219 struct sockaddr_in saddr, daddr; |
|
220 struct mbuf *m; |
|
221 struct tftp_t *tp; |
|
222 int nobytes; |
|
223 |
|
224 if (block_nr < 1) { |
|
225 return -1; |
|
226 } |
|
227 |
|
228 m = m_get(); |
|
229 |
|
230 if (!m) { |
|
231 return -1; |
|
232 } |
|
233 |
|
234 memset(m->m_data, 0, m->m_size); |
|
235 |
|
236 m->m_data += IF_MAXLINKHDR; |
|
237 tp = (void *)m->m_data; |
|
238 m->m_data += sizeof(struct udpiphdr); |
|
239 |
|
240 tp->tp_op = htons(TFTP_DATA); |
|
241 tp->x.tp_data.tp_block_nr = htons(block_nr); |
|
242 |
|
243 saddr.sin_addr = recv_tp->ip.ip_dst; |
|
244 saddr.sin_port = recv_tp->udp.uh_dport; |
|
245 |
|
246 daddr.sin_addr = spt->client_ip; |
|
247 daddr.sin_port = spt->client_port; |
|
248 |
|
249 nobytes = tftp_read_data(spt, block_nr - 1, tp->x.tp_data.tp_buf, 512); |
|
250 |
|
251 if (nobytes < 0) { |
|
252 m_free(m); |
|
253 |
|
254 /* send "file not found" error back */ |
|
255 |
|
256 tftp_send_error(spt, 1, "File not found", tp); |
|
257 |
|
258 return -1; |
|
259 } |
|
260 |
|
261 m->m_len = sizeof(struct tftp_t) - (512 - nobytes) - |
|
262 sizeof(struct ip) - sizeof(struct udphdr); |
|
263 |
|
264 udp_output2(NULL, m, &saddr, &daddr, IPTOS_LOWDELAY); |
|
265 |
|
266 if (nobytes == 512) { |
|
267 tftp_session_update(spt); |
|
268 } |
|
269 else { |
|
270 tftp_session_terminate(spt); |
|
271 } |
|
272 |
|
273 return 0; |
|
274 } |
|
275 |
|
276 static void tftp_handle_rrq(struct tftp_t *tp, int pktlen) |
|
277 { |
|
278 struct tftp_session *spt; |
|
279 int s, k, n; |
|
280 u_int8_t *src, *dst; |
|
281 |
|
282 s = tftp_session_allocate(tp); |
|
283 |
|
284 if (s < 0) { |
|
285 return; |
|
286 } |
|
287 |
|
288 spt = &tftp_sessions[s]; |
|
289 |
|
290 src = tp->x.tp_buf; |
|
291 dst = spt->filename; |
|
292 n = pktlen - ((uint8_t *)&tp->x.tp_buf[0] - (uint8_t *)tp); |
|
293 |
|
294 /* get name */ |
|
295 |
|
296 for (k = 0; k < n; k++) { |
|
297 if (k < TFTP_FILENAME_MAX) { |
|
298 dst[k] = src[k]; |
|
299 } |
|
300 else { |
|
301 return; |
|
302 } |
|
303 |
|
304 if (src[k] == '\0') { |
|
305 break; |
|
306 } |
|
307 } |
|
308 |
|
309 if (k >= n) { |
|
310 return; |
|
311 } |
|
312 |
|
313 k++; |
|
314 |
|
315 /* check mode */ |
|
316 if ((n - k) < 6) { |
|
317 return; |
|
318 } |
|
319 |
|
320 if (memcmp(&src[k], "octet\0", 6) != 0) { |
|
321 tftp_send_error(spt, 4, "Unsupported transfer mode", tp); |
|
322 return; |
|
323 } |
|
324 |
|
325 k += 6; /* skipping octet */ |
|
326 |
|
327 /* do sanity checks on the filename */ |
|
328 |
|
329 if ((spt->filename[0] != '/') |
|
330 || (spt->filename[strlen((char *)spt->filename) - 1] == '/') |
|
331 || strstr((char *)spt->filename, "/../")) { |
|
332 tftp_send_error(spt, 2, "Access violation", tp); |
|
333 return; |
|
334 } |
|
335 |
|
336 /* only allow exported prefixes */ |
|
337 |
|
338 if (!tftp_prefix) { |
|
339 tftp_send_error(spt, 2, "Access violation", tp); |
|
340 return; |
|
341 } |
|
342 |
|
343 /* check if the file exists */ |
|
344 |
|
345 if (tftp_read_data(spt, 0, spt->filename, 0) < 0) { |
|
346 tftp_send_error(spt, 1, "File not found", tp); |
|
347 return; |
|
348 } |
|
349 |
|
350 if (src[n - 1] != 0) { |
|
351 tftp_send_error(spt, 2, "Access violation", tp); |
|
352 return; |
|
353 } |
|
354 |
|
355 while (k < n) { |
|
356 const char *key, *value; |
|
357 |
|
358 key = (char *)src + k; |
|
359 k += strlen(key) + 1; |
|
360 |
|
361 if (k >= n) { |
|
362 tftp_send_error(spt, 2, "Access violation", tp); |
|
363 return; |
|
364 } |
|
365 |
|
366 value = (char *)src + k; |
|
367 k += strlen(value) + 1; |
|
368 |
|
369 if (strcmp(key, "tsize") == 0) { |
|
370 int tsize = atoi(value); |
|
371 struct stat stat_p; |
|
372 |
|
373 if (tsize == 0 && tftp_prefix) { |
|
374 char buffer[1024]; |
|
375 int len; |
|
376 |
|
377 len = snprintf(buffer, sizeof(buffer), "%s/%s", |
|
378 tftp_prefix, spt->filename); |
|
379 |
|
380 if (stat(buffer, &stat_p) == 0) |
|
381 tsize = stat_p.st_size; |
|
382 else { |
|
383 tftp_send_error(spt, 1, "File not found", tp); |
|
384 return; |
|
385 } |
|
386 } |
|
387 |
|
388 tftp_send_oack(spt, "tsize", tsize, tp); |
|
389 } |
|
390 } |
|
391 |
|
392 tftp_send_data(spt, 1, tp); |
|
393 } |
|
394 |
|
395 static void tftp_handle_ack(struct tftp_t *tp, int pktlen) |
|
396 { |
|
397 int s; |
|
398 |
|
399 s = tftp_session_find(tp); |
|
400 |
|
401 if (s < 0) { |
|
402 return; |
|
403 } |
|
404 |
|
405 if (tftp_send_data(&tftp_sessions[s], |
|
406 ntohs(tp->x.tp_data.tp_block_nr) + 1, |
|
407 tp) < 0) { |
|
408 return; |
|
409 } |
|
410 } |
|
411 |
|
412 void tftp_input(struct mbuf *m) |
|
413 { |
|
414 struct tftp_t *tp = (struct tftp_t *)m->m_data; |
|
415 |
|
416 switch(ntohs(tp->tp_op)) { |
|
417 case TFTP_RRQ: |
|
418 tftp_handle_rrq(tp, m->m_len); |
|
419 break; |
|
420 |
|
421 case TFTP_ACK: |
|
422 tftp_handle_ack(tp, m->m_len); |
|
423 break; |
|
424 } |
|
425 } |