From e14eaacce69b9a168deefacafd9b1b768c40cb60 Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Sun, 13 Jul 2014 01:00:02 +0200
Subject: [PATCH 1/2] tftpd: fix error string packet overflow in nak(), fix syslog reporting
---
 sys/src/cmd/ip/tftpd.c | 16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/sys/src/cmd/ip/tftpd.c b/sys/src/cmd/ip/tftpd.c
index 355e98340..7a6ec6f77 100644
--- a/sys/src/cmd/ip/tftpd.c
+++ b/sys/src/cmd/ip/tftpd.c
@@ -11,7 +11,6 @@
 enum
 {
 Maxpath= 128,
- Maxerr= 256,
 Debug= 0,
@@ -561,7 +560,7 @@ sendfile(int fd, char *name, char *mode, int opts)
 {
 int file, block, ret, rexmit, n, txtry;
 uchar buf[Maxsegsize+Hdrsize];
- char errbuf[Maxerr];
+ char errbuf[ERRMAX];
 file = -1;
 syslog(dbg, flog, "tftpd %d send file '%s' %s to %s",
@@ -642,7 +641,7 @@ recvfile(int fd, char *name, char *mode)
 {
 ushort op, block, inblock;
 uchar buf[Maxsegsize+8];
- char errbuf[Maxerr];
+ char errbuf[ERRMAX];
 int n, ret, file;
 syslog(dbg, flog, "receive file '%s' %s from %s", name, mode, raddr);
@@ -651,7 +650,7 @@ recvfile(int fd, char *name, char *mode)
 if(file < 0) {
 errstr(errbuf, sizeof errbuf);
 nak(fd, 0, errbuf);
- syslog(dbg, flog, "can't create %s: %r", name);
+ syslog(dbg, flog, "can't create %s: %s", name, errbuf);
 return;
 }
@@ -729,13 +728,16 @@ nak(int fd, int code, char *msg)
 char buf[128];
 int n;
+ n = 5 + strlen(msg);
+ if(n > sizeof(buf))
+ n = sizeof(buf);
 buf[0] = 0;
 buf[1] = Tftp_ERROR;
 buf[2] = 0;
 buf[3] = code;
- strcpy(buf+4, msg);
- n = strlen(msg) + 4 + 1;
- if(write(fd, buf, n) < n)
+ memmove(buf+4, msg, n - 5);
+ buf[n-1] = 0;
+ if(write(fd, buf, n) != n)
 sysfatal("write nak: %r");
 }
From 4b7b1218bf85c1d2894a85bc1b15f9b52d618512 Mon Sep 17 00:00:00 2001
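Review bot: In recvfile's create-failure branch the `syslog` call still comes after `nak(fd, 0, errbuf)`, and nak() ends in `sysfatal("write nak: %r")` when its write fails (visible in the nak hunk), so in that case the create error is never logged. Since errbuf is already filled by `errstr` before either call, the two can simply be swapped: `syslog(dbg, flog, "can't create %s: %s", name, errbuf);` first, then `nak(fd, 0, errbuf);`. The rest of recvfile lies outside the hunk.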
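Review bot: The clamp `if(n > sizeof(buf)) n = sizeof(buf);` keeps the packet inside `char buf[128]`, but it cuts the message silently, and the size is a bare number unrelated to the `errbuf[ERRMAX]` that sendfile and recvfile now pass in. Declaring the packet as `char buf[4+ERRMAX];` would let a full error string through together with its four header bytes, with the clamp kept as a guard for any longer message. A one-line comment above the arithmetic, e.g. `/* 2 bytes opcode, 2 bytes code, message, NUL; message is truncated to fit */`, would explain the 5 and the `n - 5`. The opening of nak() is outside the hunk.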
From: cinap_lenrek
Date: Sun, 13 Jul 2014 01:03:17 +0200
Subject: [PATCH 2/2] ftpd: dont skip unmountnet() and return proper error string from dialdata()
---
 sys/src/cmd/ip/ftpd.c | 32 +++++++++++++++-----------------
 1 file changed, 15 insertions(+), 17 deletions(-)
diff --git a/sys/src/cmd/ip/ftpd.c b/sys/src/cmd/ip/ftpd.c
index e3d52f8c2..8626ab47e 100644
--- a/sys/src/cmd/ip/ftpd.c
+++ b/sys/src/cmd/ip/ftpd.c
@@ -33,7 +33,6 @@ enum
 /* maximum ms we'll wait for a command */
 Maxwait= 1000*60*30, /* inactive for 30 minutes, we hang up */
- Maxerr= 128,
 Maxpath= 512,
 };
@@ -161,7 +160,7 @@ logit(char *fmt, ...)
 {
 char buf[8192];
 va_list arg;
- char errstr[128];
+ char errstr[ERRMAX];
 rerrstr(errstr, sizeof errstr);
 va_start(arg, fmt);
@@ -1078,7 +1077,7 @@ list(char *arg, int lflag)
 dfd = dialdata();
 if(dfd < 0){
- reply("425 Error opening data connection:%r");
+ reply("425 Error opening data connection: %r");
 return;
 }
 reply("150 Opened data connection (%s)", data);
@@ -1373,7 +1372,7 @@ retrieve(char *arg, int arg2)
 reply("150 Opening data connection for %s (%s)", arg, data);
 dfd = dialdata();
 if(dfd < 0){
- reply("425 Error opening data connection:%r");
+ reply("425 Error opening data connection: %r");
 close(fd);
 return;
 }
@@ -1445,7 +1444,7 @@ store(char *arg, int fd)
 reply("150 Opening data connection for %s (%s)", arg, data);
 dfd = dialdata();
 if(dfd < 0){
- reply("425 Error opening data connection:%r");
+ reply("425 Error opening data connection: %r");
 close(fd);
 return;
 }
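Review bot: The local array in logit is still named `errstr`, the same identifier as the library routine that dialdata calls as `errstr(err, sizeof err)`, so inside logit the name no longer refers to the routine. Since the declaration is being touched anyway, `char err[ERRMAX];` with `rerrstr(err, sizeof err);` would match dialdata's naming and remove the shadowing. Any later use of the array in logit, which continues past the hunk, would need the same rename.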
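Review bot: The `%r` in `reply("425 Error opening data connection: %r")` sends the server's own error string to the remote client, here in list and again in the retrieve and store hunks. dialdata() already records the detail with `logit("can't dial %s: %s", data, err)`, so the reply could carry only the fixed text unless clients are meant to see the reason; what that string can contain depends on dial/listen/accept, which this page does not show. If the `%r` stays, a short comment at the call sites noting that it relies on dialdata() restoring the error string before it returns would help. All three functions extend beyond their hunks.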
@@ -1697,30 +1696,29 @@ dialdata(void) { int fd, cfd; char ldir[40]; - char err[Maxerr]; + char err[ERRMAX]; if(mountnet() < 0) return -1; - if(!passive.inuse){ + if(!passive.inuse) fd = dial(data, "20", 0, 0); - errstr(err, sizeof err); - } else { + else { + fd = -1; alarm(5*60*1000); cfd = listen(passive.adir, ldir); alarm(0); - errstr(err, sizeof err); - if(cfd < 0) - return -1; - fd = accept(cfd, ldir); - errstr(err, sizeof err); - close(cfd); + if(cfd >= 0){ + fd = accept(cfd, ldir); + close(cfd); + } } + err[0] = 0; + errstr(err, sizeof err); if(fd < 0) logit("can't dial %s: %s", data, err); - unmountnet(); - werrstr(err, sizeof err); + errstr(err, sizeof err); return fd; }
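Review bot: The two `errstr(err, sizeof err)` calls at the end of dialdata only make sense because errstr() exchanges the buffer with the process error string, and nothing in the function says so. A comment such as `/* errstr swaps: stash the dial/listen/accept error so logit and unmountnet cannot clobber it */` above the first call and `/* swap back so the caller's %r reports the original failure */` above the second would keep a later cleanup from merging them. As collapsed on this page `unmountnet();` directly follows a `-` marker, so it is not clear whether the call itself is removed or only a blank line before it; the subject line implies it stays, and it has to sit between the two swaps for the save and restore to matter.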