Package: tftpd
Version: 0.17-18+b2
Severity: normal

Dear Maintainer,

   * What led up to the situation?

     When trying to put new files to the tftpd server, it always fails with
     "Access violation" due to two bugs in the code.

   * What exactly did you do (or not do) that was effective (or
     ineffective)?

     sudo apt-get install tftpd
     sudo mkdir -p /srv/tftp/upload
     sudo chown nobody /srv/tftp/upload

     cd
     echo test > test.txt
     tftp 127.0.0.1
     tftp> put test.txt upload/test.txt
     Error code 2: Access violation
     
   * What was the outcome of this action?

     Error code 2: Access violation

   * What outcome did you expect instead?

     Sent 6 bytes in 0.0 seconds


Problem details:

There are two bugs in tftpd.c source code:

1. Write check always fails when the target file does not exist:

    if ((stbuf.st_mode & S_IWOTH) == 0)
                          return (EACCESS);

    This is wrong because for a non-existent file the stbuf.st_mode is invalid...

2. If the files to be written already exist, it will again fail with "Access violation".
   It is because of this bug (or feature?) in the tftpd.c source (again some if!):

    if ((stbuf.st_mode & S_IWOTH) == 0)
                        return (EACCESS);

   The problem is that the written file is created with -rw------- permission, but
   this check requires -xxxxxxrw-

I created patch to fix these two problems.

WARNING! This patch may introduce security bugs to existing systems, because:

1. In current tftpd, only a write to an existing file with -xxxxxxrw- permission
   succeeded. All other scenarios failed.
2. In my patch it is allowed to get all readable files in the tftpd root -
   originally only files with -xxxxxxrxx were allowed to get.


-- System Information:
Debian Release: 9.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-8-amd64 (SMP w/1 CPU core)
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968), LANGUAGE=en_US:en (charmap=ANSI_X3.4-1968)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tftpd depends on:
ii  libc6                             2.24-11+deb9u3
ii  openbsd-inetd [inet-superserver]  0.20160825-2

tftpd recommends no packages.

tftpd suggests no packages.

-- no debconf information
--- netkit-tftp-0.17/tftpd/tftpd.c.orig 2019-01-14 09:23:15.021857154 +0100
+++ netkit-tftp-0.17/tftpd/tftpd.c      2019-01-14 09:29:55.835950391 +0100
@@ -350,6 +350,9 @@
        int     fd;
        const char *cp;
        const char **dirp;
+       int     not_exist;
+
+       not_exist = 0;
 
        syslog(LOG_NOTICE, "tftpd: trying to get file: %s\n", filename);
 
@@ -387,6 +390,7 @@
                if (mode != WRQ) {
                        return (errno == ENOENT ? ENOTFOUND : EACCESS);
                }
+               not_exist = (errno == ENOENT) ? 1 : 0;
        }
 #if 0
        /*
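Review bot: At the added not_exist assignment, a WRQ whose lookup failed with an errno other than ENOENT is left with not_exist == 0 and falls through to the later permission check instead of being rejected here. Returning EACCESS at this point for that case (if (errno != ENOENT) return (EACCESS);) makes the failure explicit, and the assignment then reduces to not_exist = 1. The ?: is also redundant, since errno == ENOENT already evaluates to 0 or 1.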
@@ -406,10 +410,10 @@
        }
 #endif
        if (mode == RRQ) {
-               if ((stbuf.st_mode & S_IROTH) == 0)
+               if (access(filename,R_OK))
                        return (EACCESS);
        } else {
-               if ((stbuf.st_mode & S_IWOTH) == 0)
+               if (not_exist == 0 && access(filename,W_OK))
                        return (EACCESS);
        }
 
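Review bot: In the WRQ branch, "not_exist == 0 && access(filename,W_OK)" skips every permission check when the target does not exist, so nothing in this hunk decides whether a new file may be created at that path; check the parent directory as well, or drop the pre-check and let whatever opens the file afterwards be the authority, followed by fstat() on the descriptor. On both branches access() tests the daemon's real UID/GID rather than the "other" bits, so what can be read or written now depends entirely on which user tftpd runs as, and an access()-then-open sequence leaves a window in which the path can change between check and use. The old S_IROTH/S_IWOTH test was an explicit opt-in per file; replacing it deserves a comment in the code and a note in the man page.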

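An added example, not part of the original report or of the netkit-tftp source: the write check quoted under "Problem details" next to an open-then-fstat alternative that handles both a missing target and a -rw------- file. The names old_write_check, open_for_upload and the TFTP_* constants are hypothetical, and the sample path is constructed.

```c
#define _POSIX_C_SOURCE 200809L   /* O_NOFOLLOW */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#define TFTP_OK      0
#define TFTP_EACCESS 2            /* TFTP error 2, "Access violation" */

/* The check quoted in the report: st_mode is tested even when stat() failed.
 * stbuf is zeroed here so the demo is deterministic. */
static int old_write_check(const char *path)
{
    struct stat stbuf = {0};
    (void)stat(path, &stbuf);
    return (stbuf.st_mode & S_IWOTH) == 0 ? TFTP_EACCESS : TFTP_OK;
}

/* Hypothetical alternative: let open() decide, then inspect the descriptor,
 * so the object that was checked is the object that gets written. */
static int open_for_upload(const char *path, int *fd_out)
{
    struct stat st;
    /* O_NOFOLLOW: refuse a symlink as last component; O_NONBLOCK: never hang on a FIFO */
    int fd = open(path, O_WRONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0 && errno == ENOENT)    /* new file, created as -rw------- */
        fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0)
        return TFTP_EACCESS;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || ftruncate(fd, 0) < 0) {
        close(fd);
        return TFTP_EACCESS;
    }
    *fd_out = fd;
    return TFTP_OK;
}

int main(void)
{
    const char *path = "upload-demo.txt";   /* constructed sample path */
    int fd = -1;
    printf("old check, missing file: %d\n", old_write_check(path));
    printf("open_for_upload:         %d\n", open_for_upload(path, &fd));
    if (fd >= 0)
        close(fd);
    printf("old check, 0600 file:    %d\n", old_write_check(path));
    unlink(path);
    return 0;
}
```

What open() permits still depends on the user the daemon runs as, so this only narrows access when tftpd has dropped to an unprivileged account such as the nobody user from the report.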