To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Dag-Erling Smørgrav
Subject: git: dd9272210d45 - stable/15 - tftpd: Add missing bounds checks
List-Id: Commit messages for all branches of the src repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-src-all
X-Git-Committer: des
X-Git-Repository: src
X-Git-Refname: refs/heads/stable/15
X-Git-Reftype: branch
X-Git-Commit: dd9272210d456df3e2ce98e4c5696e15170edcf4
Date: Wed, 27 May 2026 09:03:34 +0000
Message-Id: <6a16b366.25bd7.793f6a1c@gitrepo.freebsd.org>

The branch stable/15 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=dd9272210d456df3e2ce98e4c5696e15170edcf4

commit dd9272210d456df3e2ce98e4c5696e15170edcf4
Author:     Dag-Erling Smørgrav
AuthorDate: 2026-05-22 17:57:31 +0000
Commit:     Dag-Erling Smørgrav
CommitDate: 2026-05-27 09:03:21 +0000

    tftpd: Add missing bounds checks

    In send_[rw]rq(), we were using strlcpy() to avoid overflowing our
    packet buffer, then failing to check the result and blithely advancing
    our pointer by the full length. Luckily, this code is only ever used
    by tftp(1), not tftpd(8).

    MFC after:      1 week
    Reviewed by:    markj
    Differential Revision:  https://reviews.freebsd.org/D57075

    (cherry picked from commit 933893771344e1647eeda152016b938fdc30ccdc)
---
 libexec/tftpd/tftp-io.c | 62 +++++++++++++++++++++++++++----------------------
 1 file changed, 34 insertions(+), 28 deletions(-)

diff --git a/libexec/tftpd/tftp-io.c b/libexec/tftpd/tftp-io.c index 50102e652d2f..3384071d6df2 100644 --- a/libexec/tftpd/tftp-io.c +++ b/libexec/tftpd/tftp-io.c
@@ -173,11 +173,11 @@ send_error(int peer, int error) int send_wrq(int peer, char *filename, char *mode) { - int n; + char buf[MAXPKTSIZE]; struct tftphdr *tp; char *bp; - char buf[MAXPKTSIZE]; - int size; + size_t len; + int n, size; if (debug & DEBUG_PACKETS) tftp_log(LOG_DEBUG, "Sending WRQ: filename: '%s', mode '%s'", @@ -191,17 +191,17 @@ send_wrq(int peer, char *filename, char *mode) size = offsetof(struct tftphdr, th_stuff); bp = tp->th_stuff; - strlcpy(bp, filename, sizeof(buf) - size); - bp += strlen(filename); - *bp = 0; - bp++; - size += strlen(filename) + 1; - - strlcpy(bp, mode, sizeof(buf) - size); - bp += strlen(mode); - *bp = 0; - bp++; - size += strlen(mode) + 1; + len = strlcpy(bp, filename, sizeof(buf) - size); + if (len >= sizeof(buf) - size) + goto overflow; + bp += len + 1; + size += len + 1; + + len = strlcpy(bp, mode, sizeof(buf) - size); + if (len >= sizeof(buf) - size) + goto overflow; + bp += len + 1; + size += len + 1; if (options_rfc_enabled) size += make_options(peer, bp, sizeof(buf) - size); @@ -213,6 +213,9 @@ send_wrq(int peer, char *filename, char *mode) return (1); } return (0); +overflow: + tftp_log(LOG_ERR, "%s: file name too long", __func__); + return (1); } /* @@ -221,11 +224,11 @@ send_wrq(int peer, char *filename, char *mode) int send_rrq(int peer, char *filename, char *mode) { - int n; + char buf[MAXPKTSIZE]; struct tftphdr *tp; char *bp; - char buf[MAXPKTSIZE]; - int size; + size_t len; + int n, size; if (debug & DEBUG_PACKETS) tftp_log(LOG_DEBUG, "Sending RRQ: filename: '%s', mode '%s'", 
@@ -239,17 +242,17 @@ send_rrq(int peer, char *filename, char *mode) size = offsetof(struct tftphdr, th_stuff); bp = tp->th_stuff; - strlcpy(bp, filename, sizeof(buf) - size); - bp += strlen(filename); - *bp = 0; - bp++; - size += strlen(filename) + 1; - - strlcpy(bp, mode, sizeof(buf) - size); - bp += strlen(mode); - *bp = 0; - bp++; - size += strlen(mode) + 1; + len = strlcpy(bp, filename, sizeof(buf) - size); + if (len >= sizeof(buf) - size) + goto overflow; + bp += len + 1; + size += len + 1; + + len = strlcpy(bp, mode, sizeof(buf) - size); + if (len >= sizeof(buf) - size) + goto overflow; + bp += len + 1; + size += len + 1; if (options_rfc_enabled) { options_set_request(OPT_TSIZE, "0"); @@ -263,6 +266,9 @@ send_rrq(int peer, char *filename, char *mode) return (1); } return (0); +overflow: + tftp_log(LOG_ERR, "%s: file name too long", __func__); + return (1); } /*
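
Review bot: in the send_wrq() hunk at @@ -191, the space handed to make_options() can now be exactly zero. The new check only rejects `len >= sizeof(buf) - size`, so a mode string that fits with no byte to spare leaves `size == sizeof(buf)` and `bp` pointing one past the end of `buf` when `make_options(peer, bp, sizeof(buf) - size)` runs. Please confirm make_options() writes nothing when given a zero length, or bail out before calling it when no room is left.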
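
Review bot: the `overflow:` label added at @@ -213 (and again at @@ -263 for send_rrq()) logs "file name too long" even when it is reached from the second check, where it was the mode string that did not fit. A neutral message such as "request too long", or a separate label per argument, would keep the log from pointing at the wrong input.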
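
Review bot: the copy, check and advance sequence in the send_rrq() hunk at @@ -239 is the fourth identical copy of `len = strlcpy(...); if (len >= sizeof(buf) - size) goto overflow;` in this patch, which is how the original omission ended up in both functions at once. A small static helper that appends one NUL-terminated string and reports failure would keep the two request builders in step. Separately, `size` stays an `int` while `len` is a `size_t`, so `sizeof(buf) - size` and `size += len + 1` mix signed and unsigned operands; the checks keep the values in range, but declaring `size` as `size_t` would make that explicit.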