To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-branches@FreeBSD.org
From: Dag-Erling Smørgrav
Subject: git: 2d9d04064354 - stable/14 - tftpd: Add missing bounds checks
Date: Wed, 27 May 2026 09:03:48 +0000

The branch stable/14 has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=2d9d0406435446ecffaab9c2908b3506ce709b8b

commit 2d9d0406435446ecffaab9c2908b3506ce709b8b
Author:     Dag-Erling Smørgrav
AuthorDate: 2026-05-22 17:57:31 +0000
Commit:     Dag-Erling Smørgrav
CommitDate: 2026-05-27 09:03:30 +0000

    tftpd: Add missing bounds checks

    In send_[rw]rq(), we were using strlcpy() to avoid overflowing our
    packet buffer, then failing to check the result and blithely advancing
    our pointer by the full length.

    Luckily, this code is only ever used by tftp(1), not tftpd(8).

    MFC after:      1 week
    Reviewed by:    markj
    Differential Revision:  https://reviews.freebsd.org/D57075

    (cherry picked from commit 933893771344e1647eeda152016b938fdc30ccdc)

--- libexec/tftpd/tftp-io.c | 62 +++++++++++++++++++++++++++---------------------- 1 file changed, 34 insertions(+), 28 deletions(-) diff --git a/libexec/tftpd/tftp-io.c b/libexec/tftpd/tftp-io.c index aaacc9dd7f45..8a560cbb76b0 100644 --- a/libexec/tftpd/tftp-io.c +++ b/libexec/tftpd/tftp-io.c
@@ -174,11 +174,11 @@ send_error(int peer, int error) int send_wrq(int peer, char *filename, char *mode) { - int n; + char buf[MAXPKTSIZE]; struct tftphdr *tp; char *bp; - char buf[MAXPKTSIZE]; - int size; + size_t len; + int n, size; if (debug & DEBUG_PACKETS) tftp_log(LOG_DEBUG, "Sending WRQ: filename: '%s', mode '%s'", @@ -192,17 +192,17 @@ send_wrq(int peer, char *filename, char *mode) size = offsetof(struct tftphdr, th_stuff); bp = tp->th_stuff; - strlcpy(bp, filename, sizeof(buf) - size); - bp += strlen(filename); - *bp = 0; - bp++; - size += strlen(filename) + 1; - - strlcpy(bp, mode, sizeof(buf) - size); - bp += strlen(mode); - *bp = 0; - bp++; - size += strlen(mode) + 1; + len = strlcpy(bp, filename, sizeof(buf) - size); + if (len >= sizeof(buf) - size) + goto overflow; + bp += len + 1; + size += len + 1; + + len = strlcpy(bp, mode, sizeof(buf) - size); + if (len >= sizeof(buf) - size) + goto overflow; + bp += len + 1; + size += len + 1; if (options_rfc_enabled) size += make_options(peer, bp, sizeof(buf) - size); @@ -214,6 +214,9 @@ send_wrq(int peer, char *filename, char *mode) return (1); } return (0); +overflow: + tftp_log(LOG_ERR, "%s: file name too long", __func__); + return (1); } /* @@ -222,11 +225,11 @@ send_wrq(int peer, char *filename, char *mode) int send_rrq(int peer, char *filename, char *mode) { - int n; + char buf[MAXPKTSIZE]; struct tftphdr *tp; char *bp; - char buf[MAXPKTSIZE]; - int size; + size_t len; + int n, size; if (debug & DEBUG_PACKETS) tftp_log(LOG_DEBUG, "Sending RRQ: filename: '%s', mode '%s'", 
@@ -240,17 +243,17 @@ send_rrq(int peer, char *filename, char *mode) size = offsetof(struct tftphdr, th_stuff); bp = tp->th_stuff; - strlcpy(bp, filename, sizeof(buf) - size); - bp += strlen(filename); - *bp = 0; - bp++; - size += strlen(filename) + 1; - - strlcpy(bp, mode, sizeof(buf) - size); - bp += strlen(mode); - *bp = 0; - bp++; - size += strlen(mode) + 1; + len = strlcpy(bp, filename, sizeof(buf) - size); + if (len >= sizeof(buf) - size) + goto overflow; + bp += len + 1; + size += len + 1; + + len = strlcpy(bp, mode, sizeof(buf) - size); + if (len >= sizeof(buf) - size) + goto overflow; + bp += len + 1; + size += len + 1; if (options_rfc_enabled) { options_set_request(OPT_TSIZE, "0"); @@ -264,6 +267,9 @@ send_rrq(int peer, char *filename, char *mode) return (1); } return (0); +overflow: + tftp_log(LOG_ERR, "%s: file name too long", __func__); + return (1); } /*
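
Review bot: the error text at the new `overflow:` label (hunks @@ -214 and @@ -264) says "file name too long", but the label is also the target of the second check, the one that follows `strlcpy(bp, mode, ...)`. A mode string that does not fit would be logged as a file name problem. Either give the mode check its own label and message, or use wording that covers both, such as "%s: request too long".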
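
Review bot: in the send_wrq() hunk at @@ -192, the unchanged line right after the new mode check, `size += make_options(peer, bp, sizeof(buf) - size);`, still adds a return value to `size` with no test. When the mode string ends exactly at the last byte of `buf`, the new checks pass and `sizeof(buf) - size` is 0 at that call, with `bp` pointing one past the end of the buffer. It is worth confirming in this change that make_options() writes nothing and returns 0 for a zero-length remainder, or guarding the call with a check on the remaining space.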
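
Review bot: the copy-and-check sequence added to send_rrq() at @@ -240 is line for line the same as the one added to send_wrq() at @@ -192, which is how the original unchecked strlcpy() ended up in both places. Consider moving it into one static helper that takes the buffer, the current offset and the string and returns the new offset or an error, so the bound is enforced in a single place. In the declaration hunks (@@ -174 and @@ -222), `size` stays an `int` while `len` is a `size_t`, so `size += len + 1` narrows implicitly and `len >= sizeof(buf) - size` mixes signedness; declaring `size` as `size_t` would make the comparison and the arithmetic uniform.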