From: Dag-Erling Smørgrav
Subject: git: 933893771344 - main - tftpd: Add missing bounds checks
Date: Fri, 22 May 2026 17:58:12 +0000

The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=933893771344e1647eeda152016b938fdc30ccdc

commit 933893771344e1647eeda152016b938fdc30ccdc
Author:     Dag-Erling Smørgrav
AuthorDate: 2026-05-22 17:57:31 +0000
Commit:     Dag-Erling Smørgrav
CommitDate: 2026-05-22 17:57:31 +0000

    tftpd: Add missing bounds checks

    In send_[rw]rq(), we were using strlcpy() to avoid overflowing our
    packet buffer, then failing to check the result and blithely advancing
    our pointer by the full length.

    Luckily, this code is only ever used by tftp(1), not tftpd(8).

    MFC after:      1 week
    Reviewed by:    markj
    Differential Revision:  https://reviews.freebsd.org/D57075
---
 libexec/tftpd/tftp-io.c | 62 +++++++++++++++++++++++++++----------------------
 1 file changed, 34 insertions(+), 28 deletions(-)

diff --git a/libexec/tftpd/tftp-io.c b/libexec/tftpd/tftp-io.c index 50102e652d2f..3384071d6df2 100644 --- a/libexec/tftpd/tftp-io.c +++ b/libexec/tftpd/tftp-io.c 
@@ -173,11 +173,11 @@ send_error(int peer, int error) int send_wrq(int peer, char *filename, char *mode) { - int n; + char buf[MAXPKTSIZE]; struct tftphdr *tp; char *bp; - char buf[MAXPKTSIZE]; - int size; + size_t len; + int n, size; if (debug & DEBUG_PACKETS) tftp_log(LOG_DEBUG, "Sending WRQ: filename: '%s', mode '%s'", @@ -191,17 +191,17 @@ send_wrq(int peer, char *filename, char *mode) size = offsetof(struct tftphdr, th_stuff); bp = tp->th_stuff; - strlcpy(bp, filename, sizeof(buf) - size); - bp += strlen(filename); - *bp = 0; - bp++; - size += strlen(filename) + 1; - - strlcpy(bp, mode, sizeof(buf) - size); - bp += strlen(mode); - *bp = 0; - bp++; - size += strlen(mode) + 1; + len = strlcpy(bp, filename, sizeof(buf) - size); + if (len >= sizeof(buf) - size) + goto overflow; + bp += len + 1; + size += len + 1; + + len = strlcpy(bp, mode, sizeof(buf) - size); + if (len >= sizeof(buf) - size) + goto overflow; + bp += len + 1; + size += len + 1; if (options_rfc_enabled) size += make_options(peer, bp, sizeof(buf) - size); @@ -213,6 +213,9 @@ send_wrq(int peer, char *filename, char *mode) return (1); } return (0); +overflow: + tftp_log(LOG_ERR, "%s: file name too long", __func__); + return (1); } /* @@ -221,11 +224,11 @@ send_wrq(int peer, char *filename, char *mode) int send_rrq(int peer, char *filename, char *mode) { - int n; + char buf[MAXPKTSIZE]; struct tftphdr *tp; char *bp; - char buf[MAXPKTSIZE]; - int size; + size_t len; + int n, size; if (debug & DEBUG_PACKETS) tftp_log(LOG_DEBUG, "Sending RRQ: filename: '%s', mode '%s'", 
@@ -239,17 +242,17 @@ send_rrq(int peer, char *filename, char *mode) size = offsetof(struct tftphdr, th_stuff); bp = tp->th_stuff; - strlcpy(bp, filename, sizeof(buf) - size); - bp += strlen(filename); - *bp = 0; - bp++; - size += strlen(filename) + 1; - - strlcpy(bp, mode, sizeof(buf) - size); - bp += strlen(mode); - *bp = 0; - bp++; - size += strlen(mode) + 1; + len = strlcpy(bp, filename, sizeof(buf) - size); + if (len >= sizeof(buf) - size) + goto overflow; + bp += len + 1; + size += len + 1; + + len = strlcpy(bp, mode, sizeof(buf) - size); + if (len >= sizeof(buf) - size) + goto overflow; + bp += len + 1; + size += len + 1; if (options_rfc_enabled) { options_set_request(OPT_TSIZE, "0"); @@ -263,6 +266,9 @@ send_rrq(int peer, char *filename, char *mode) return (1); } return (0); +overflow: + tftp_log(LOG_ERR, "%s: file name too long", __func__); + return (1); } /*
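
Review bot: in the send_wrq() declarations (hunk at -173), size stays an int while the new len is a size_t, so each "len >= sizeof(buf) - size" comparison converts size to unsigned and each "size += len + 1" narrows back to int. The values are bounded by MAXPKTSIZE, so this is not a bug, but declaring size as size_t (and casting once where the send call needs an int) would remove the mixed-sign arithmetic from the bounds checks themselves. The same applies to the send_rrq() declarations at -221.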
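
Review bot: in the send_wrq() copy block (hunk at -191), the unchanged context line "size += make_options(peer, bp, sizeof(buf) - size);" still adds the callee's return value to size without any check, and with the new accounting the remaining space passed to it can be exactly zero when filename and mode fill the buffer to the last byte. It is worth confirming that make_options() copes with a zero-length buffer and can never return more than the length it was given, or else checking its result against the remaining space the same way the two strlcpy() results are now checked.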
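
Review bot: the overflow label added at the end of send_wrq() (hunk at -213) logs "file name too long", but the second "goto overflow" is taken when the mode string is the one that does not fit. Either use a message that covers both cases (for example "request too long") or give the mode check its own message so the log points at the right argument. The identical label in send_rrq() (hunk at -263) has the same issue.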
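
Review bot: the send_rrq() copy block (hunk at -239) is a line-for-line duplicate of the one in send_wrq(), which is how the original unchecked strlcpy() pattern ended up in two places. A small static helper that appends one NUL-terminated string to the packet, advances bp and size, and reports truncation would keep the bounds check in a single place and let both functions share it.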