File atftp-CVE-2021-41054.patch of Package atftp

Overview Repositories Revisions Requests Users Attributes Meta

File atftp-CVE-2021-41054.patch of Package atftp

From d255bf90834fb45be52decf9bc0b4fb46c90f205 Mon Sep 17 00:00:00 2001
From: Martin Dummer <md11@users.sourceforge.net>
Date: Sun, 12 Sep 2021 22:52:26 +0200
Subject: [PATCH 81/85] fix buffer overflow in atftpd

Andreas B. Mundt <andi@debian.org> reports:

I've found a problem in atftpd that might be relevant for security.
The daemon can be crashed by any client sending a crafted combination
of TFTP options to the server.  As TFTP is usually only used in the LAN,
it's probably not too dramatic.

Observations and how to reproduce the issue
===========================================

Install bullseye packages and prepare tftp-root:
  sudo apt install atftp atftpd
  mkdir tmp
  touch tmp/file.txt

Run server:
  /usr/sbin/atftpd --user=$(id -un) --group=$(id -gn) --daemon --no-fork --trace \
                    --logfile=/dev/stdout --verbose=7 --port 2000 tmp

Fetch file from client:
  /usr/bin/atftp -g --trace --option "blksize 8" \
                  --remote-file file.txt -l /dev/null 127.0.0.1 2000

Crash server by adding another option to the tiny blksize:
   /usr/bin/atftp -g --trace --option "blksize 8" --option "timeout 3" \
                   --remote-file file.txt -l /dev/null 127.0.0.1 2000

Analysis
========

The reason for the crash is a buffer overflow.  The size of the buffer keeping the data
to be sent with every segment is calculated by adding 4 bytes to the blksize (for opcode
and block number).  However, the same buffer is used for the OACK, which for a blksize=8
overflows as soon as another option is set.

Signed-off-by: Martin Dummer <md11@users.sourceforge.net>
---
 tftpd_file.c | 34 ++++++++++++++++++++++++++++++----
 1 file changed, 30 insertions(+), 4 deletions(-)

diff --git a/tftpd_file.c b/tftpd_file.c
index ff40e8d..37a0906 100644
--- a/tftpd_file.c
+++ b/tftpd_file.c
@@ -168,11 +168,24 @@ int tftpd_receive_file(struct thread_data *data)
           logger(LOG_DEBUG, "timeout option -> %d", timeout);
      }
 
-     /* blksize options */
+     /*
+      *  blksize option, must be the last option evaluated,
+      *  because data->data_buffer_size may be modified here,
+      *  and may be smaller than the buffer containing options
+      */
      if ((result = opt_get_blksize(data->tftp_options)) > -1)
      {
-          if ((result < 8) || (result > 65464))
+          /*
+           *  If we receive more options, we have to make sure our buffer for
+           *  the OACK is not too small.  Use the string representation of
+           *  the options here for simplicity, which puts us on the save side.
+           *  FIXME: Use independent buffers for OACK and data.
+           */
+          opt_options_to_string(data->tftp_options, string, MAXLEN);
+          if ((result < strlen(string)-2) || (result > 65464))
           {
+               logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.",
+                      string, strlen(string)-2);
                tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size);
                if (data->trace)
                     logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG,
@@ -531,11 +544,24 @@ int tftpd_send_file(struct thread_data *data)
           logger(LOG_INFO, "timeout option -> %d", timeout);
      }
 
-     /* blksize options */
+     /*
+      *  blksize option, must be the last option evaluated,
+      *  because data->data_buffer_size may be modified here,
+      *  and may be smaller than the buffer containing options
+      */
      if ((result = opt_get_blksize(data->tftp_options)) > -1)
      {
-          if ((result < 8) || (result > 65464))
+          /*
+           *  If we receive more options, we have to make sure our buffer for
+           *  the OACK is not too small.  Use the string representation of
+           *  the options here for simplicity, which puts us on the save side.
+           *  FIXME: Use independent buffers for OACK and data.
+           */
+          opt_options_to_string(data->tftp_options, string, MAXLEN);
+          if ((result < strlen(string)-2) || (result > 65464))
           {
+               logger(LOG_NOTICE, "options <%s> require roughly a blksize of %d for the OACK.",
+                      string, strlen(string)-2);
                tftp_send_error(sockfd, sa, EOPTNEG, data->data_buffer, data->data_buffer_size);
                if (data->trace)
                     logger(LOG_DEBUG, "sent ERROR <code: %d, msg: %s>", EOPTNEG,
-- 
2.33.0

Places

File atftp-CVE-2021-41054.patch of Package atftp

Places