xref: /freebsd/libexec/tftpd/tftpd.c (revision 7ef62cebc2f965b0f640263e179276928885e33d)
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (c) 1983, 1993
5  *	The Regents of the University of California.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. Neither the name of the University nor the names of its contributors
16  *    may be used to endorse or promote products derived from this software
17  *    without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  */
31 
32 #ifndef lint
33 static const char copyright[] =
34 "@(#) Copyright (c) 1983, 1993\n\
35 	The Regents of the University of California.  All rights reserved.\n";
36 #endif /* not lint */
37 
38 #ifndef lint
39 #if 0
40 static char sccsid[] = "@(#)tftpd.c	8.1 (Berkeley) 6/4/93";
41 #endif
42 #endif /* not lint */
43 #include <sys/cdefs.h>
44 __FBSDID("$FreeBSD$");
45 
46 /*
47  * Trivial file transfer protocol server.
48  *
49  * This version includes many modifications by Jim Guyton
50  * <guyton@rand-unix>.
51  */
52 
53 #include <sys/param.h>
54 #include <sys/ioctl.h>
55 #include <sys/socket.h>
56 #include <sys/stat.h>
57 #include <sys/time.h>
58 
59 #include <netinet/in.h>
60 #include <arpa/tftp.h>
61 
62 #include <ctype.h>
63 #include <errno.h>
64 #include <fcntl.h>
65 #include <netdb.h>
66 #include <pwd.h>
67 #include <stdint.h>
68 #include <stdio.h>
69 #include <stdlib.h>
70 #include <string.h>
71 #include <syslog.h>
72 #include <time.h>
73 #include <unistd.h>
74 
75 #include "tftp-file.h"
76 #include "tftp-io.h"
77 #include "tftp-utils.h"
78 #include "tftp-transfer.h"
79 #include "tftp-options.h"
80 
81 #ifdef	LIBWRAP
82 #include <tcpd.h>
83 #endif
84 
85 static void	tftp_wrq(int peer, char *, ssize_t);
86 static void	tftp_rrq(int peer, char *, ssize_t);
87 
88 /*
89  * Null-terminated directory prefix list for absolute pathname requests and
90  * search list for relative pathname requests.
91  *
92  * MAXDIRS should be at least as large as the number of arguments that
93  * inetd allows (currently 20).
94  */
95 #define MAXDIRS	20
96 static struct dirlist {
97 	const char	*name;
98 	int	len;
99 } dirs[MAXDIRS+1];
100 static int	suppress_naks;
101 static int	logging;
102 static int	ipchroot;
103 static int	check_woth = 1;
104 static int	create_new = 0;
105 static const char *newfile_format = "%Y%m%d";
106 static int	increase_name = 0;
107 static mode_t	mask = S_IWGRP | S_IWOTH;
108 
109 struct formats;
110 static void	tftp_recvfile(int peer, const char *mode);
111 static void	tftp_xmitfile(int peer, const char *mode);
112 static int	validate_access(int peer, char **, int);
113 static char	peername[NI_MAXHOST];
114 
115 static FILE *file;
116 
117 static struct formats {
118 	const char	*f_mode;
119 	int	f_convert;
120 } formats[] = {
121 	{ "netascii",	1 },
122 	{ "octet",	0 },
123 	{ NULL,		0 }
124 };
125 
126 int
127 main(int argc, char *argv[])
128 {
129 	struct tftphdr *tp;
130 	int		peer;
131 	socklen_t	peerlen, len;
132 	ssize_t		n;
133 	int		ch;
134 	char		*chroot_dir = NULL;
135 	struct passwd	*nobody;
136 	const char	*chuser = "nobody";
137 	char		recvbuffer[MAXPKTSIZE];
138 	int		allow_ro = 1, allow_wo = 1, on = 1;
139 	pid_t		pid;
140 
141 	tzset();			/* syslog in localtime */
142 	acting_as_client = 0;
143 
144 	tftp_openlog("tftpd", LOG_PID | LOG_NDELAY, LOG_FTP);
145 	while ((ch = getopt(argc, argv, "cCd::F:lnoOp:s:Su:U:wW")) != -1) {
146 		switch (ch) {
147 		case 'c':
148 			ipchroot = 1;
149 			break;
150 		case 'C':
151 			ipchroot = 2;
152 			break;
153 		case 'd':
154 			if (optarg == NULL)
155 				debug++;
156 			else if (atoi(optarg) != 0)
157 				debug += atoi(optarg);
158 			else
159 				debug |= debug_finds(optarg);
160 			break;
161 		case 'F':
162 			newfile_format = optarg;
163 			break;
164 		case 'l':
165 			logging = 1;
166 			break;
167 		case 'n':
168 			suppress_naks = 1;
169 			break;
170 		case 'o':
171 			options_rfc_enabled = 0;
172 			break;
173 		case 'O':
174 			options_extra_enabled = 0;
175 			break;
176 		case 'p':
177 			packetdroppercentage = atoi(optarg);
178 			tftp_log(LOG_INFO,
179 			    "Randomly dropping %d out of 100 packets",
180 			    packetdroppercentage);
181 			break;
182 		case 's':
183 			chroot_dir = optarg;
184 			break;
185 		case 'S':
186 			check_woth = -1;
187 			break;
188 		case 'u':
189 			chuser = optarg;
190 			break;
191 		case 'U':
192 			mask = strtol(optarg, NULL, 0);
193 			break;
194 		case 'w':
195 			create_new = 1;
196 			break;
197 		case 'W':
198 			create_new = 1;
199 			increase_name = 1;
200 			break;
201 		default:
202 			tftp_log(LOG_WARNING,
203 				"ignoring unknown option -%c", ch);
204 		}
205 	}
206 	if (optind < argc) {
207 		struct dirlist *dirp;
208 
209 		/* Get list of directory prefixes. Skip relative pathnames. */
210 		for (dirp = dirs; optind < argc && dirp < &dirs[MAXDIRS];
211 		     optind++) {
212 			if (argv[optind][0] == '/') {
213 				dirp->name = argv[optind];
214 				dirp->len  = strlen(dirp->name);
215 				dirp++;
216 			}
217 		}
218 	}
219 	else if (chroot_dir) {
220 		dirs->name = "/";
221 		dirs->len = 1;
222 	}
223 	if (ipchroot > 0 && chroot_dir == NULL) {
224 		tftp_log(LOG_ERR, "-c requires -s");
225 		exit(1);
226 	}
227 
228 	umask(mask);
229 
230 	if (ioctl(0, FIONBIO, &on) < 0) {
231 		tftp_log(LOG_ERR, "ioctl(FIONBIO): %s", strerror(errno));
232 		exit(1);
233 	}
234 
235 	/* Find out who we are talking to and what we are going to do */
236 	peerlen = sizeof(peer_sock);
237 	n = recvfrom(0, recvbuffer, MAXPKTSIZE, 0,
238 	    (struct sockaddr *)&peer_sock, &peerlen);
239 	if (n < 0) {
240 		tftp_log(LOG_ERR, "recvfrom: %s", strerror(errno));
241 		exit(1);
242 	}
243 	getnameinfo((struct sockaddr *)&peer_sock, peer_sock.ss_len,
244 	    peername, sizeof(peername), NULL, 0, NI_NUMERICHOST);
245 
246 	/*
247 	 * Now that we have read the message out of the UDP
248 	 * socket, we fork and exit.  Thus, inetd will go back
249 	 * to listening to the tftp port, and the next request
250 	 * to come in will start up a new instance of tftpd.
251 	 *
252 	 * We do this so that inetd can run tftpd in "wait" mode.
253 	 * The problem with tftpd running in "nowait" mode is that
254 	 * inetd may get one or more successful "selects" on the
255 	 * tftp port before we do our receive, so more than one
256 	 * instance of tftpd may be started up.  Worse, if tftpd
257 	 * break before doing the above "recvfrom", inetd would
258 	 * spawn endless instances, clogging the system.
259 	 */
260 	pid = fork();
261 	if (pid < 0) {
262 		tftp_log(LOG_ERR, "fork: %s", strerror(errno));
263 		exit(1);
264 	} else if (pid != 0) {
265 		exit(0);
266 	}
267 	/* child */
268 
269 #ifdef	LIBWRAP
270 	/*
271 	 * See if the client is allowed to talk to me.
272 	 * (This needs to be done before the chroot())
273 	 */
274 	{
275 		struct request_info req;
276 
277 		request_init(&req, RQ_CLIENT_ADDR, peername, 0);
278 		request_set(&req, RQ_DAEMON, "tftpd", 0);
279 
280 		if (hosts_access(&req) == 0) {
281 			if (debug & DEBUG_ACCESS)
282 				tftp_log(LOG_WARNING,
283 				    "Access denied by 'tftpd' entry "
284 				    "in /etc/hosts.allow");
285 
286 			/*
287 			 * Full access might be disabled, but maybe the
288 			 * client is allowed to do read-only access.
289 			 */
290 			request_set(&req, RQ_DAEMON, "tftpd-ro", 0);
291 			allow_ro = hosts_access(&req);
292 
293 			request_set(&req, RQ_DAEMON, "tftpd-wo", 0);
294 			allow_wo = hosts_access(&req);
295 
296 			if (allow_ro == 0 && allow_wo == 0) {
297 				tftp_log(LOG_WARNING,
298 				    "Unauthorized access from %s", peername);
299 				exit(1);
300 			}
301 
302 			if (debug & DEBUG_ACCESS) {
303 				if (allow_ro)
304 					tftp_log(LOG_WARNING,
305 					    "But allowed readonly access "
306 					    "via 'tftpd-ro' entry");
307 				if (allow_wo)
308 					tftp_log(LOG_WARNING,
309 					    "But allowed writeonly access "
310 					    "via 'tftpd-wo' entry");
311 			}
312 		} else
313 			if (debug & DEBUG_ACCESS)
314 				tftp_log(LOG_WARNING,
315 				    "Full access allowed"
316 				    "in /etc/hosts.allow");
317 	}
318 #endif
319 
320 	/*
321 	 * Since we exit here, we should do that only after the above
322 	 * recvfrom to keep inetd from constantly forking should there
323 	 * be a problem.  See the above comment about system clogging.
324 	 */
325 	if (chroot_dir) {
326 		if (ipchroot > 0) {
327 			char *tempchroot;
328 			struct stat sb;
329 			int statret;
330 			struct sockaddr_storage ss;
331 			char hbuf[NI_MAXHOST];
332 
333 			statret = -1;
334 			memcpy(&ss, &peer_sock, peer_sock.ss_len);
335 			unmappedaddr((struct sockaddr_in6 *)&ss);
336 			getnameinfo((struct sockaddr *)&ss, ss.ss_len,
337 				    hbuf, sizeof(hbuf), NULL, 0,
338 				    NI_NUMERICHOST);
339 			asprintf(&tempchroot, "%s/%s", chroot_dir, hbuf);
340 			if (ipchroot == 2)
341 				statret = stat(tempchroot, &sb);
342 			if (ipchroot == 1 ||
343 			    (statret == 0 && (sb.st_mode & S_IFDIR)))
344 				chroot_dir = tempchroot;
345 		}
346 		/* Must get this before chroot because /etc might go away */
347 		if ((nobody = getpwnam(chuser)) == NULL) {
348 			tftp_log(LOG_ERR, "%s: no such user", chuser);
349 			exit(1);
350 		}
351 		if (chroot(chroot_dir)) {
352 			tftp_log(LOG_ERR, "chroot: %s: %s",
353 			    chroot_dir, strerror(errno));
354 			exit(1);
355 		}
356 		if (chdir("/") != 0) {
357 			tftp_log(LOG_ERR, "chdir: %s", strerror(errno));
358 			exit(1);
359 		}
360 		if (setgroups(1, &nobody->pw_gid) != 0) {
361 			tftp_log(LOG_ERR, "setgroups failed");
362 			exit(1);
363 		}
364 		if (setuid(nobody->pw_uid) != 0) {
365 			tftp_log(LOG_ERR, "setuid failed");
366 			exit(1);
367 		}
368 		if (check_woth == -1)
369 			check_woth = 0;
370 	}
371 	if (check_woth == -1)
372 		check_woth = 1;
373 
374 	len = sizeof(me_sock);
375 	if (getsockname(0, (struct sockaddr *)&me_sock, &len) == 0) {
376 		switch (me_sock.ss_family) {
377 		case AF_INET:
378 			((struct sockaddr_in *)&me_sock)->sin_port = 0;
379 			break;
380 		case AF_INET6:
381 			((struct sockaddr_in6 *)&me_sock)->sin6_port = 0;
382 			break;
383 		default:
384 			/* unsupported */
385 			break;
386 		}
387 	} else {
388 		memset(&me_sock, 0, sizeof(me_sock));
389 		me_sock.ss_family = peer_sock.ss_family;
390 		me_sock.ss_len = peer_sock.ss_len;
391 	}
392 	close(STDIN_FILENO);
393 	close(STDOUT_FILENO);
394 	close(STDERR_FILENO);
395 	peer = socket(peer_sock.ss_family, SOCK_DGRAM, 0);
396 	if (peer < 0) {
397 		tftp_log(LOG_ERR, "socket: %s", strerror(errno));
398 		exit(1);
399 	}
400 	if (bind(peer, (struct sockaddr *)&me_sock, me_sock.ss_len) < 0) {
401 		tftp_log(LOG_ERR, "bind: %s", strerror(errno));
402 		exit(1);
403 	}
404 
405 	tp = (struct tftphdr *)recvbuffer;
406 	tp->th_opcode = ntohs(tp->th_opcode);
407 	if (tp->th_opcode == RRQ) {
408 		if (allow_ro)
409 			tftp_rrq(peer, tp->th_stuff, n - 1);
410 		else {
411 			tftp_log(LOG_WARNING,
412 			    "%s read access denied", peername);
413 			exit(1);
414 		}
415 	} else if (tp->th_opcode == WRQ) {
416 		if (allow_wo)
417 			tftp_wrq(peer, tp->th_stuff, n - 1);
418 		else {
419 			tftp_log(LOG_WARNING,
420 			    "%s write access denied", peername);
421 			exit(1);
422 		}
423 	} else
424 		send_error(peer, EBADOP);
425 	exit(1);
426 }
427 
428 static void
429 reduce_path(char *fn)
430 {
431 	char *slash, *ptr;
432 
433 	/* Reduce all "/+./" to "/" (just in case we've got "/./../" later */
434 	while ((slash = strstr(fn, "/./")) != NULL) {
435 		for (ptr = slash; ptr > fn && ptr[-1] == '/'; ptr--)
436 			;
437 		slash += 2;
438 		while (*slash)
439 			*++ptr = *++slash;
440 	}
441 
442 	/* Now reduce all "/something/+../" to "/" */
443 	while ((slash = strstr(fn, "/../")) != NULL) {
444 		if (slash == fn)
445 			break;
446 		for (ptr = slash; ptr > fn && ptr[-1] == '/'; ptr--)
447 			;
448 		for (ptr--; ptr >= fn; ptr--)
449 			if (*ptr == '/')
450 				break;
451 		if (ptr < fn)
452 			break;
453 		slash += 3;
454 		while (*slash)
455 			*++ptr = *++slash;
456 	}
457 }
458 
459 static char *
460 parse_header(int peer, char *recvbuffer, ssize_t size,
461 	char **filename, char **mode)
462 {
463 	char	*cp;
464 	int	i;
465 	struct formats *pf;
466 
467 	*mode = NULL;
468 	cp = recvbuffer;
469 
470 	i = get_field(peer, recvbuffer, size);
471 	if (i >= PATH_MAX) {
472 		tftp_log(LOG_ERR, "Bad option - filename too long");
473 		send_error(peer, EBADOP);
474 		exit(1);
475 	}
476 	*filename = recvbuffer;
477 	tftp_log(LOG_INFO, "Filename: '%s'", *filename);
478 	cp += i;
479 
480 	i = get_field(peer, cp, size);
481 	*mode = cp;
482 	cp += i;
483 
484 	/* Find the file transfer mode */
485 	for (cp = *mode; *cp; cp++)
486 		if (isupper(*cp))
487 			*cp = tolower(*cp);
488 	for (pf = formats; pf->f_mode; pf++)
489 		if (strcmp(pf->f_mode, *mode) == 0)
490 			break;
491 	if (pf->f_mode == NULL) {
492 		tftp_log(LOG_ERR,
493 		    "Bad option - Unknown transfer mode (%s)", *mode);
494 		send_error(peer, EBADOP);
495 		exit(1);
496 	}
497 	tftp_log(LOG_INFO, "Mode: '%s'", *mode);
498 
499 	return (cp + 1);
500 }
501 
502 /*
503  * WRQ - receive a file from the client
504  */
505 void
506 tftp_wrq(int peer, char *recvbuffer, ssize_t size)
507 {
508 	char *cp;
509 	int has_options = 0, ecode;
510 	char *filename, *mode;
511 	char fnbuf[PATH_MAX];
512 
513 	cp = parse_header(peer, recvbuffer, size, &filename, &mode);
514 	size -= (cp - recvbuffer) + 1;
515 
516 	strlcpy(fnbuf, filename, sizeof(fnbuf));
517 	reduce_path(fnbuf);
518 	filename = fnbuf;
519 
520 	if (size > 0) {
521 		if (options_rfc_enabled)
522 			has_options = !parse_options(peer, cp, size);
523 		else
524 			tftp_log(LOG_INFO, "Options found but not enabled");
525 	}
526 
527 	ecode = validate_access(peer, &filename, WRQ);
528 	if (ecode == 0) {
529 		if (has_options)
530 			send_oack(peer);
531 		else
532 			send_ack(peer, 0);
533 	}
534 	if (logging) {
535 		tftp_log(LOG_INFO, "%s: write request for %s: %s", peername,
536 			    filename, errtomsg(ecode));
537 	}
538 
539 	if (ecode) {
540 		send_error(peer, ecode);
541 		exit(1);
542 	}
543 	tftp_recvfile(peer, mode);
544 	exit(0);
545 }
546 
547 /*
548  * RRQ - send a file to the client
549  */
550 void
551 tftp_rrq(int peer, char *recvbuffer, ssize_t size)
552 {
553 	char *cp;
554 	int has_options = 0, ecode;
555 	char *filename, *mode;
556 	char	fnbuf[PATH_MAX];
557 
558 	cp = parse_header(peer, recvbuffer, size, &filename, &mode);
559 	size -= (cp - recvbuffer) + 1;
560 
561 	strlcpy(fnbuf, filename, sizeof(fnbuf));
562 	reduce_path(fnbuf);
563 	filename = fnbuf;
564 
565 	if (size > 0) {
566 		if (options_rfc_enabled)
567 			has_options = !parse_options(peer, cp, size);
568 		else
569 			tftp_log(LOG_INFO, "Options found but not enabled");
570 	}
571 
572 	ecode = validate_access(peer, &filename, RRQ);
573 	if (ecode == 0) {
574 		if (has_options) {
575 			int n;
576 			char lrecvbuffer[MAXPKTSIZE];
577 			struct tftphdr *rp = (struct tftphdr *)lrecvbuffer;
578 
579 			send_oack(peer);
580 			n = receive_packet(peer, lrecvbuffer, MAXPKTSIZE,
581 				NULL, timeoutpacket);
582 			if (n < 0) {
583 				if (debug & DEBUG_SIMPLE)
584 					tftp_log(LOG_DEBUG, "Aborting: %s",
585 					    rp_strerror(n));
586 				return;
587 			}
588 			if (rp->th_opcode != ACK) {
589 				if (debug & DEBUG_SIMPLE)
590 					tftp_log(LOG_DEBUG,
591 					    "Expected ACK, got %s on OACK",
592 					    packettype(rp->th_opcode));
593 				return;
594 			}
595 		}
596 	}
597 
598 	if (logging)
599 		tftp_log(LOG_INFO, "%s: read request for %s: %s", peername,
600 			    filename, errtomsg(ecode));
601 
602 	if (ecode) {
603 		/*
604 		 * Avoid storms of naks to a RRQ broadcast for a relative
605 		 * bootfile pathname from a diskless Sun.
606 		 */
607 		if (suppress_naks && *filename != '/' && ecode == ENOTFOUND)
608 			exit(0);
609 		send_error(peer, ecode);
610 		exit(1);
611 	}
612 	tftp_xmitfile(peer, mode);
613 }
614 
615 /*
616  * Find the next value for YYYYMMDD.nn when the file to be written should
617  * be unique. Due to the limitations of nn, we will fail if nn reaches 100.
618  * Besides, that is four updates per hour on a file, which is kind of
619  * execessive anyway.
620  */
621 static int
622 find_next_name(char *filename, int *fd)
623 {
624 	int i;
625 	time_t tval;
626 	size_t len;
627 	struct tm lt;
628 	char yyyymmdd[MAXPATHLEN];
629 	char newname[MAXPATHLEN];
630 
631 	/* Create the YYYYMMDD part of the filename */
632 	time(&tval);
633 	lt = *localtime(&tval);
634 	len = strftime(yyyymmdd, sizeof(yyyymmdd), newfile_format, &lt);
635 	if (len == 0) {
636 		syslog(LOG_WARNING,
637 			"Filename suffix too long (%d characters maximum)",
638 			MAXPATHLEN);
639 		return (EACCESS);
640 	}
641 
642 	/* Make sure the new filename is not too long */
643 	if (strlen(filename) > MAXPATHLEN - len - 5) {
644 		syslog(LOG_WARNING,
645 			"Filename too long (%zd characters, %zd maximum)",
646 			strlen(filename), MAXPATHLEN - len - 5);
647 		return (EACCESS);
648 	}
649 
650 	/* Find the first file which doesn't exist */
651 	for (i = 0; i < 100; i++) {
652 		sprintf(newname, "%s.%s.%02d", filename, yyyymmdd, i);
653 		*fd = open(newname,
654 		    O_WRONLY | O_CREAT | O_EXCL,
655 		    S_IRUSR | S_IWUSR | S_IRGRP |
656 		    S_IWGRP | S_IROTH | S_IWOTH);
657 		if (*fd > 0)
658 			return 0;
659 	}
660 
661 	return (EEXIST);
662 }
663 
664 /*
665  * Validate file access.  Since we
666  * have no uid or gid, for now require
667  * file to exist and be publicly
668  * readable/writable.
669  * If we were invoked with arguments
670  * from inetd then the file must also be
671  * in one of the given directory prefixes.
672  * Note also, full path name must be
673  * given as we have no login directory.
674  */
675 int
676 validate_access(int peer, char **filep, int mode)
677 {
678 	struct stat stbuf;
679 	int	fd;
680 	int	error;
681 	struct dirlist *dirp;
682 	static char pathname[MAXPATHLEN];
683 	char *filename = *filep;
684 
685 	/*
686 	 * Prevent tricksters from getting around the directory restrictions
687 	 */
688 	if (strstr(filename, "/../"))
689 		return (EACCESS);
690 
691 	if (*filename == '/') {
692 		/*
693 		 * Allow the request if it's in one of the approved locations.
694 		 * Special case: check the null prefix ("/") by looking
695 		 * for length = 1 and relying on the arg. processing that
696 		 * it's a /.
697 		 */
698 		for (dirp = dirs; dirp->name != NULL; dirp++) {
699 			if (dirp->len == 1 ||
700 			    (!strncmp(filename, dirp->name, dirp->len) &&
701 			     filename[dirp->len] == '/'))
702 				    break;
703 		}
704 		/* If directory list is empty, allow access to any file */
705 		if (dirp->name == NULL && dirp != dirs)
706 			return (EACCESS);
707 		if (stat(filename, &stbuf) < 0)
708 			return (errno == ENOENT ? ENOTFOUND : EACCESS);
709 		if ((stbuf.st_mode & S_IFMT) != S_IFREG)
710 			return (ENOTFOUND);
711 		if (mode == RRQ) {
712 			if ((stbuf.st_mode & S_IROTH) == 0)
713 				return (EACCESS);
714 		} else {
715 			if (check_woth && ((stbuf.st_mode & S_IWOTH) == 0))
716 				return (EACCESS);
717 		}
718 	} else {
719 		int err;
720 
721 		/*
722 		 * Relative file name: search the approved locations for it.
723 		 * Don't allow write requests that avoid directory
724 		 * restrictions.
725 		 */
726 
727 		if (!strncmp(filename, "../", 3))
728 			return (EACCESS);
729 
730 		/*
731 		 * If the file exists in one of the directories and isn't
732 		 * readable, continue looking. However, change the error code
733 		 * to give an indication that the file exists.
734 		 */
735 		err = ENOTFOUND;
736 		for (dirp = dirs; dirp->name != NULL; dirp++) {
737 			snprintf(pathname, sizeof(pathname), "%s/%s",
738 				dirp->name, filename);
739 			if (stat(pathname, &stbuf) == 0 &&
740 			    (stbuf.st_mode & S_IFMT) == S_IFREG) {
741 				if (mode == RRQ) {
742 					if ((stbuf.st_mode & S_IROTH) != 0)
743 						break;
744 				} else {
745 					if (!check_woth || ((stbuf.st_mode & S_IWOTH) != 0))
746 						break;
747 				}
748 				err = EACCESS;
749 			}
750 		}
751 		if (dirp->name != NULL)
752 			*filep = filename = pathname;
753 		else if (mode == RRQ)
754 			return (err);
755 		else if (err != ENOTFOUND || !create_new)
756 			return (err);
757 	}
758 
759 	/*
760 	 * This option is handled here because it (might) require(s) the
761 	 * size of the file.
762 	 */
763 	option_tsize(peer, NULL, mode, &stbuf);
764 
765 	if (mode == RRQ)
766 		fd = open(filename, O_RDONLY);
767 	else {
768 		if (create_new) {
769 			if (increase_name) {
770 				error = find_next_name(filename, &fd);
771 				if (error > 0)
772 					return (error + 100);
773 			} else
774 				fd = open(filename,
775 				    O_WRONLY | O_TRUNC | O_CREAT,
776 				    S_IRUSR | S_IWUSR | S_IRGRP |
777 				    S_IWGRP | S_IROTH | S_IWOTH );
778 		} else
779 			fd = open(filename, O_WRONLY | O_TRUNC);
780 	}
781 	if (fd < 0)
782 		return (errno + 100);
783 	file = fdopen(fd, (mode == RRQ)? "r":"w");
784 	if (file == NULL) {
785 		close(fd);
786 		return (errno + 100);
787 	}
788 	return (0);
789 }
790 
791 static void
792 tftp_xmitfile(int peer, const char *mode)
793 {
794 	uint16_t block;
795 	time_t now;
796 	struct tftp_stats ts;
797 
798 	memset(&ts, 0, sizeof(ts));
799 	now = time(NULL);
800 	if (debug & DEBUG_SIMPLE)
801 		tftp_log(LOG_DEBUG, "Transmitting file");
802 
803 	read_init(0, file, mode);
804 	block = 1;
805 	tftp_send(peer, &block, &ts);
806 	read_close();
807 	if (debug & DEBUG_SIMPLE)
808 		tftp_log(LOG_INFO, "Sent %jd bytes in %jd seconds",
809 		    (intmax_t)ts.amount, (intmax_t)time(NULL) - now);
810 }
811 
812 static void
813 tftp_recvfile(int peer, const char *mode)
814 {
815 	uint16_t block;
816 	struct timeval now1, now2;
817 	struct tftp_stats ts;
818 
819 	gettimeofday(&now1, NULL);
820 	if (debug & DEBUG_SIMPLE)
821 		tftp_log(LOG_DEBUG, "Receiving file");
822 
823 	write_init(0, file, mode);
824 
825 	block = 0;
826 	tftp_receive(peer, &block, &ts, NULL, 0);
827 
828 	gettimeofday(&now2, NULL);
829 
830 	if (debug & DEBUG_SIMPLE) {
831 		double f;
832 		if (now1.tv_usec > now2.tv_usec) {
833 			now2.tv_usec += 1000000;
834 			now2.tv_sec--;
835 		}
836 
837 		f = now2.tv_sec - now1.tv_sec +
838 		    (now2.tv_usec - now1.tv_usec) / 100000.0;
839 		tftp_log(LOG_INFO,
840 		    "Download of %jd bytes in %d blocks completed after %0.1f seconds\n",
841 		    (intmax_t)ts.amount, block, f);
842 	}
843 
844 	return;
845 }
846