fix buffer overflow in atftpd
Andreas B. Mundt <andi@...> reports:
I've found a problem in atftpd that might be relevant for security.
The daemon can be crashed by any client sending a crafted combination
of TFTP options to the server. As TFTP is usually only used in the LAN,
it's probably not too dramatic.
Observations and how to reproduce the issue
===========================================
Install bullseye packages and prepare tftp-root:
sudo apt install atftp atftpd
mkdir tmp
touch tmp/file.txt
Run server:
/usr/sbin/atftpd --user=$(id -un) --group=$(id -gn) --daemon --no-fork --trace \
--logfile=/dev/stdout --verbose=7 --port 2000 tmp
Fetch file from client:
/usr/bin/atftp -g --trace --option "blksize 8" \
--remote-file file.txt -l /dev/null 127.0.0.1 2000
Crash server by adding another option to the tiny blksize:
/usr/bin/atftp -g --trace --option "blksize 8" --option "timeout 3" \
--remote-file file.txt -l /dev/null 127.0.0.1 2000
Analysis
========
The reason for the crash is a buffer overflow. The size of the buffer keeping the data
to be sent with every segment is calculated by adding 4 bytes to the blksize (for opcode
and block number). However, the same buffer is used for the OACK, which for a blksize=8
overflows as soon as another option is set.
Signed-off-by: Martin Dummer <md11@...>
Martin Dummer
2021-09-12
Changed: tftpd_file.c
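The arithmetic behind the analysis above, worked through as an added C example. This is not atftpd's code and not the fix committed in tftpd_file.c; it models the sizing the report describes (buffer = blksize + 4, shared with the OACK) and the two option sets from the reproduction commands, which are constructed here as `repro_one` and `repro_two`. The OACK layout (2-byte opcode 6, then NUL-terminated name/value strings) is RFC 2347; `build_oack`, `try_build_oack` and `shared_buffer_size` are illustrative helpers, and the "size for the larger packet" fix is one plausible remedy, not necessarily the one applied.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* TFTP opcode for an Option Acknowledgement (RFC 2347). */
#define TFTP_OACK 6

struct tftp_opt {
    const char *name;   /* option name, e.g. "blksize" */
    const char *value;  /* option value as ASCII, e.g. "8" */
};

/* Constructed from the reproduction commands: one option, then two. */
const struct tftp_opt repro_one[] = { { "blksize", "8" } };
const struct tftp_opt repro_two[] = { { "blksize", "8" }, { "timeout", "3" } };

/* Buffer size as the analysis describes it: blksize plus 4 bytes for the
 * DATA opcode and block number. Right for DATA, wrong for an OACK. */
size_t data_buffer_size(size_t blksize)
{
    return blksize + 4;
}

/* Wire size of an OACK: 2-byte opcode, then each name and value as a
 * NUL-terminated string. Note it does not depend on blksize at all. */
size_t oack_wire_size(const struct tftp_opt *opts, size_t n)
{
    size_t len = 2;
    for (size_t i = 0; i < n; i++)
        len += strlen(opts[i].name) + 1 + strlen(opts[i].value) + 1;
    return len;
}

/* Bytes by which the OACK would overrun a blksize+4 buffer; 0 if it fits. */
size_t oack_overrun(size_t blksize, const struct tftp_opt *opts, size_t n)
{
    size_t need = oack_wire_size(opts, n);
    size_t have = data_buffer_size(blksize);
    return need > have ? need - have : 0;
}

/* Serialise an OACK into buf. Returns bytes written, or -1 if it would not
 * fit. The length check is the guard the crashing path lacked: the OACK was
 * written into the DATA-sized buffer unconditionally. */
int build_oack(uint8_t *buf, size_t bufsize, const struct tftp_opt *opts, size_t n)
{
    size_t need = oack_wire_size(opts, n);
    if (need > bufsize)
        return -1;
    buf[0] = 0;
    buf[1] = TFTP_OACK;
    size_t off = 2;
    for (size_t i = 0; i < n; i++) {
        size_t nl = strlen(opts[i].name) + 1;   /* include the NUL */
        size_t vl = strlen(opts[i].value) + 1;
        memcpy(buf + off, opts[i].name, nl);
        off += nl;
        memcpy(buf + off, opts[i].value, vl);
        off += vl;
    }
    return (int)off;
}

/* Build the OACK in a buffer sized exactly as the vulnerable code sized it.
 * With the check in build_oack this refuses instead of overflowing. */
int try_build_oack(size_t blksize, const struct tftp_opt *opts, size_t n)
{
    size_t size = data_buffer_size(blksize);
    uint8_t *buf = malloc(size);
    if (!buf)
        return -1;
    int rc = build_oack(buf, size, opts, n);
    free(buf);
    return rc;
}

/* One possible fix (hypothetical, not necessarily the committed one): size
 * the shared buffer for the larger of the two packets it has to hold. */
size_t shared_buffer_size(size_t blksize, const struct tftp_opt *opts, size_t n)
{
    size_t d = data_buffer_size(blksize);
    size_t o = oack_wire_size(opts, n);
    return d > o ? d : o;
}

int main(void)
{
    printf("blksize 8, 1 option : need %zu, have %zu, overrun %zu\n",
           oack_wire_size(repro_one, 1), data_buffer_size(8),
           oack_overrun(8, repro_one, 1));
    printf("blksize 8, 2 options: need %zu, have %zu, overrun %zu\n",
           oack_wire_size(repro_two, 2), data_buffer_size(8),
           oack_overrun(8, repro_two, 2));
    printf("bounded build, 2 options: %d (-1 = refused)\n",
           try_build_oack(8, repro_two, 2));
    return 0;
}
```

With blksize 8 the buffer is 12 bytes and the single-option OACK ("blksize\0" "8\0" plus opcode) is exactly 12, so the first fetch succeeds; adding "timeout\0" "3\0" makes the OACK 22 bytes, 10 past the end. With the default blksize of 512 the same two options need 22 of 516 bytes, which is why only a tiny negotiated blksize exposes the bug: the OACK length is set by the option strings, not by blksize, so any buffer sized from blksize alone must be checked against it.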