Commit d255bf

fix buffer overflow in atftpd

Andreas B. Mundt <andi@...> reports:

I've found a problem in atftpd that might be relevant for security.
The daemon can be crashed by any client sending a crafted combination
of TFTP options to the server. As TFTP is usually only used in the LAN,
it's probably not too dramatic.

Observations and how to reproduce the issue
===========================================

Install bullseye packages and prepare tftp-root:
sudo apt install atftp atftpd
mkdir tmp
touch tmp/file.txt

Run server:
/usr/sbin/atftpd --user=$(id -un) --group=$(id -gn) --daemon --no-fork --trace \
--logfile=/dev/stdout --verbose=7 --port 2000 tmp

Fetch file from client:
/usr/bin/atftp -g --trace --option "blksize 8" \
--remote-file file.txt -l /dev/null 127.0.0.1 2000

Crash server by adding another option to the tiny blksize:
/usr/bin/atftp -g --trace --option "blksize 8" --option "timeout 3" \
--remote-file file.txt -l /dev/null 127.0.0.1 2000

Analysis
========

The reason for the crash is a buffer overflow. The size of the buffer keeping the data
to be sent with every segment is calculated by adding 4 bytes to the blksize (for opcode
and block number). However, the same buffer is used for the OACK, which for a blksize=8
overflows as soon as another option is set.

Signed-off-by: Martin Dummer <md11@...>

Martin Dummer 2021-09-12
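The arithmetic behind the report's two requests, as an added example that is not atftp's own code: a data buffer sized blksize + 4 holds exactly the 12-byte OACK for "blksize 8", and a second option pushes the OACK past the buffer. The function names (data_buffer_size, oack_length, build_oack, oack_fits_data_buffer) and the option arrays are assumptions made for this illustration; the OACK wire layout (opcode 6, then "name\0value\0" pairs) is RFC 2347, and the blksize + 4 sizing follows the report's description.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TFTP_OACK 6u

/* Constructed inputs mirroring the report's two client requests
 * (assumed for this example, not taken from atftp). */
const char *const OPTS1_NAMES[]  = {"blksize"};
const char *const OPTS1_VALUES[] = {"8"};
const char *const OPTS2_NAMES[]  = {"blksize", "timeout"};
const char *const OPTS2_VALUES[] = {"8", "3"};

/* Size of the per-transfer buffer as the report describes it:
 * blksize payload bytes plus a 4-byte DATA header (opcode + block number). */
size_t data_buffer_size(size_t blksize)
{
    return blksize + 4;
}

/* Wire length of an OACK (RFC 2347): 2-byte opcode, then each option
 * as "name\0value\0". Computed up front so the caller can bounds-check. */
size_t oack_length(const char *const *names, const char *const *values, size_t nopts)
{
    size_t len = 2;
    for (size_t i = 0; i < nopts; i++)
        len += strlen(names[i]) + 1 + strlen(values[i]) + 1;
    return len;
}

/* Serialize the OACK into buf. Returns bytes written, or -1 when the
 * packet would not fit: the check that the report says was missing when
 * the blksize-sized data buffer was reused for the OACK. */
int build_oack(uint8_t *buf, size_t bufsize,
               const char *const *names, const char *const *values, size_t nopts)
{
    size_t need = oack_length(names, values, nopts);
    if (need > bufsize)
        return -1;
    size_t pos = 0;
    buf[pos++] = 0;
    buf[pos++] = TFTP_OACK;
    for (size_t i = 0; i < nopts; i++) {
        size_t nlen = strlen(names[i]) + 1;   /* copy the terminating NUL too */
        size_t vlen = strlen(values[i]) + 1;
        memcpy(buf + pos, names[i], nlen);
        pos += nlen;
        memcpy(buf + pos, values[i], vlen);
        pos += vlen;
    }
    return (int)pos;
}

/* Does the OACK for these options fit in a data buffer sized for blksize? */
int oack_fits_data_buffer(size_t blksize,
                          const char *const *names, const char *const *values, size_t nopts)
{
    return oack_length(names, values, nopts) <= data_buffer_size(blksize);
}

int main(void)
{
    uint8_t buf[64];
    size_t bufsize = data_buffer_size(8);   /* 12 bytes for "blksize 8" */

    int w1 = build_oack(buf, bufsize, OPTS1_NAMES, OPTS1_VALUES, 1);
    printf("blksize=8: OACK needs %zu bytes, buffer is %zu -> %s\n",
           oack_length(OPTS1_NAMES, OPTS1_VALUES, 1), bufsize, w1 < 0 ? "rejected" : "fits");

    int w2 = build_oack(buf, bufsize, OPTS2_NAMES, OPTS2_VALUES, 2);
    printf("blksize=8 + timeout=3: OACK needs %zu bytes, buffer is %zu -> %s\n",
           oack_length(OPTS2_NAMES, OPTS2_VALUES, 2), bufsize, w2 < 0 ? "rejected" : "fits");
    return 0;
}
```

The first request fills the 12-byte buffer exactly, which is why it works; the second needs 22 bytes, so an unchecked write into the same buffer runs 10 bytes past its end. Sizing the OACK from the option strings, or building it in a buffer sized for the worst-case option set rather than for blksize, closes the gap.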

changed tftpd_file.c