leandrof/u-boot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
8f1bc28408
u-boot/net/tftp.c
Grant Likely 8f1bc28408 tftp: don't implicity trust the format of recevied packets 
The TFTP OACK code trusts that the incoming packet is formated as
ASCII text and can be processed by string functions. It also has a
loop limit overflow bug where if the packet length is less than 8, it
ends up looping over *all* of memory to find the 'blksize' string.

This patch solves the problem by forcing the packet to be null
terminated and using strstr() to search for the sub string.

Signed-off-by: Grant Likely <grant.likely@secretlab.ca>
2007-08-30 09:16:16 +02:00

618 lines
14 KiB
C
Raw Blame History

/*
* Copyright 1994, 1995, 2000 Neil Russell.
* (See License)
* Copyright 2000, 2001 DENX Software Engineering, Wolfgang Denk, wd@denx.de
*/
#include <common.h>
#include <command.h>
#include <net.h>
#include "tftp.h"
#include "bootp.h"
#undef ET_DEBUG
#if defined(CONFIG_CMD_NET)
#define WELL_KNOWN_PORT 69 /* Well known TFTP port # */
#define TIMEOUT 5 /* Seconds to timeout for a lost pkt */
#ifndef CONFIG_NET_RETRY_COUNT
# define TIMEOUT_COUNT 10 /* # of timeouts before giving up */
#else
# define TIMEOUT_COUNT (CONFIG_NET_RETRY_COUNT * 2)
#endif
/* (for checking the image size) */
#define HASHES_PER_LINE 65 /* Number of "loading" hashes per line */
/*
* TFTP operations.
*/
#define TFTP_RRQ 1
#define TFTP_WRQ 2
#define TFTP_DATA 3
#define TFTP_ACK 4
#define TFTP_ERROR 5
#define TFTP_OACK 6
static int TftpServerPort; /* The UDP port at their end */
static int TftpOurPort; /* The UDP port at our end */
static int TftpTimeoutCount;
static ulong TftpBlock; /* packet sequence number */
static ulong TftpLastBlock; /* last packet sequence number received */
static ulong TftpBlockWrap; /* count of sequence number wraparounds */
static ulong TftpBlockWrapOffset; /* memory offset due to wrapping */
static int TftpState;
#define STATE_RRQ 1
#define STATE_DATA 2
#define STATE_TOO_LARGE 3
#define STATE_BAD_MAGIC 4
#define STATE_OACK 5
#define TFTP_BLOCK_SIZE 512 /* default TFTP block size */
#define TFTP_SEQUENCE_SIZE ((ulong)(1<<16)) /* sequence number is 16 bit */
#define DEFAULT_NAME_LEN (8 + 4 + 1)
static char default_filename[DEFAULT_NAME_LEN];
static char *tftp_filename;
#ifdef CFG_DIRECT_FLASH_TFTP
extern flash_info_t flash_info[];
#endif
/* 512 is poor choice for ethernet, MTU is typically 1500.
* Minus eth.hdrs thats 1468. Can get 2x better throughput with
* almost-MTU block sizes. At least try... fall back to 512 if need be.
*/
#define TFTP_MTU_BLOCKSIZE 1468
static unsigned short TftpBlkSize=TFTP_BLOCK_SIZE;
static unsigned short TftpBlkSizeOption=TFTP_MTU_BLOCKSIZE;
#ifdef CONFIG_MCAST_TFTP
#include <malloc.h>
#define MTFTP_BITMAPSIZE 0x1000
static unsigned *Bitmap;
static int PrevBitmapHole,Mapsize=MTFTP_BITMAPSIZE;
static uchar ProhibitMcast=0, MasterClient=0;
static uchar Multicast=0;
extern IPaddr_t Mcast_addr;
static int Mcast_port;
static ulong TftpEndingBlock; /* can get 'last' block before done..*/
static void parse_multicast_oack(char *pkt,int len);
static void
mcast_cleanup(void)
{
if (Mcast_addr) eth_mcast_join(Mcast_addr, 0);
if (Bitmap) free(Bitmap);
Bitmap=NULL;
Mcast_addr = Multicast = Mcast_port = 0;
TftpEndingBlock = -1;
}
#endif /* CONFIG_MCAST_TFTP */
static __inline__ void
store_block (unsigned block, uchar * src, unsigned len)
{
ulong offset = block * TftpBlkSize + TftpBlockWrapOffset;
ulong newsize = offset + len;
#ifdef CFG_DIRECT_FLASH_TFTP
int i, rc = 0;
for (i=0; i<CFG_MAX_FLASH_BANKS; i++) {
/* start address in flash? */
if (load_addr + offset >= flash_info[i].start[0]) {
rc = 1;
break;
}
}
if (rc) { /* Flash is destination for this packet */
rc = flash_write ((char *)src, (ulong)(load_addr+offset), len);
if (rc) {
flash_perror (rc);
NetState = NETLOOP_FAIL;
return;
}
}
else
#endif /* CFG_DIRECT_FLASH_TFTP */
{
(void)memcpy((void *)(load_addr + offset), src, len);
}
#ifdef CONFIG_MCAST_TFTP
if (Multicast)
ext2_set_bit(block, Bitmap);
#endif
if (NetBootFileXferSize < newsize)
NetBootFileXferSize = newsize;
}
static void TftpSend (void);
static void TftpTimeout (void);
/**********************************************************************/
static void
TftpSend (void)
{
volatile uchar * pkt;
volatile uchar * xp;
int len = 0;
volatile ushort *s;
#ifdef CONFIG_MCAST_TFTP
/* Multicast TFTP.. non-MasterClients do not ACK data. */
if (Multicast
&& (TftpState == STATE_DATA)
&& (MasterClient == 0))
return;
#endif
/*
* We will always be sending some sort of packet, so
* cobble together the packet headers now.
*/
pkt = NetTxPacket + NetEthHdrSize() + IP_HDR_SIZE;
switch (TftpState) {
case STATE_RRQ:
xp = pkt;
s = (ushort *)pkt;
*s++ = htons(TFTP_RRQ);
pkt = (uchar *)s;
strcpy ((char *)pkt, tftp_filename);
pkt += strlen(tftp_filename) + 1;
strcpy ((char *)pkt, "octet");
pkt += 5 /*strlen("octet")*/ + 1;
strcpy ((char *)pkt, "timeout");
pkt += 7 /*strlen("timeout")*/ + 1;
sprintf((char *)pkt, "%d", TIMEOUT);
#ifdef ET_DEBUG
printf("send option \"timeout %s\"\n", (char *)pkt);
#endif
pkt += strlen((char *)pkt) + 1;
/* try for more effic. blk size */
pkt += sprintf((char *)pkt,"blksize%c%d%c",
0,TftpBlkSizeOption,0);
#ifdef CONFIG_MCAST_TFTP
/* Check all preconditions before even trying the option */
if (!ProhibitMcast
&& (Bitmap=malloc(Mapsize))
&& eth_get_dev()->mcast) {
free(Bitmap);
Bitmap=NULL;
pkt += sprintf((char *)pkt,"multicast%c%c",0,0);
}
#endif /* CONFIG_MCAST_TFTP */
len = pkt - xp;
break;
case STATE_OACK:
#ifdef CONFIG_MCAST_TFTP
/* My turn! Start at where I need blocks I missed.*/
if (Multicast)
TftpBlock=ext2_find_next_zero_bit(Bitmap,(Mapsize*8),0);
/*..falling..*/
#endif
case STATE_DATA:
xp = pkt;
s = (ushort *)pkt;
*s++ = htons(TFTP_ACK);
*s++ = htons(TftpBlock);
pkt = (uchar *)s;
len = pkt - xp;
break;
case STATE_TOO_LARGE:
xp = pkt;
s = (ushort *)pkt;
*s++ = htons(TFTP_ERROR);
*s++ = htons(3);
pkt = (uchar *)s;
strcpy ((char *)pkt, "File too large");
pkt += 14 /*strlen("File too large")*/ + 1;
len = pkt - xp;
break;
case STATE_BAD_MAGIC:
xp = pkt;
s = (ushort *)pkt;
*s++ = htons(TFTP_ERROR);
*s++ = htons(2);
pkt = (uchar *)s;
strcpy ((char *)pkt, "File has bad magic");
pkt += 18 /*strlen("File has bad magic")*/ + 1;
len = pkt - xp;
break;
}
NetSendUDPPacket(NetServerEther, NetServerIP, TftpServerPort, TftpOurPort, len);
}
static void
TftpHandler (uchar * pkt, unsigned dest, unsigned src, unsigned len)
{
char * blksize;
ushort proto;
ushort *s;
if (dest != TftpOurPort) {
#ifdef CONFIG_MCAST_TFTP
if (Multicast
&& (!Mcast_port || (dest != Mcast_port)))
#endif
return;
}
if (TftpState != STATE_RRQ && src != TftpServerPort) {
return;
}
if (len < 2) {
return;
}
len -= 2;
/* warning: don't use increment (++) in ntohs() macros!! */
s = (ushort *)pkt;
proto = *s++;
pkt = (uchar *)s;
switch (ntohs(proto)) {
case TFTP_RRQ:
case TFTP_WRQ:
case TFTP_ACK:
break;
default:
break;
case TFTP_OACK:
#ifdef ET_DEBUG
printf("Got OACK:\n");
print_buffer (0, pkt, 1, len, 16);
#endif
TftpState = STATE_OACK;
TftpServerPort = src;
/* Check for 'blksize' option */
pkt[len] = 0; /* NULL terminate so string ops work */
blksize = strstr((char*)pkt, "blksize");
if ((blksize) && (blksize + 8 < (char*)pkt + len)) {
TftpBlkSize = simple_strtoul(blksize + 8, NULL, 10);
#ifdef ET_DEBUG
printf("Blocksize ack: %d\n", TftpBlkSize);
#endif
}
#ifdef CONFIG_MCAST_TFTP
parse_multicast_oack((char *)pkt,len-1);
if ((Multicast) && (!MasterClient))
TftpState = STATE_DATA; /* passive.. */
else
#endif
TftpSend (); /* Send ACK */
break;
case TFTP_DATA:
if (len < 2)
return;
len -= 2;
TftpBlock = ntohs(*(ushort *)pkt);
/*
* RFC1350 specifies that the first data packet will
* have sequence number 1. If we receive a sequence
* number of 0 this means that there was a wrap
* around of the (16 bit) counter.
*/
if (TftpBlock == 0) {
TftpBlockWrap++;
TftpBlockWrapOffset += TftpBlkSize * TFTP_SEQUENCE_SIZE;
printf ("\n\t %lu MB received\n\t ", TftpBlockWrapOffset>>20);
} else {
if (((TftpBlock - 1) % 10) == 0) {
putc ('#');
} else if ((TftpBlock % (10 * HASHES_PER_LINE)) == 0) {
puts ("\n\t ");
}
}
#ifdef ET_DEBUG
if (TftpState == STATE_RRQ) {
puts ("Server did not acknowledge timeout option!\n");
}
#endif
if (TftpState == STATE_RRQ || TftpState == STATE_OACK) {
/* first block received */
TftpState = STATE_DATA;
TftpServerPort = src;
TftpLastBlock = 0;
TftpBlockWrap = 0;
TftpBlockWrapOffset = 0;
#ifdef CONFIG_MCAST_TFTP
if (Multicast) { /* start!=1 common if mcast */
TftpLastBlock = TftpBlock - 1;
} else
#endif
if (TftpBlock != 1) { /* Assertion */
printf ("\nTFTP error: "
"First block is not block 1 (%ld)\n"
"Starting again\n\n",
TftpBlock);
NetStartAgain ();
break;
}
}
if (TftpBlock == TftpLastBlock) {
/*
* Same block again; ignore it.
*/
break;
}
TftpLastBlock = TftpBlock;
NetSetTimeout (TIMEOUT * CFG_HZ, TftpTimeout);
store_block (TftpBlock - 1, pkt + 2, len);
/*
* Acknoledge the block just received, which will prompt
* the server for the next one.
*/
#ifdef CONFIG_MCAST_TFTP
/* if I am the MasterClient, actively calculate what my next
* needed block is; else I'm passive; not ACKING
*/
if (Multicast) {
if (len < TftpBlkSize) {
TftpEndingBlock = TftpBlock;
} else if (MasterClient) {
TftpBlock = PrevBitmapHole =
ext2_find_next_zero_bit(
Bitmap,
(Mapsize*8),
PrevBitmapHole);
if (TftpBlock > ((Mapsize*8) - 1)) {
printf ("tftpfile too big\n");
/* try to double it and retry */
Mapsize<<=1;
mcast_cleanup();
NetStartAgain ();
return;
}
TftpLastBlock = TftpBlock;
}
}
#endif
TftpSend ();
#ifdef CONFIG_MCAST_TFTP
if (Multicast) {
if (MasterClient && (TftpBlock >= TftpEndingBlock)) {
puts ("\nMulticast tftp done\n");
mcast_cleanup();
NetState = NETLOOP_SUCCESS;
}
}
else
#endif
if (len < TftpBlkSize) {
/*
* We received the whole thing. Try to
* run it.
*/
puts ("\ndone\n");
NetState = NETLOOP_SUCCESS;
}
break;
case TFTP_ERROR:
printf ("\nTFTP error: '%s' (%d)\n",
pkt + 2, ntohs(*(ushort *)pkt));
puts ("Starting again\n\n");
#ifdef CONFIG_MCAST_TFTP
mcast_cleanup();
#endif
NetStartAgain ();
break;
}
}
static void
TftpTimeout (void)
{
if (++TftpTimeoutCount > TIMEOUT_COUNT) {
puts ("\nRetry count exceeded; starting again\n");
#ifdef CONFIG_MCAST_TFTP
mcast_cleanup();
#endif
NetStartAgain ();
} else {
puts ("T ");
NetSetTimeout (TIMEOUT * CFG_HZ, TftpTimeout);
TftpSend ();
}
}
void
TftpStart (void)
{
#ifdef CONFIG_TFTP_PORT
char *ep; /* Environment pointer */
#endif
if (BootFile[0] == '\0') {
sprintf(default_filename, "%02lX%02lX%02lX%02lX.img",
NetOurIP & 0xFF,
(NetOurIP >> 8) & 0xFF,
(NetOurIP >> 16) & 0xFF,
(NetOurIP >> 24) & 0xFF );
tftp_filename = default_filename;
printf ("*** Warning: no boot file name; using '%s'\n",
tftp_filename);
} else {
tftp_filename = BootFile;
}
#if defined(CONFIG_NET_MULTI)
printf ("Using %s device\n", eth_get_name());
#endif
puts ("TFTP from server "); print_IPaddr (NetServerIP);
puts ("; our IP address is "); print_IPaddr (NetOurIP);
/* Check if we need to send across this subnet */
if (NetOurGatewayIP && NetOurSubnetMask) {
IPaddr_t OurNet = NetOurIP & NetOurSubnetMask;
IPaddr_t ServerNet = NetServerIP & NetOurSubnetMask;
if (OurNet != ServerNet) {
puts ("; sending through gateway ");
print_IPaddr (NetOurGatewayIP) ;
}
}
putc ('\n');
printf ("Filename '%s'.", tftp_filename);
if (NetBootFileSize) {
printf (" Size is 0x%x Bytes = ", NetBootFileSize<<9);
print_size (NetBootFileSize<<9, "");
}
putc ('\n');
printf ("Load address: 0x%lx\n", load_addr);
puts ("Loading: *\b");
NetSetTimeout (TIMEOUT * CFG_HZ, TftpTimeout);
NetSetHandler (TftpHandler);
TftpServerPort = WELL_KNOWN_PORT;
TftpTimeoutCount = 0;
TftpState = STATE_RRQ;
/* Use a pseudo-random port unless a specific port is set */
TftpOurPort = 1024 + (get_timer(0) % 3072);
#ifdef CONFIG_TFTP_PORT
if ((ep = getenv("tftpdstp")) != NULL) {
TftpServerPort = simple_strtol(ep, NULL, 10);
}
if ((ep = getenv("tftpsrcp")) != NULL) {
TftpOurPort= simple_strtol(ep, NULL, 10);
}
#endif
TftpBlock = 0;
/* zero out server ether in case the server ip has changed */
memset(NetServerEther, 0, 6);
/* Revert TftpBlkSize to dflt */
TftpBlkSize = TFTP_BLOCK_SIZE;
#ifdef CONFIG_MCAST_TFTP
mcast_cleanup();
#endif
TftpSend ();
}
#ifdef CONFIG_MCAST_TFTP
/* Credits: atftp project.
*/
/* pick up BcastAddr, Port, and whether I am [now] the master-client. *
* Frame:
* +-------+-----------+---+-------~~-------+---+
* | opc | multicast | 0 | addr, port, mc | 0 |
* +-------+-----------+---+-------~~-------+---+
* The multicast addr/port becomes what I listen to, and if 'mc' is '1' then
* I am the new master-client so must send ACKs to DataBlocks. If I am not
* master-client, I'm a passive client, gathering what DataBlocks I may and
* making note of which ones I got in my bitmask.
* In theory, I never go from master->passive..
* .. this comes in with pkt already pointing just past opc
*/
static void parse_multicast_oack(char *pkt, int len)
{
int i;
IPaddr_t addr;
char *mc_adr, *port, *mc;
mc_adr=port=mc=NULL;
/* march along looking for 'multicast\0', which has to start at least
* 14 bytes back from the end.
*/
for (i=0;i<len-14;i++)
if (strcmp (pkt+i,"multicast") == 0)
break;
if (i >= (len-14)) /* non-Multicast OACK, ign. */
return;
i+=10; /* strlen multicast */
mc_adr = pkt+i;
for (;i<len;i++) {
if (*(pkt+i) == ',') {
*(pkt+i) = '\0';
if (port) {
mc = pkt+i+1;
break;
} else {
port = pkt+i+1;
}
}
}
if (!port || !mc_adr || !mc ) return;
if (Multicast && MasterClient) {
printf ("I got a OACK as master Client, WRONG!\n");
return;
}
/* ..I now accept packets destined for this MCAST addr, port */
if (!Multicast) {
if (Bitmap) {
printf ("Internal failure! no mcast.\n");
free(Bitmap);
Bitmap=NULL;
ProhibitMcast=1;
return ;
}
/* I malloc instead of pre-declare; so that if the file ends
* up being too big for this bitmap I can retry
*/
if (!(Bitmap = malloc (Mapsize))) {
printf ("No Bitmap, no multicast. Sorry.\n");
ProhibitMcast=1;
return;
}
memset (Bitmap,0,Mapsize);
PrevBitmapHole = 0;
Multicast = 1;
}
addr = string_to_ip(mc_adr);
if (Mcast_addr != addr) {
if (Mcast_addr)
eth_mcast_join(Mcast_addr, 0);
if (eth_mcast_join(Mcast_addr=addr, 1)) {
printf ("Fail to set mcast, revert to TFTP\n");
ProhibitMcast=1;
mcast_cleanup();
NetStartAgain();
}
}
MasterClient = (unsigned char)simple_strtoul((char *)mc,NULL,10);
Mcast_port = (unsigned short)simple_strtoul(port,NULL,10);
printf ("Multicast: %s:%d [%d]\n", mc_adr, Mcast_port, MasterClient);
return;
}
#endif /* Multicast TFTP */
#endif
Reference in New Issue View Git Blame Copy Permalink