git: 9f231af307b8 - main - tftpd: Immediately reject any request shorter than 4 bytes.

From: Dag-Erling Smørgrav <des_at_FreeBSD.org>
Date: Thu, 25 Apr 2024 18:36:27 UTC
The branch main has been updated by des:

URL: https://cgit.FreeBSD.org/src/commit/?id=9f231af307b80eb222d9761bbd81fa4e130bb3d7

commit 9f231af307b80eb222d9761bbd81fa4e130bb3d7
Author:     Dag-Erling Smørgrav <des@FreeBSD.org>
AuthorDate: 2024-04-25 18:35:28 +0000
Commit:     Dag-Erling Smørgrav <des@FreeBSD.org>
CommitDate: 2024-04-25 18:36:13 +0000

    tftpd: Immediately reject any request shorter than 4 bytes.
    
    MFC after:      1 week
    Sponsored by:   Klara, Inc.
    Reviewed by:    kevans
    Differential Revision:  https://reviews.freebsd.org/D44957
---
 libexec/tftpd/tests/functional.c | 19 +++++++++++++++++++
 libexec/tftpd/tftpd.c            |  5 +++++
 2 files changed, 24 insertions(+)

diff --git a/libexec/tftpd/tests/functional.c b/libexec/tftpd/tests/functional.c
index 3b70962854ba..d3d2f46ffdee 100644
--- a/libexec/tftpd/tests/functional.c
+++ b/libexec/tftpd/tests/functional.c
@@ -1219,6 +1219,22 @@ TFTPD_TC_DEFINE(wrq_window_rfc7440,)
 	require_bufeq(contents, sizeof(contents), buffer, (size_t)r);
 }
 
+/*
+ * Send less than four bytes
+ */
+TFTPD_TC_DEFINE(short_packet1, /* no head */, exitcode = 1)
+{
+	SEND_STR("\1");
+}
+TFTPD_TC_DEFINE(short_packet2, /* no head */, exitcode = 1)
+{
+	SEND_STR("\1\2");
+}
+TFTPD_TC_DEFINE(short_packet3, /* no head */, exitcode = 1)
+{
+	SEND_STR("\1\2\3");
+}
+
 
 /*
  * Main
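Review bot: The new cases send 1, 2 and 3 bytes, so neither edge of the length check in tftpd.c is pinned: an empty datagram and a request of exactly 4 bytes are both untested. If the harness can send a zero-length datagram, a `short_packet0` case would cover the lower edge. A 4-byte case would document what the server does with the shortest request that passes the check. The block comment could also state the expected outcome, for example `/* Requests shorter than a TFTP header (4 bytes) must make the server exit with status 1. */`, assuming that is what `exitcode = 1` means to `TFTPD_TC_DEFINE`.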
@@ -1256,6 +1272,9 @@ ATF_TP_ADD_TCS(tp)
 	TFTPD_TC_ADD(tp, wrq_small);
 	TFTPD_TC_ADD(tp, wrq_truncate);
 	TFTPD_TC_ADD(tp, wrq_window_rfc7440);
+	TFTPD_TC_ADD(tp, short_packet1);
+	TFTPD_TC_ADD(tp, short_packet2);
+	TFTPD_TC_ADD(tp, short_packet3);
 
 	return (atf_no_error());
 }
diff --git a/libexec/tftpd/tftpd.c b/libexec/tftpd/tftpd.c
index 45e7344c86ed..13f53024b147 100644
--- a/libexec/tftpd/tftpd.c
+++ b/libexec/tftpd/tftpd.c
@@ -228,6 +228,11 @@ main(int argc, char *argv[])
 	}
 	getnameinfo((struct sockaddr *)&peer_sock, peer_sock.ss_len,
 	    peername, sizeof(peername), NULL, 0, NI_NUMERICHOST);
+	if ((size_t)n < 4 /* tftphdr */) {
+		tftp_log(LOG_ERR, "Rejecting %zd-byte request from %s",
+		    n, peername);
+		exit(1);
+	}
 
 	/*
 	 * Now that we have read the message out of the UDP
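Review bot: The cast in `(size_t)n < 4` is only safe if `n` cannot be negative here, because a negative value converts to a very large `size_t` and would pass the check. The receive-error branch is presumably the block closed by the `}` at the top of the hunk, but that code is outside the hunk, so a short comment such as `/* n >= 0 here: receive errors were handled above */` or a plain signed comparison `if (n < 4 /* tftphdr */) {` would make the guard self-evident. Separately, the log call prints `peername` right after a `getnameinfo()` whose return value is not checked; unless `peername` is initialised earlier in `main`, a failed lookup would log an unspecified buffer. The bare `4` would also read better as a named constant than as a literal with a trailing comment.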