xref: /netbsd/usr.sbin/bootp/bootpd/bootpd.c (revision 6550d01e)
1 /************************************************************************
2           Copyright 1988, 1991 by Carnegie Mellon University
3 
4                           All Rights Reserved
5 
6 Permission to use, copy, modify, and distribute this software and its
7 documentation for any purpose and without fee is hereby granted, provided
8 that the above copyright notice appear in all copies and that both that
9 copyright notice and this permission notice appear in supporting
10 documentation, and that the name of Carnegie Mellon University not be used
11 in advertising or publicity pertaining to distribution of the software
12 without specific, written prior permission.
13 
14 CARNEGIE MELLON UNIVERSITY DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS
15 SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS.
16 IN NO EVENT SHALL CMU BE LIABLE FOR ANY SPECIAL, INDIRECT OR CONSEQUENTIAL
17 DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
18 PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
19 ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
20 SOFTWARE.
21 ************************************************************************/
22 
23 #include <sys/cdefs.h>
24 #ifndef lint
25 __RCSID("$NetBSD: bootpd.c,v 1.23 2009/04/15 00:23:28 lukem Exp $");
26 #endif
27 
28 /*
29  * BOOTP (bootstrap protocol) server daemon.
30  *
31  * Answers BOOTP request packets from booting client machines.
32  * See [SRI-NIC]<RFC>RFC951.TXT for a description of the protocol.
33  * See [SRI-NIC]<RFC>RFC1048.TXT for vendor-information extensions.
34  * See RFC 1395 for option tags 14-17.
35  * See accompanying man page -- bootpd.8
36  *
37  * HISTORY
38  *	See ./Changes
39  *
40  * BUGS
41  *	See ./ToDo
42  */
43 
44 
45 
46 #include <sys/types.h>
47 #include <sys/param.h>
48 #include <sys/socket.h>
49 #include <sys/ioctl.h>
50 #include <sys/file.h>
51 #include <sys/time.h>
52 #include <sys/stat.h>
53 #include <sys/poll.h>
54 
55 #include <net/if.h>
56 #include <netinet/in.h>
57 #include <arpa/inet.h>	/* inet_ntoa */
58 
59 #ifndef	NO_UNISTD
60 #include <unistd.h>
61 #endif
62 #include <stdlib.h>
63 #include <signal.h>
64 #include <stdio.h>
65 #include <string.h>
66 #include <strings.h>
67 #include <errno.h>
68 #include <ctype.h>
69 #include <netdb.h>
70 #include <syslog.h>
71 #include <assert.h>
72 
73 #ifdef	NO_SETSID
74 # include <fcntl.h>		/* for O_RDONLY, etc */
75 #endif
76 
77 #ifdef	SVR4
78 /* Using sigset() avoids the need to re-arm each time. */
79 #define signal sigset
80 #endif
81 
82 #include "bootp.h"
83 #include "hash.h"
84 #include "hwaddr.h"
85 #include "bootpd.h"
86 #include "dovend.h"
87 #include "getif.h"
88 #include "readfile.h"
89 #include "report.h"
90 #include "tzone.h"
91 #include "patchlevel.h"
92 
93 #ifndef CONFIG_FILE
94 #define CONFIG_FILE		"/etc/bootptab"
95 #endif
96 #ifndef DUMPTAB_FILE
97 #define DUMPTAB_FILE		"/tmp/bootpd.dump"
98 #endif
99 
100 
101 
102 /*
103  * Externals, forward declarations, and global variables
104  */
105 
106 extern void dumptab(const char *);
107 
108 PRIVATE void catcher(int);
109 PRIVATE int chk_access(char *, int32 *);
110 #ifdef VEND_CMU
111 PRIVATE void dovend_cmu(struct bootp *, struct host *);
112 #endif
113 PRIVATE void dovend_rfc1048(struct bootp *, struct host *, int32);
114 PRIVATE void handle_reply(void);
115 PRIVATE void handle_request(void);
116 PRIVATE void sendreply(int forward, int32 dest_override);
117 PRIVATE void usage(void);
118 int main(int, char **);
119 
120 /*
121  * IP port numbers for client and server obtained from /etc/services
122  */
123 
124 u_short bootps_port, bootpc_port;
125 
126 
127 /*
128  * Internet socket and interface config structures
129  */
130 
131 struct sockaddr_in bind_addr;	/* Listening */
132 struct sockaddr_in recv_addr;	/* Packet source */
133 struct sockaddr_in send_addr;	/*  destination */
134 
135 
136 /*
137  * option defaults
138  */
int debug = 0;					/* Debugging flag (level); set by -d, higher values log more */
int actualtimeout = 15 * 60000;			/* Idle timeout in milliseconds (fifteen minutes); main() hands it to poll() */
141 
142 /*
143  * General
144  */
145 
int s;							/* Socket file descriptor: 0 when inherited from inetd, else the socket main() creates */
char *pktbuf;					/* Packet buffer: main() allocates MAX_MSG_SIZE bytes; requests are received into it and replies are sent from it */
int pktlen;					/* Byte count of the datagram most recently read into pktbuf; sendreply() transmits this many bytes */
const char *progname;				/* Basename of argv[0], set at the top of main() */
char *chdir_path;				/* Directory given with -c, or NULL; main() chdir()s there */
char hostname[MAXHOSTNAMELEN + 1];	/* System host name (or the -h override); compared with bp_sname */
struct in_addr my_ip_addr;			/* Address from gethostbyname(hostname); fallback value for bp_siaddr */
153 
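/*
 * Flags set by signal catcher and cleared by the main loop.
 *
 * They are written from an asynchronous signal handler, so they are
 * declared volatile sig_atomic_t: that is the object type the C standard
 * guarantees a handler may store to, and volatile keeps the compiler from
 * caching the value across the poll() call in main().
 */
PRIVATE volatile sig_atomic_t do_readtab = 0;	/* SIGHUP seen: re-read bootptab */
PRIVATE volatile sig_atomic_t do_dumptab = 0;	/* SIGUSR1 seen: dump the table */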
157 
158 /*
159  * Globals below are associated with the bootp database file (bootptab).
160  */
161 
/*
 * bootptab is the database path (CONFIG_FILE unless the first non-option
 * argument overrides it).  bootpd_dump is the path handed to dumptab()
 * when SIGUSR1 is received (DUMPTAB_FILE unless the second non-option
 * argument overrides it).
 *
 * NOTE(review): the default dump path is a fixed name under /tmp, a
 * directory other local users can write to.  dumptab() is not visible
 * here -- confirm it does not follow a pre-existing symlink or overwrite
 * a file it does not own, or point the dump at a root-only directory.
 */
const char *bootptab = CONFIG_FILE;
const char *bootpd_dump = DUMPTAB_FILE;
164 
165 
166 
167 /*
168  * Initialization such as command-line processing is done and then the
169  * main server loop is started.
170  */
171 
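/*
 * Daemon entry point.
 *
 * Order of work: set up logging, allocate the shared packet buffer, detect
 * whether descriptor 0 is an inetd-supplied socket, parse switches, resolve
 * our own host name and address, detach from the terminal when standalone,
 * load bootptab, create and bind the socket when standalone, install the
 * SIGHUP/SIGUSR1 handlers, then loop forever answering packets.
 *
 * argv: [-c dir] [-d level] [-h host] [-i] [-s] [-t minutes]
 *       [configfile [dumpfile]]
 *
 * Never returns; leaves through exit().  Exit status is 0 for the parent
 * after a successful fork and for the inactivity timeout, 1 for any fatal
 * start-up error.
 */
int
main(int argc, char **argv)
{
	/*
	 * Largest -t value (minutes) whose millisecond form still fits in
	 * a 32-bit int; larger values would overflow the multiplication.
	 */
	enum {
		MS_PER_MINUTE = 60000,
		MAX_TIMEOUT_MIN = 0x7fffffff / MS_PER_MINUTE
	};
	int timeout;
	struct bootp *bp;
	struct servent *servp;
	struct hostent *hep;
	char *stmp;
	socklen_t ba_len, ra_len;
	int n;
	int nfound;
	struct pollfd set[1];
	int standalone;
	pid_t pid;

	progname = strrchr(argv[0], '/');
	if (progname)
		progname++;
	else
		progname = argv[0];

	/*
	 * Initialize logging.
	 */
	report_init(0);				/* uses progname */

	/*
	 * Log startup
	 */
	report(LOG_INFO, "version %s.%d", VERSION, PATCHLEVEL);

	/* Debugging for compilers with struct padding. */
	assert(sizeof(struct bootp) == BP_MINPKTSZ);

	/* Get space for receiving packets and composing replies. */
	pktbuf = malloc(MAX_MSG_SIZE);
	if (!pktbuf) {
		report(LOG_ERR, "malloc failed");
		exit(1);
	}
	bp = (struct bootp *) pktbuf;

	/*
	 * Check to see if a socket was passed to us from inetd.
	 *
	 * Use getsockname() to determine if descriptor 0 is indeed a socket
	 * (and thus we are probably a child of inetd) or if it is instead
	 * something else and we are running standalone.
	 */
	s = 0;
	ba_len = sizeof(bind_addr);
	bzero((char *) &bind_addr, ba_len);
	errno = 0;
	standalone = TRUE;
	if (getsockname(s, (struct sockaddr *) &bind_addr, &ba_len) == 0) {
		/*
		 * Descriptor 0 is a socket.  Assume we are a child of inetd.
		 */
		if (bind_addr.sin_family == AF_INET) {
			standalone = FALSE;
			bootps_port = ntohs(bind_addr.sin_port);
		} else {
			/* Some other type of socket? */
			report(LOG_ERR, "getsockname: not an INET socket");
		}
	}

	/*
	 * Set defaults that might be changed by option switches.
	 */
	stmp = NULL;
	timeout = actualtimeout;

	/*
	 * Read switches.
	 */
	for (argc--, argv++; argc > 0; argc--, argv++) {
		if (argv[0][0] != '-')
			break;
		switch (argv[0][1]) {

		case 'c':				/* chdir_path */
			if (argv[0][2]) {
				stmp = &(argv[0][2]);
			} else {
				argc--;
				argv++;
				stmp = argv[0];
			}
			/* Only absolute paths are accepted. */
			if (!stmp || (stmp[0] != '/')) {
				fprintf(stderr,
						"bootpd: invalid chdir specification\n");
				break;
			}
			chdir_path = stmp;
			break;

		case 'd':				/* debug level */
			if (argv[0][2]) {
				stmp = &(argv[0][2]);
			} else if (argv[1] && argv[1][0] == '-') {
				/*
				 * Backwards-compatible behavior:
				 * no parameter, so just increment the debug flag.
				 */
				debug++;
				break;
			} else {
				argc--;
				argv++;
				stmp = argv[0];
			}
			if (!stmp || (sscanf(stmp, "%d", &n) != 1) || (n < 0)) {
				fprintf(stderr,
						"%s: invalid debug level\n", progname);
				break;
			}
			debug = n;
			break;

		case 'h':				/* override hostname */
			if (argv[0][2]) {
				stmp = &(argv[0][2]);
			} else {
				argc--;
				argv++;
				stmp = argv[0];
			}
			if (!stmp) {
				fprintf(stderr,
						"bootpd: missing hostname\n");
				break;
			}
			strlcpy(hostname, stmp, sizeof(hostname));
			break;

		case 'i':				/* inetd mode */
			standalone = FALSE;
			break;

		case 's':				/* standalone mode */
			standalone = TRUE;
			break;

		case 't':				/* timeout */
			if (argv[0][2]) {
				stmp = &(argv[0][2]);
			} else {
				argc--;
				argv++;
				stmp = argv[0];
			}
			/*
			 * Reject values that would overflow when converted
			 * to milliseconds (signed overflow is undefined).
			 */
			if (!stmp || (sscanf(stmp, "%d", &n) != 1) || (n < 0) ||
				(n > MAX_TIMEOUT_MIN)) {
				fprintf(stderr,
						"%s: invalid timeout specification\n", progname);
				break;
			}
			actualtimeout = n * MS_PER_MINUTE;
			/*
			 * If the actual timeout is zero, pass INFTIM
			 * to poll so it blocks indefinitely, otherwise,
			 * use the actual timeout value.
			 */
			timeout = (n > 0) ? actualtimeout : INFTIM;
			break;

		default:
			fprintf(stderr, "%s: unknown switch: -%c\n",
					progname, argv[0][1]);
			usage();
			break;

		} /* switch */
	} /* for args */

	/*
	 * Override default file names if specified on the command line.
	 */
	if (argc > 0)
		bootptab = argv[0];

	if (argc > 1)
		bootpd_dump = argv[1];

	/*
	 * Get my hostname and IP address.
	 */
	if (hostname[0] == '\0') {
		if (gethostname(hostname, sizeof(hostname)) == -1) {
			fprintf(stderr, "bootpd: can't get hostname\n");
			exit(1);
		}
		/* gethostname() need not terminate a truncated name. */
		hostname[sizeof(hostname) - 1] = '\0';
	}
	hep = gethostbyname(hostname);
	if (!hep) {
		fprintf(stderr, "Can not get my IP address\n");
		exit(1);
	}
	bcopy(hep->h_addr, (char *)&my_ip_addr, sizeof(my_ip_addr));

	if (standalone) {
		/*
		 * Go into background and disassociate from controlling terminal.
		 */
		if (debug < 3) {
			/*
			 * A failed fork() used to look like "I am the
			 * parent" and the program exited 0 with no daemon
			 * left running; report it instead.
			 */
			pid = fork();
			if (pid < 0) {
				report(LOG_ERR, "fork: %s", get_errmsg());
				exit(1);
			}
			if (pid > 0)
				exit(0);
#ifdef	NO_SETSID
			setpgrp(0,0);
#ifdef TIOCNOTTY
			n = open("/dev/tty", O_RDWR);
			if (n >= 0) {
				ioctl(n, TIOCNOTTY, (char *) 0);
				(void) close(n);
			}
#endif	/* TIOCNOTTY */
#else	/* SETSID */
			if (setsid() < 0)
				perror("setsid");
#endif	/* SETSID */
		} /* if debug < 3 */

		/*
		 * Nuke any timeout value
		 */
		timeout = INFTIM;

	} /* if standalone (1st) */

	/*
	 * Set the cwd (i.e. to /tftpboot)
	 *
	 * NOTE(review): a failed chdir() is only logged and the daemon
	 * keeps running in whatever directory it was started from, so any
	 * relative path used later resolves there instead -- confirm that
	 * is acceptable for the deployment.
	 */
	if (chdir_path) {
		if (chdir(chdir_path) < 0)
			report(LOG_ERR, "%s: chdir failed", chdir_path);
	}

	/* Get the timezone. */
	tzone_init();

	/* Allocate hash tables. */
	rdtab_init();

	/*
	 * Read the bootptab file.
	 */
	readtab(1);					/* force read */

	if (standalone) {

		/*
		 * Create a socket.
		 */
		if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
			report(LOG_ERR, "socket: %s", get_network_errmsg());
			exit(1);
		}

		/*
		 * Get server's listening port number
		 */
		servp = getservbyname("bootps", "udp");
		if (servp) {
			bootps_port = ntohs((u_short) servp->s_port);
		} else {
			bootps_port = (u_short) IPPORT_BOOTPS;
			report(LOG_ERR,
				   "udp/bootps: unknown service -- assuming port %d",
				   bootps_port);
		}

		/*
		 * Bind socket to BOOTPS port.
		 */
		bind_addr.sin_family = AF_INET;
		bind_addr.sin_addr.s_addr = INADDR_ANY;
		bind_addr.sin_port = htons(bootps_port);
		if (bind(s, (struct sockaddr *) &bind_addr,
				 sizeof(bind_addr)) < 0)
		{
			report(LOG_ERR, "bind: %s", get_network_errmsg());
			exit(1);
		}
	} /* if standalone (2nd)*/

	/*
	 * Get destination port number so we can reply to client
	 */
	servp = getservbyname("bootpc", "udp");
	if (servp) {
		bootpc_port = ntohs(servp->s_port);
	} else {
		report(LOG_ERR,
			   "udp/bootpc: unknown service -- assuming port %d",
			   IPPORT_BOOTPC);
		bootpc_port = (u_short) IPPORT_BOOTPC;
	}

	/*
	 * Set up signals to read or dump the table.
	 * Compare against SIG_ERR rather than casting the returned
	 * function pointer to an integer.
	 */
	if (signal(SIGHUP, catcher) == SIG_ERR) {
		report(LOG_ERR, "signal: %s", get_errmsg());
		exit(1);
	}
	if (signal(SIGUSR1, catcher) == SIG_ERR) {
		report(LOG_ERR, "signal: %s", get_errmsg());
		exit(1);
	}

	/*
	 * Process incoming requests.
	 */
	set[0].fd = s;
	set[0].events = POLLIN;
	for (;;) {
		/*
		 * Call readtab() or dumptab() here to avoid the
		 * dangers of doing I/O from a signal handler.
		 *
		 * The flags are checked on every pass, not only after an
		 * interrupted poll(), so a signal delivered while a packet
		 * was being handled is acted on before the next wait.  A
		 * signal landing between this check and poll() is still
		 * only seen once poll() returns.
		 */
		if (do_readtab) {
			do_readtab = 0;
			readtab(1);		/* force read */
		}
		if (do_dumptab) {
			do_dumptab = 0;
			dumptab(bootpd_dump);
		}

		nfound = poll(set, 1, timeout);
		if (nfound < 0) {
			if (errno != EINTR) {
				report(LOG_ERR, "poll: %s", get_errmsg());
			}
			continue;
		}
		if (nfound == 0) {
			if (debug > 1)
				report(LOG_INFO, "exiting after %d minute%s of inactivity",
					   actualtimeout / MS_PER_MINUTE,
					   actualtimeout == MS_PER_MINUTE ? "" : "s");
			exit(0);
		}
		ra_len = sizeof(recv_addr);
		n = recvfrom(s, pktbuf, MAX_MSG_SIZE, 0,
					 (struct sockaddr *) &recv_addr, &ra_len);
		if (n <= 0) {
			continue;
		}
		if (debug > 1) {
			report(LOG_INFO, "recvd pkt from IP addr %s",
				   inet_ntoa(recv_addr.sin_addr));
		}
		/*
		 * Everything past this point reads fixed-size header fields,
		 * so a datagram shorter than the header is dropped here.
		 */
		if (n < (int)sizeof(struct bootp)) {
			if (debug) {
				report(LOG_INFO, "received short packet");
			}
			continue;
		}
		pktlen = n;

		readtab(0);				/* maybe re-read bootptab */

		/* Any other opcode is silently ignored. */
		switch (bp->bp_op) {
		case BOOTREQUEST:
			handle_request();
			break;
		case BOOTREPLY:
			handle_reply();
			break;
		}
	}
}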
542 
543 
544 
545 
546 /*
547  * Print "usage" message and exit
548  */
549 
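/*
 * Write the command-line summary to stderr and terminate with status 1.
 * The synopsis lists every switch main() parses, including -c and -h,
 * which the previous text left out of the first line (and, for -h, out of
 * the option list altogether).
 */
PRIVATE void
usage(void)
{
	fprintf(stderr,
			"usage:  bootpd [-c dir] [-d level] [-h host] [-i] [-s] [-t timeout] [configfile [dumpfile]]\n");
	fprintf(stderr, "\t -c dir\tset current directory (absolute path)\n");
	fprintf(stderr, "\t -d n\tset debug level\n");
	fprintf(stderr, "\t -h host\toverride the server host name\n");
	fprintf(stderr, "\t -i\tforce inetd mode (run as child of inetd)\n");
	fprintf(stderr, "\t -s\tforce standalone mode (run without inetd)\n");
	fprintf(stderr, "\t -t n\tset inetd exit timeout to n minutes\n");
	exit(1);
}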
562 
563 /* Signal catchers */
/*
 * Signal handler shared by SIGHUP and SIGUSR1.  It only records which
 * signal arrived; the table re-read or dump itself is carried out later
 * by the main loop, outside signal context.
 */
PRIVATE void
catcher(int sig)
{
	switch (sig) {
	case SIGHUP:
		do_readtab = 1;		/* ask for a forced bootptab re-read */
		break;
	case SIGUSR1:
		do_dumptab = 1;		/* ask for a table dump */
		break;
	default:
		break;
	}
#ifdef	SYSV
	/* For older "System V" derivatives with no sigset(). */
	/* XXX - Should just do it the POSIX way (sigaction). */
	signal(sig, catcher);
#endif
}
577 
578 
579 
580 /*
581  * Process BOOTREQUEST packet.
582  *
583  * Note:  This version of the bootpd.c server never forwards
584  * a request to another server.  That is the job of a gateway
585  * program such as the "bootpgw" program included here.
586  *
587  * (Also this version does not interpret the hostname field of
588  * the request packet;  it COULD do a name->address lookup and
589  * forward the request there.)
590  */
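/*
 * Turn the BOOTREQUEST held in pktbuf into a BOOTREPLY and send it.
 *
 * Takes no arguments: it works on the global packet buffer (pktbuf) and
 * uses hostname, debug and the bootptab hash tables.  Returns without
 * replying when the request names another server, uses an unknown hardware
 * type, comes from a client that is not in bootptab, is younger than the
 * host's min_wait threshold, or (with CHECK_FILE_ACCESS) asks for a boot
 * file that cannot be found.
 *
 * Every bp_* field read here was supplied by the client, so the fixed-size
 * string fields are forced to be NUL-terminated before any string function
 * touches them and the hardware type is range-checked before it is used.
 */
PRIVATE void
handle_request(void)
{
	struct bootp *bp = (struct bootp *) pktbuf;
	struct host *hp = NULL;
	struct host dummyhost;
	int32 bootsize = 0;
	unsigned hlen, hashcode;
	int32 dest;
	char lrealpath[1024];
	char *clntpath;
	size_t clntsize;
	char *homedir, *bootfile;
	int loghlen;
	int n;

	/* XXX - SLIP init: Set bp_ciaddr = recv_addr here? */

	/*
	 * If it uses an unknown network type, ignore the request.
	 * This is done first because netname() and haddrlength() are called
	 * with bp_htype below (netname() also in the "wrong server" log
	 * message); presumably both index a table of hwinfocnt entries --
	 * confirm in hwaddr.h.
	 */
	if (bp->bp_htype >= hwinfocnt) {
		if (debug)
			report(LOG_INFO,
			    "Request with unknown network type %u",
			    bp->bp_htype);
		return;
	}

	/*
	 * bp_hlen is a client-supplied length.  Clamp the copy used for
	 * log formatting the same way sendreply() clamps it before calling
	 * haddrtoa().
	 */
	loghlen = bp->bp_hlen;
	if (loghlen > MAXHADDRLEN)
		loghlen = MAXHADDRLEN;

	/*
	 * The server-name field is a fixed-size array that the client need
	 * not terminate; terminate it so strlen()/strcmp()/"%s" below stay
	 * inside the field.
	 */
	bp->bp_sname[sizeof(bp->bp_sname) - 1] = '\0';

	/*
	 * If the servername field is set, compare it against us.
	 * If we're not being addressed, ignore this request.
	 * If the server name field is null, throw in our name.
	 */
	if (strlen(bp->bp_sname)) {
		if (strcmp(bp->bp_sname, hostname)) {
			if (debug)
				report(LOG_INFO,
					   "ignoring request for server %s from client at %s address %s",
					   bp->bp_sname, netname(bp->bp_htype),
					   haddrtoa(bp->bp_chaddr, loghlen));
			/* XXX - Is it correct to ignore such a request? -gwr */
			return;
		}
	} else {
		strlcpy(bp->bp_sname, hostname, sizeof(bp->bp_sname));
	}

	/* Convert the request into a reply. */
	bp->bp_op = BOOTREPLY;
	if (bp->bp_ciaddr.s_addr == 0) {
		/*
		 * client doesnt know his IP address,
		 * search by hardware address.
		 */
		if (debug > 1) {
			report(LOG_INFO, "request from %s address %s",
				   netname(bp->bp_htype),
				   haddrtoa(bp->bp_chaddr, loghlen));
		}
		/*
		 * The length used for the lookup comes from the hardware
		 * type table, not from the packet; a mismatch with bp_hlen
		 * is logged but the request is still processed.
		 */
		hlen = haddrlength(bp->bp_htype);
		if (hlen != bp->bp_hlen) {
			report(LOG_NOTICE, "bad addr len from %s address %s",
				   netname(bp->bp_htype),
				   haddrtoa(bp->bp_chaddr, hlen));
		}
		dummyhost.htype = bp->bp_htype;
		/* NOTE(review): assumes every table hlen fits dummyhost.haddr -- confirm. */
		bcopy(bp->bp_chaddr, dummyhost.haddr, hlen);
		hashcode = hash_HashFunction(bp->bp_chaddr, hlen);
		hp = (struct host *) hash_Lookup(hwhashtable, hashcode, hwlookcmp,
										 &dummyhost);
		if (hp == NULL &&
			bp->bp_htype == HTYPE_IEEE802)
		{
			/* Try again with address in "canonical" form. */
			haddr_conv802(bp->bp_chaddr, dummyhost.haddr, hlen);
			if (debug > 1) {
				report(LOG_INFO,
					   "HW addr type is IEEE 802.  convert to %s and check again\n",
					   haddrtoa(dummyhost.haddr, loghlen));
			}
			hashcode = hash_HashFunction(dummyhost.haddr, hlen);
			hp = (struct host *) hash_Lookup(hwhashtable, hashcode,
											 hwlookcmp, &dummyhost);
		}
		if (hp == NULL) {
			/*
			 * XXX - Add dynamic IP address assignment?
			 */
			if (debug > 1)
				report(LOG_INFO, "unknown client %s address %s",
					   netname(bp->bp_htype),
					   haddrtoa(bp->bp_chaddr, loghlen));
			return; /* not found */
		}
		(bp->bp_yiaddr).s_addr = hp->iaddr.s_addr;

	} else {

		/*
		 * search by IP address.
		 */
		if (debug > 1) {
			report(LOG_INFO, "request from IP addr %s",
				   inet_ntoa(bp->bp_ciaddr));
		}
		dummyhost.iaddr.s_addr = bp->bp_ciaddr.s_addr;
		hashcode = hash_HashFunction((u_char *) &(bp->bp_ciaddr.s_addr), 4);
		hp = (struct host *) hash_Lookup(iphashtable, hashcode, iplookcmp,
										 &dummyhost);
		if (hp == NULL) {
			if (debug > 1) {
				report(LOG_NOTICE, "IP address not found: %s",
					   inet_ntoa(bp->bp_ciaddr));
			}
			return;
		}
	}

	if (debug) {
		report(LOG_INFO, "found %s (%s)", inet_ntoa(hp->iaddr),
			   hp->hostname->string);
	}

	/*
	 * If there is a response delay threshold, ignore requests
	 * with a timestamp lower than the threshold.
	 */
	if (hp->flags.min_wait) {
		u_int32 t = (u_int32) ntohs(bp->bp_secs);
		if (t < hp->min_wait) {
			if (debug > 1)
				report(LOG_INFO,
					   "ignoring request due to timestamp (%d < %d)",
					   t, hp->min_wait);
			return;
		}
	}

#ifdef	YORK_EX_OPTION
	/*
	 * The need for the "ex" tag arose out of the need to empty
	 * shared networked drives on diskless PCs.  This solution is
	 * not very clean but it does work fairly well.
	 * Written by Edmund J. Sutcliffe <edmund@york.ac.uk>
	 *
	 * XXX - This could compromise security if a non-trusted user
	 * managed to write an entry in the bootptab with :ex=trojan:
	 * so I would leave this turned off unless you need it. -gwr
	 *
	 * NOTE(review): the command line is assembled from two bootptab
	 * strings and handed to system(), i.e. to a shell, with the
	 * daemon's privileges.  The strings are not quoted, and anything
	 * beyond sizeof(tst) is cut off, so a shortened command would be
	 * run.  Deliberately left as is; enable only when bootptab is
	 * writable by root alone.
	 */
	/* Run a program, passing the client name as a parameter. */
	if (hp->flags.exec_file) {
		char tst[100];
		/* XXX - Check string lengths? -gwr */
		strlcpy(tst, hp->exec_file->string, sizeof(tst));
		strlcat(tst, " ", sizeof(tst));
		strlcat(tst, hp->hostname->string, sizeof(tst));
		strlcat(tst, " &", sizeof(tst));
		if (debug)
			report(LOG_INFO, "executing %s", tst);
		system(tst);	/* Hope this finishes soon... */
	}
#endif	/* YORK_EX_OPTION */

	/*
	 * If a specific TFTP server address was specified in the bootptab file,
	 * fill it in, otherwise zero it.
	 * XXX - Rather than zero it, should it be the bootpd address? -gwr
	 */
	(bp->bp_siaddr).s_addr = (hp->flags.bootserver) ?
		hp->bootserver.s_addr : 0L;

#ifdef	STANFORD_PROM_COMPAT
	/*
	 * Stanford bootp PROMs (for a Sun?) have no way to leave
	 * the boot file name field blank (because the boot file
	 * name is automatically generated from some index).
	 * As a work-around, this little hack allows those PROMs to
	 * specify "sunboot14" with the same effect as a NULL name.
	 * (The user specifies boot device 14 or some such magic.)
	 */
	if (strcmp(bp->bp_file, "sunboot14") == 0)
		bp->bp_file[0] = '\0';	/* treat it as unspecified */
#endif

	/*
	 * Fill in the client's proper bootfile.
	 *
	 * If the client specifies an absolute path, try that file with a
	 * ".host" suffix and then without.  If the file cannot be found, no
	 * reply is made at all.
	 *
	 * If the client specifies a null or relative file, use the following
	 * table to determine the appropriate action:
	 *
	 *  Homedir      Bootfile    Client's file
	 * specified?   specified?   specification   Action
	 * -------------------------------------------------------------------
	 *      No          No          Null         Send null filename
	 *      No          No          Relative     Discard request
	 *      No          Yes         Null         Send if absolute else null
	 *      No          Yes         Relative     Discard request     *XXX
	 *      Yes         No          Null         Send null filename
	 *      Yes         No          Relative     Lookup with ".host"
	 *      Yes         Yes         Null         Send home/boot or bootfile
	 *      Yes         Yes         Relative     Lookup with ".host" *XXX
	 *
	 */

	/*
	 * XXX - I don't like the policy of ignoring a client when the
	 * boot file is not accessible.  The TFTP server might not be
	 * running on the same machine as the BOOTP server, in which
	 * case checking accessibility of the boot file is pointless.
	 *
	 * Therefore, file accessibility is now demanded ONLY if you
	 * define CHECK_FILE_ACCESS in the Makefile options. -gwr
	 */

	/*
	 * The "real" path is as seen by the BOOTP daemon on this
	 * machine, while the client path is relative to the TFTP
	 * daemon chroot directory (i.e. /tftpboot).
	 *
	 * clntpath always points into lrealpath, just past the tftpdir
	 * prefix (or at its start when there is none).
	 */
	if (hp->flags.tftpdir) {
		strlcpy(lrealpath, hp->tftpdir->string, sizeof(lrealpath));
		clntpath = &lrealpath[strlen(lrealpath)];
	} else {
		lrealpath[0] = '\0';
		clntpath = lrealpath;
	}

	/*
	 * Determine client's requested homedir and bootfile.
	 */
	homedir = NULL;
	bootfile = NULL;
	if (bp->bp_file[0]) {
		homedir = bp->bp_file;

		/*
		 * Make sure that the file is nul terminated.  The test used
		 * to be inverted: it fired when a terminator WAS found and
		 * did nothing when the field was full, letting strrchr()
		 * below run on past the field.  Terminate before logging so
		 * "%s" is bounded as well.
		 */
		if (memchr(homedir, '\0', BP_FILE_LEN) == NULL) {
			homedir[BP_FILE_LEN - 1] = '\0';
			report(LOG_INFO, "requested path length > BP_FILE_LEN  file = \"%s\", nul terminating", homedir);
		}

		/* Split "dir/file" in place at the last slash. */
		bootfile = strrchr(homedir, '/');
		if (bootfile) {
			if (homedir == bootfile)
				homedir = NULL;
			*bootfile++ = '\0';
		} else {
			/* no "/" in the string */
			bootfile = homedir;
			homedir = NULL;
		}
		if (debug > 2) {
			report(LOG_INFO, "requested path=\"%s\"  file=\"%s\"",
				   (homedir) ? homedir : "",
				   (bootfile) ? bootfile : "");
		}
	}

	/*
	 * Specifications in bootptab override client requested values.
	 */
	if (hp->flags.homedir)
		homedir = hp->homedir->string;
	if (hp->flags.bootfile)
		bootfile = hp->bootfile->string;

	/*
	 * Construct bootfile path.
	 *
	 * NOTE(review): when bootptab does not override them, homedir and
	 * bootfile are the client's own strings and are appended without
	 * normalisation, so ".." components reach stat() in chk_access().
	 * With CHECK_FILE_ACCESS the presence or absence of a reply then
	 * reflects whether that path exists -- consider rejecting ".."
	 * components if the tftpdir is meant to be a boundary.
	 */
	if (homedir) {
		if (homedir[0] != '/')
			strlcat(lrealpath, "/", sizeof(lrealpath));
		strlcat(lrealpath, homedir, sizeof(lrealpath));
		homedir = NULL;
	}
	if (bootfile) {
		if (bootfile[0] != '/')
			strlcat(lrealpath, "/", sizeof(lrealpath));
		/* strlcat() always terminates; no manual NUL is needed. */
		strlcat(lrealpath, bootfile, sizeof(lrealpath));
		bootfile = NULL;
	}

	/*
	 * First try to find the file with a ".host" suffix
	 *
	 * clntpath is a pointer, so sizeof(clntpath) is the size of a
	 * pointer, not of the buffer; with that bound strlcat() appended
	 * nothing once the client path reached pointer size and the
	 * ".host" variant was never tried.  Use the space that is really
	 * left in lrealpath from clntpath onwards.
	 */
	clntsize = sizeof(lrealpath) - (size_t) (clntpath - lrealpath);
	n = strlen(clntpath);
	strlcat(clntpath, ".", clntsize);
	strlcat(clntpath, hp->hostname->string, clntsize);
	if (chk_access(lrealpath, &bootsize) < 0) {
		clntpath[n] = 0;			/* Try it without the suffix */
		if (chk_access(lrealpath, &bootsize) < 0) {
			/* neither "file.host" nor "file" was found */
#ifdef	CHECK_FILE_ACCESS

			if (bp->bp_file[0]) {
				/*
				 * Client wanted specific file
				 * and we didn't have it.
				 */
				report(LOG_NOTICE,
					   "requested file not found: \"%s\"", clntpath);
				return;
			}
			/*
			 * Client didn't ask for a specific file and we couldn't
			 * access the default file, so just zero-out the bootfile
			 * field in the packet and continue processing the reply.
			 */
			bzero(bp->bp_file, sizeof(bp->bp_file));
			goto null_file_name;

#else	/* CHECK_FILE_ACCESS */

			/* Complain only if boot file size was needed. */
			if (hp->flags.bootsize_auto) {
				report(LOG_ERR, "can not determine size of file \"%s\"",
					   clntpath);
			}

#endif	/* CHECK_FILE_ACCESS */
		}
	}
	strlcpy(bp->bp_file, clntpath, sizeof(bp->bp_file));
	if (debug > 2)
		report(LOG_INFO, "bootfile=\"%s\"", clntpath);

#ifdef	CHECK_FILE_ACCESS
null_file_name:
#endif	/* CHECK_FILE_ACCESS */


	/*
	 * Handle vendor options based on magic number.
	 */

	if (debug > 1) {
		report(LOG_INFO, "vendor magic field is %d.%d.%d.%d",
			   (int) ((bp->bp_vend)[0]),
			   (int) ((bp->bp_vend)[1]),
			   (int) ((bp->bp_vend)[2]),
			   (int) ((bp->bp_vend)[3]));
	}
	/*
	 * If this host isn't set for automatic vendor info then copy the
	 * specific cookie into the bootp packet, thus forcing a certain
	 * reply format.  Only force reply format if user specified it.
	 */
	if (hp->flags.vm_cookie) {
		/* Slam in the user specified magic number. */
		bcopy(hp->vm_cookie, bp->bp_vend, 4);
	}
	/*
	 * Figure out the format for the vendor-specific info.
	 * Note that bp->bp_vend may have been set above.
	 */
	if (!bcmp(bp->bp_vend, vm_rfc1048, 4)) {
		/* RFC1048 conformant bootp client */
		dovend_rfc1048(bp, hp, bootsize);
		if (debug > 1) {
			report(LOG_INFO, "sending reply (with RFC1048 options)");
		}
	}
#ifdef VEND_CMU
	else if (!bcmp(bp->bp_vend, vm_cmu, 4)) {
		dovend_cmu(bp, hp);
		if (debug > 1) {
			report(LOG_INFO, "sending reply (with CMU options)");
		}
	}
#endif
	else {
		if (debug > 1) {
			report(LOG_INFO, "sending reply (with no options)");
		}
	}

	/* A bootptab reply address, when set, overrides the RFC951 choice. */
	dest = (hp->flags.reply_addr) ?
		hp->reply_addr.s_addr : 0L;

	/* not forwarded */
	sendreply(0, dest);
}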
982 
983 
984 /*
985  * Process BOOTREPLY packet.
986  */
/*
 * Handle a BOOTREPLY that arrived on our socket: log it when debugging is
 * on and pass the packet in pktbuf on through sendreply().
 *
 * NOTE(review): nothing here checks who sent the reply; every field that
 * sendreply() acts on comes straight from the received datagram.  Confirm
 * the server port is reachable only by trusted hosts.
 */
PRIVATE void
handle_reply(void)
{
	if (debug != 0)
		report(LOG_INFO, "processing boot reply");

	/* forward = 1 (we did not originate it), no destination override */
	sendreply(1, 0);
}
996 
997 
998 /*
999  * Send a reply packet to the client.  'forward' flag is set if we are
1000  * not the originator of this reply packet.
1001  */
/*
 * Transmit the packet held in pktbuf (pktlen bytes) on socket s.
 *
 * forward      - non-zero when the packet was received as a BOOTREPLY and
 *                is only being passed on; zero when this server built it.
 * dst_override - destination IPv4 address to use instead of the RFC951
 *                choice, or 0 for none.
 *
 * A sendto() failure is logged and otherwise ignored.
 */
PRIVATE void
sendreply(int forward, int32 dst_override)
{
	struct bootp *reply = (struct bootp *) pktbuf;
	struct in_addr target;
	u_short dport = bootpc_port;
	unsigned char *hwaddr;
	int hwlen;

	/*
	 * XXX - Should honor bp_flags "broadcast" bit here.
	 * Temporary workaround: use the :ra=ADDR: option to
	 * set the reply address to the broadcast address.
	 */

	/*
	 * Destination selection, first match wins:
	 *   1. explicit override (i.e. the broadcast address for HP
	 *      compatibility);
	 *   2. the client IP address from the packet (RFC951);
	 *   3. the gateway address, on the server port, but only for
	 *      replies this server originated;
	 *   4. the address being handed out, after installing a temporary
	 *      ARP entry for the client's NEW IP/hardware address.
	 */
	if (dst_override != 0) {
		target.s_addr = dst_override;
		if (debug > 1) {
			report(LOG_INFO, "reply address override: %s",
				   inet_ntoa(target));
		}
	} else if (reply->bp_ciaddr.s_addr != 0) {
		target = reply->bp_ciaddr;
	} else if (reply->bp_giaddr.s_addr != 0 && forward == 0) {
		target = reply->bp_giaddr;
		dport = bootps_port;
		if (debug > 1) {
			report(LOG_INFO, "sending reply to gateway %s",
				   inet_ntoa(target));
		}
	} else {
		/*
		 * NOTE(review): bp_chaddr and bp_hlen are packet fields, and
		 * when forward is set bp_yiaddr is too, so the ARP entry
		 * installed here is built from unauthenticated input.
		 * Confirm the port is filtered to trusted senders.
		 */
		target = reply->bp_yiaddr;
		hwaddr = reply->bp_chaddr;
		/* bp_hlen is untrusted: never pass on more than MAXHADDRLEN. */
		hwlen = (reply->bp_hlen > MAXHADDRLEN) ?
			MAXHADDRLEN : reply->bp_hlen;

		if (debug > 1)
			report(LOG_INFO, "setarp %s - %s",
				   inet_ntoa(target), haddrtoa(hwaddr, hwlen));
		setarp(s, &target, hwaddr, hwlen);
	}

	/*
	 * If we are originating this reply and no server address has been
	 * filled in yet, put our own interface address in bp_siaddr.  On a
	 * multi-homed server getif() is asked for the 'best' interface
	 * (the one on the same net as the client); of course, the client
	 * may be on the other side of a BOOTP gateway, in which case our
	 * "official" address is used instead.
	 */
	if (forward == 0 && reply->bp_siaddr.s_addr == 0) {
		struct ifreq *ifp = getif(s, &target);

		/* XXX - No need to set bp_giaddr here. */

		if (ifp != NULL)
			reply->bp_siaddr =
				((struct sockaddr_in *) &(ifp->ifr_addr))->sin_addr;
		else
			reply->bp_siaddr = my_ip_addr;
	}

	/* Fill in the global destination socket address. */
	send_addr.sin_family = AF_INET;
	send_addr.sin_port = htons(dport);
	send_addr.sin_addr = target;

	/* Send reply with same size packet as request used. */
	if (sendto(s, pktbuf, pktlen, 0,
			   (struct sockaddr *) &send_addr,
			   sizeof(send_addr)) < 0)
	{
		report(LOG_ERR, "sendto: %s", get_network_errmsg());
	}
} /* sendreply */
1097 
1098 
1099 /* nmatch() - now in getif.c */
1100 /* setarp() - now in hwaddr.c */
1101 
1102 
/*
 * Check that the file "path" carries the permission tftpd(8) needs in
 * order to let clients read it.
 *
 * Returns 0 when stat(2) succeeds on "path" and the read permission bit
 * for "other" users is set; the file size in bytes is then stored through
 * "filesize".  Returns -1 when stat(2) fails or the bit is clear, and
 * "filesize" is left untouched.
 *
 * Points a reviewer should keep in mind:
 *  - Only the mode bits are examined.  The file type is not checked, and
 *    stat(2) follows symbolic links, so the answer describes the link
 *    target rather than the link itself.
 *  - The answer is valid for the moment of the call only; the file can
 *    change before a client fetches it.
 *  - st_size is narrowed to int32, so a size that does not fit in that
 *    type is not reported faithfully.
 */

PRIVATE int
chk_access(char *path, int32 *filesize)
{
	struct stat sb;

	/* Missing file, or a path component this process may not search. */
	if (stat(path, &sb) != 0)
		return -1;

	/*
	 * S_IREAD is the owner-read bit; shifted right by six it selects
	 * the "other"-read bit.
	 */
	if ((sb.st_mode & (S_IREAD >> 6)) == 0)
		return -1;

	*filesize = (int32) sb.st_size;
	return 0;
}
1125 
1126 
1127 /*
1128  * Now in dumptab.c :
1129  *	dumptab()
1130  *	dump_host()
1131  *	list_ipaddresses()
1132  */
1133 
1134 #ifdef VEND_CMU
1135 
/*
 * Build the CMU "vendor" area of the reply "bp" from the host entry "hp".
 *
 * The whole bp_vend field is cleared first, so every field that is not
 * written below reaches the client as zero.  The fields filled in are the
 * magic string, subnet mask, default gateway, and up to two addresses each
 * for the domain name servers, IEN name servers and time servers.
 *
 * The gateway is written only when a subnet mask is configured as well.
 * NOTE(review): unlike the three server lists, the gateway list is read
 * without looking at its addrcount -- presumably the configuration reader
 * never produces an empty list; verify there.
 */

PRIVATE void
dovend_cmu(struct bootp *bp, struct host *hp)
{
	struct cmu_vend *cv = (struct cmu_vend *) bp->bp_vend;
	struct in_addr_list *list;

	/* Start from an all-zero vendor area. */
	bzero(bp->bp_vend, sizeof(bp->bp_vend));

	/* strlcpy() bounds the copy by the size of the destination field. */
	strlcpy(cv->v_magic, (char *)vm_cmu, sizeof(cv->v_magic));

	if (hp->flags.subnet_mask) {
		cv->v_smask.s_addr = hp->subnet_mask.s_addr;
		cv->v_flags |= VF_SMASK;
		if (hp->flags.gateway)
			cv->v_dgate.s_addr = hp->gateway->addr[0].s_addr;
	}

	/* Each list contributes its first entry and, if present, its second. */
	if (hp->flags.domain_server) {
		list = hp->domain_server;
		if (list->addrcount > 0)
			cv->v_dns1.s_addr = list->addr[0].s_addr;
		if (list->addrcount > 1)
			cv->v_dns2.s_addr = list->addr[1].s_addr;
	}

	if (hp->flags.name_server) {
		list = hp->name_server;
		if (list->addrcount > 0)
			cv->v_ins1.s_addr = list->addr[0].s_addr;
		if (list->addrcount > 1)
			cv->v_ins2.s_addr = list->addr[1].s_addr;
	}

	if (hp->flags.time_server) {
		list = hp->time_server;
		if (list->addrcount > 0)
			cv->v_ts1.s_addr = list->addr[0].s_addr;
		if (list->addrcount > 1)
			cv->v_ts2.s_addr = list->addr[1].s_addr;
	}

	/* The caller writes the log message. */
}	/* dovend_cmu */
1194 
1195 #endif /* VEND_CMU */
1196 
1197 
1198 
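/*
 * Insert the RFC1048 vendor data for the host pointed to by "hp" into the
 * bootp packet pointed to by "bp".
 *
 * "bootsize" is a boot file size in bytes; it is used only when the host
 * entry asks for an automatically computed boot size, and is then rounded
 * up to 512-byte blocks.
 *
 * Side effect: the file-scope variable pktlen is rewritten here.  It
 * becomes the reply length, taken (in this order of preference) from the
 * host entry's msg_size, from a Maximum DHCP Message Size option found in
 * the request, or from the length of the request itself, and it is raised
 * to sizeof(*bp) when smaller.  The number of option bytes that may be
 * written ("bytesleft") is derived from it.
 *
 * The options area of the request is parsed before it is overwritten, and
 * its content comes from the client.  The scan below therefore never reads
 * outside the first BP_VEND_LEN bytes of bp_vend.
 *
 * NOTE(review): nothing in this function limits pktlen from above.  Both
 * hp->msg_size and the client-supplied option value feed bytesleft, which
 * bounds every write below, including the final bzero(), and sendreply()
 * later passes pktlen to sendto().  Confirm that pktlen is clamped to the
 * capacity of the buffer "bp" points into before it is trusted.
 *
 * NEED() logs a "no room" notice and returns from the function when fewer
 * than LEN option bytes remain; the options written so far are then left
 * without a TAG_END.
 */
#define	NEED(LEN, MSG) do \
	if (bytesleft < (LEN)) { \
		report(LOG_NOTICE, noroom, \
			   hp->hostname->string, MSG); \
		return; \
	} while (0)
PRIVATE void
dovend_rfc1048(struct bootp *bp, struct host *hp, int32 bootsize)
{
	int bytesleft, len;
	byte *vp;

	static const char noroom[] = "%s: No room for \"%s\" option";

	vp = bp->bp_vend;

	if (hp->flags.msg_size) {
		/* Configured reply size wins over anything the client sent. */
		pktlen = hp->msg_size;
	} else {
		/*
		 * If the request was longer than the official length, build
		 * a response of that same length where the additional length
		 * is assumed to be part of the bp_vend (options) area.
		 */
		if (pktlen > (int)sizeof(*bp)) {
			if (debug > 1)
				report(LOG_INFO, "request message length=%d", pktlen);
		}
		/*
		 * Check whether the request contains the option:
		 * Maximum DHCP Message Size (RFC1533 sec. 9.8)
		 * and if so, override the response length with its value.
		 * This request must lie within the first BP_VEND_LEN
		 * bytes of the option space.
		 */
		{
			byte *p, *ep;
			byte tag, llen;
			short msgsz = 0;

			p = vp + 4;					/* skip the magic cookie */
			ep = p + BP_VEND_LEN - 4;	/* one past the scan window */
			while (p < ep) {
				tag = *p++;
				/* Check for tags with no data first. */
				if (tag == TAG_PAD)
					continue;
				if (tag == TAG_END)
					break;
				/*
				 * The option bytes come from the client.  A tag in the
				 * last byte of the window has no length byte to read.
				 */
				if (p >= ep)
					break;
				/* Now scan the length byte. */
				llen = *p++;
				/*
				 * Stop when the claimed data length runs past the
				 * window, so neither the copy below nor the pointer
				 * advance leaves it.
				 */
				if (llen > ep - p)
					break;
				switch (tag) {
				case TAG_MAX_MSGSZ:
					if (llen == 2) {
						bcopy(p, (char*)&msgsz, 2);
						/*
						 * msgsz is a short: values of 0x8000 and above
						 * do not fit and are expected to come out
						 * negative, failing the size test below.
						 */
						msgsz = ntohs(msgsz);
					}
					break;
				case TAG_SUBNET_MASK:
					/* XXX - Should preserve this if given... */
					break;
				} /* switch */
				p += llen;
			}

			/* Values no larger than a plain BOOTP packet are ignored. */
			if (msgsz > (int)sizeof(*bp)) {
				if (debug > 1)
					report(LOG_INFO, "request has DHCP msglen=%d", msgsz);
				/* NOTE(review): client-chosen length, no upper bound here. */
				pktlen = msgsz;
			}
		}
	}

	if (pktlen < (int)sizeof(*bp)) {
		report(LOG_ERR, "invalid response length=%d", pktlen);
		pktlen = sizeof(*bp);
	}
	/* Option bytes available between the start of bp_vend and the reply end. */
	bytesleft = ((byte*)bp + pktlen) - vp;
	if (pktlen > (int)sizeof(*bp)) {
		if (debug > 1)
			report(LOG_INFO, "extended reply, length=%d, options=%d",
				   pktlen, bytesleft);
	}

	/* Copy in the magic cookie */
	bcopy(vm_rfc1048, vp, 4);
	vp += 4;
	bytesleft -= 4;

	if (hp->flags.subnet_mask) {
		/* always enough room here. */
		*vp++ = TAG_SUBNET_MASK;/* -1 byte  */
		*vp++ = 4;				/* -1 byte  */
		insert_u_long(hp->subnet_mask.s_addr, &vp);	/* -4 bytes */
		bytesleft -= 6;			/* Fix real count */
		if (hp->flags.gateway) {
			(void) insert_ip(TAG_GATEWAY,
							 hp->gateway,
							 &vp, &bytesleft);
		}
	}
	if (hp->flags.bootsize) {
		/*
		 * insert_ip() above is handed &bytesleft and may have used up
		 * most of the area (presumably for a long gateway list), so
		 * check for the four bytes written here instead of assuming
		 * they are available.
		 */
		NEED(4, "bs");
		bootsize = (hp->flags.bootsize_auto) ?
			((bootsize + 511) / 512) : ((int32_t)hp->bootsize);	/* Round up */
		/* Only the low 16 bits of the block count go on the wire. */
		*vp++ = TAG_BOOT_SIZE;
		*vp++ = 2;
		*vp++ = (byte) ((bootsize >> 8) & 0xFF);
		*vp++ = (byte) (bootsize & 0xFF);
		bytesleft -= 4;			/* Tag, length, and 16 bit blocksize */
	}
	/*
	 * This one is special: Remaining options go in the ext file.
	 * Only the subnet_mask, bootsize, and gateway should precede.
	 */
	if (hp->flags.exten_file) {
		/*
		 * Check for room for exten_file.  Add 3 to account for
		 * TAG_EXTEN_FILE, length, and TAG_END.
		 */
		len = strlen(hp->exten_file->string);
		NEED((len + 3), "ef");
		*vp++ = TAG_EXTEN_FILE;
		/*
		 * NOTE(review): the length byte keeps only the low 8 bits of
		 * len while all len bytes are copied; a name longer than 255
		 * bytes would yield a malformed option.  Presumably the
		 * configuration reader limits the string length -- confirm.
		 */
		*vp++ = (byte) (len & 0xFF);
		bcopy(hp->exten_file->string, vp, len);
		vp += len;
		*vp++ = TAG_END;
		bytesleft -= len + 3;
		return;					/* no more options here. */
	}
	/*
	 * The remaining options are inserted by the following
	 * function (which is shared with bootpef.c).
	 * Keep back one byte for the TAG_END.
	 */
	len = dovend_rfc1497(hp, vp, bytesleft - 1);
	vp += len;
	bytesleft -= len;

	/* There should be at least one byte left. */
	NEED(1, "(end)");
	*vp++ = TAG_END;
	bytesleft--;

	/* Log message done by caller. */
	if (bytesleft > 0) {
		/*
		 * Zero out any remaining part of the vendor area, so that
		 * no bytes of the request's options are echoed back.
		 */
		bzero(vp, bytesleft);
	}
} /* dovend_rfc1048 */
#undef	NEED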
1356 
1357 
1358 /*
1359  * Now in readfile.c:
1360  * 	hwlookcmp()
1361  *	iplookcmp()
1362  */
1363 
1364 /* haddrtoa() - now in hwaddr.c */
1365 /*
1366  * Now in dovend.c:
1367  * insert_ip()
1368  * insert_generic()
1369  * insert_u_long()
1370  */
1371 
1372 /* get_errmsg() - now in report.c */
1373 
1374 /*
1375  * Local Variables:
1376  * tab-width: 4
1377  * c-indent-level: 4
1378  * c-argdecl-indent: 4
1379  * c-continued-statement-offset: 4
1380  * c-continued-brace-offset: -4
1381  * c-label-offset: -4
1382  * c-brace-offset: 0
1383  * End:
1384  */
1385