Bug#848995: atftpd: Large files cause transfer failures

[Benoit Panizzon]

Package: atftpd
Version: 0.7.git20120829-3.3+deb11u2
Followup-For: Bug #848995

Dear Maintainer,

Confirming the previous report.

I believe atftpd does not correctly handle sequence number roll-over.

I got a Mitel 6867i phone unable to completely download it's ~50MB firmware 
update file, the server outputting timeouts when the client probably rolls over 
with
the sequence numbers.

Smaller files work fine.

PS: There is a mention of the issue, 12 years old, on the atftpd github.

-Benoit-

-- System Information:
Debian Release: 11.5
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-19-amd64 (SMP w/4 CPU threads)
Locale: LANG=de_CH.UTF-8, LC_CTYPE=de_CH.UTF-8 (charmap=UTF-8), 
LANGUAGE=de_CH:de
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages atftpd depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  libc6  2.31-13+deb11u5
ii  libpcre3   2:8.39-13
ii  libwrap0   7.6.q-31
ii  lsb-base   11.1.0
ii  tcpd   7.6.q-31
ii  update-inetd   4.51

Versions of packages atftpd recommends:
ii  openbsd-inetd [inet-superserver]  0.20160825-5

Versions of packages atftpd suggests:
ii  logrotate  3.18.0-2+deb11u1

-- debconf information:
  atftpd/basedir: /srv/tftp
  atftpd/timeout: true
  atftpd/multicast: true
  atftpd/use_inetd: true
  atftpd/maxthread: 100
  atftpd/logtofile: false
  atftpd/retry-timeout: 5
  atftpd/blksize: true
  atftpd/mcast_port: 1758
  atftpd/ttl: 1
  atftpd/tsize: true
  atftpd/port: 69
  atftpd/mcast_addr: 239.239.239.0-255
  atftpd/tftpd-timeout: 300
  atftpd/verbosity: 5 (LOG_NOTICE)
  atftpd/logfile: /var/log/atftpd.log

Bug#848995: atftpd: Large files cause transfer failures

[Eric P]

Package: atftpd
Version: 0.7.git20120829-1
Severity: normal
Tags: lfs

Dear Maintainer,

Attempting to transfer a binary file with a length of 47462048 bytes causes
atftpd to send an ICMP port unreachable to the client. 

The server is run out of inetd:

tftp-server$ head -1 /etc/default/atftpd
USE_INETD=true
tftp-server$ grep tftp /etc/inetd.conf
tftpdgram   udp4waitnobody /usr/sbin/tcpd 
/usr/sbin/in.tftpd --tftpd-timeout 300 --retry-timeout 5 --maxthread 100 
--verbose=5 /tftpboot

We have attempted to transfer a binary file from a Cisco router to atftpd
via a directly-connected network segment. A tcpdump on the segment monitoring 
the transfer shows a port unreachable sent from the server (192.168.253.21):

15:19:59.411461 IP 192.168.253.21.44863 > 192.168.253.3.53337: UDP, length 4
15:19:59.412806 IP 192.168.253.3.53337 > 192.168.253.21.44863: UDP, length 516
15:19:59.412899 IP 192.168.253.21.44863 > 192.168.253.3.53337: UDP, length 4
15:19:59.414381 IP 192.168.253.3.53337 > 192.168.253.21.44863: UDP, length 516
15:19:59.414624 IP 192.168.253.21.44863 > 192.168.253.3.53337: UDP, length 37
15:19:59.417361 IP 192.168.253.3.53337 > 192.168.253.21.44863: UDP, length 4
15:19:59.417448 IP 192.168.253.21 > 192.168.253.3: ICMP 192.168.253.21 udp port 
44863 unreachable, length 40
15:20:02.414195 IP 192.168.253.3.53337 > 192.168.253.21.44863: UDP, length 4
15:20:02.414269 IP 192.168.253.21 > 192.168.253.3: ICMP 192.168.253.21 udp port 
44863 unreachable, length 40
15:20:06.413873 IP 192.168.253.3.53337 > 192.168.253.21.44863: UDP, length 4
15:20:06.413949 IP 192.168.253.21 > 192.168.253.3: ICMP 192.168.253.21 udp port 
44863 unreachable, length 40
15:20:11.413464 IP 192.168.253.3.53337 > 192.168.253.21.44863: UDP, length 4
15:20:11.413537 IP 192.168.253.21 > 192.168.253.3: ICMP 192.168.253.21 udp port 
44863 unreachable, length 40
15:20:17.412970 IP 192.168.253.3.53337 > 192.168.253.21.44863: UDP, length 4
15:20:17.413037 IP 192.168.253.21 > 192.168.253.3: ICMP 192.168.253.21 udp port 
44863 unreachable, length 40

The following log entries were written to /var/log/daemon.log

Dec 21 15:18:00 tftp-server in.tftpd[16688]: connect from 192.168.253.3 
(192.168.253.3)
Dec 21 15:18:00 tftp-server atftpd[16688]: Advanced Trivial FTP server started 
(0.7)
Dec 21 15:18:00 tftp-server atftpd[16688]: Fetching from 192.168.253.3 to 
c1841-adventerprisek9-mz.151-4.M9.bin
Dec 21 15:19:59 tftp-server atftpd[16688]: tftpd_file.c: 361: error writing to 
file /tftpboot/c1841-adventerprisek9-mz.151-4.M9.bin
Dec 21 15:23:00 tftp-server atftpd[16688]: atftpd terminating after 300 seconds
Dec 21 15:23:00 tftp-server atftpd[16688]: Main thread exiting

The end result was 33553920 bytes were transfered before the transfer failed:

tftp-server$ ls -l /tftpboot/c1841-adventerprisek9-mz.151-4.M9.bin 
-rw-r--r-- 1 nobody nogroup 33553920 Dec 21 15:19 
/tftpboot/c1841-adventerprisek9-mz.151-4.M9.bin

-- System Information:
Distributor ID: Raspbian
Description:Raspbian GNU/Linux 8.0 (jessie)
Release:8.0
Codename:   jessie
Architecture: armv7l

Kernel: Linux 4.4.34-v7+ (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages atftpd depends on:
ii  debconf [debconf-2.0]  1.5.56
ii  libc6  2.19-18+deb8u6
ii  libpcre3   2:8.35-3.3+deb8u4
ii  libwrap0   7.6.q-25
ii  lsb-base   4.1+Debian13+rpi1+nmu1
ii  update-inetd   4.43

Versions of packages atftpd recommends:
ii  openbsd-inetd [inet-superserver]  0.20140418-2

Versions of packages atftpd suggests:
ii  logrotate  3.8.7-1

-- debconf information:
  atftpd/tsize: true
  atftpd/tftpd-timeout: 300
  atftpd/timeout: true
  atftpd/basedir: /tftpboot
  atftpd/port: 69
  atftpd/blksize: true
  atftpd/maxthread: 100
  atftpd/verbosity: 5 (LOG_NOTICE)
  atftpd/logtofile: false
  atftpd/retry-timeout: 5
  atftpd/ttl: 1
  atftpd/logfile: /var/log/atftpd.log
  atftpd/mcast_addr: 239.239.239.0-255
  atftpd/multicast: true
  atftpd/use_inetd: true
  atftpd/mcast_port: 1758