atftpd segfaults on non-existent file

Bug #1989816 reported by Florian Fainelli
This bug affects 5 people
Affects: atftp (Ubuntu)
Status: Fix Released
Importance: Undecided
Assigned to: Unassigned

Bug Description

After upgrading my system to Ubuntu 22.04, atftpd started to segfault when a non-existent file is being loaded.

The steps to reproduce are very simple:

apt-get install atftpd
/etc/init.d/atftpd start
tftp localhost
get x

and observe the segmentation fault.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in atftp (Ubuntu):
status: New → Confirmed
Grzegorz Gutowski (grzegorz-gutowski) wrote :

My comment in upstream:
https://sourceforge.net/p/atftp/support-requests/13/#e6ce

It seems that line 171 in tftp_io.c:

Strncpy(tftphdr->th_msg, tftp_errmsg[err_code], buffer_size - 4);

is incompatible with the current definition of tftphdr in libc6 and the range checking in strncpy.

Replacing it with semantically similar:

Strncpy(buffer + 4, tftp_errmsg[err_code], buffer_size - 4);

resolves the issue for me.
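The comment above swaps a write through the zero-length th_msg member for a write at `buffer + 4`, i.e. straight past the fixed part of a TFTP ERROR packet. The following is an added example, not code from atftp or from this thread: it builds and parses an ERROR packet using the `buffer + 4` form, and adds the two checks a practitioner would want around that line, a guard against `buffer_size - 4` wrapping when buffer_size is below 4, and a bounded search for the message terminator when parsing. The packet layout (opcode 5, two-byte error code, NUL-terminated message) is from RFC 1350; the error-string table and the sample packets are constructed here and do not reproduce atftp's tftp_errmsg[].

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TFTP ERROR packet (RFC 1350): 2-byte opcode (5), 2-byte error code,
 * then a NUL-terminated message. The 4-byte fixed part is why the
 * replacement line in the thread writes at `buffer + 4`. */
#define TFTP_OP_ERROR   5
#define TFTP_ERR_HDRLEN 4

/* Constructed for this example: two RFC 1350 error strings standing in
 * for atftp's tftp_errmsg[] table (assumption, not the project's table). */
enum { TFTP_EUNDEF = 0, TFTP_ENOTFOUND = 1 };
static const char *const errmsg_local[] = { "Undefined error", "File not found" };

/* Build an ERROR packet in a caller-supplied buffer. Returns the packet
 * length, or 0 if it does not fit. The first test also covers buffer_size
 * below 4, where an unchecked `buffer_size - 4` would wrap as size_t. */
size_t build_tftp_error(uint8_t *buffer, size_t buffer_size,
                        uint16_t err_code, const char *msg)
{
    size_t msg_len = strlen(msg);

    if (buffer_size < TFTP_ERR_HDRLEN ||
        buffer_size - TFTP_ERR_HDRLEN < msg_len + 1)
        return 0;

    buffer[0] = 0;
    buffer[1] = TFTP_OP_ERROR;
    buffer[2] = (uint8_t)(err_code >> 8);
    buffer[3] = (uint8_t)(err_code & 0xff);
    /* Plain pointer arithmetic on the real buffer, the form the thread
     * substitutes for the zero-length struct member. */
    memcpy(buffer + TFTP_ERR_HDRLEN, msg, msg_len + 1);
    return TFTP_ERR_HDRLEN + msg_len + 1;
}

/* Parse an ERROR packet from the wire. Returns 1 on success, 0 on any
 * malformed input, including a message with no terminator inside len. */
int parse_tftp_error(const uint8_t *pkt, size_t len,
                     uint16_t *err_code, const char **msg)
{
    if (len < TFTP_ERR_HDRLEN + 1)
        return 0;
    if (pkt[0] != 0 || pkt[1] != TFTP_OP_ERROR)
        return 0;
    /* Never trust the peer to terminate the string: bound the search by len. */
    if (memchr(pkt + TFTP_ERR_HDRLEN, '\0', len - TFTP_ERR_HDRLEN) == NULL)
        return 0;
    *err_code = (uint16_t)(((unsigned)pkt[2] << 8) | pkt[3]);
    *msg = (const char *)(pkt + TFTP_ERR_HDRLEN);
    return 1;
}

/* Demo helpers: build "File not found" into a 512-byte buffer (the length
 * a TFTP data block usually has) and feed a constructed unterminated packet
 * to the parser. */
static uint8_t demo_buf[512];

size_t demo_not_found(void)
{
    return build_tftp_error(demo_buf, sizeof demo_buf, TFTP_ENOTFOUND,
                            errmsg_local[TFTP_ENOTFOUND]);
}

int demo_parse_not_found(uint16_t *code, const char **text)
{
    return parse_tftp_error(demo_buf, demo_not_found(), code, text);
}

int demo_rejects_unterminated(void)
{
    /* Constructed packet: valid header, message "AB" with no NUL. */
    const uint8_t bad[6] = { 0, TFTP_OP_ERROR, 0, 1, 'A', 'B' };
    uint16_t code;
    const char *text;
    return parse_tftp_error(bad, sizeof bad, &code, &text);
}

int main(void)
{
    size_t n = demo_not_found();
    uint16_t code;
    const char *text;

    for (size_t i = 0; i < n; i++)
        printf("%02x%s", demo_buf[i], i + 1 < n ? " " : "\n");
    if (demo_parse_not_found(&code, &text))
        printf("error %u: %s\n", code, text);
    return 0;
}
```

Note that the Strncpy form in the thread pads the whole remaining buffer with zeros and does not guarantee a terminator when the message is as long as `buffer_size - 4`; memcpy of `msg_len + 1` bytes after the explicit size check avoids both.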

Florian Fainelli (f-fainelli) wrote :

Seems like the use of a variable length field with a size of 0 can be treacherous, does it work if you use a proper C89 variable length field instead:

char tu_stuff[];

Grzegorz Gutowski (grzegorz-gutowski) wrote :

This definition of tftphdr is part of libc6 in /usr/include/arpa/tftp.h and it was the same in ubuntu bionic, so I guess changing it is out of scope here.

Florian Fainelli (f-fainelli) wrote :

What is the path forward to get an updated package fixed?

Eduardo Barretto (ebarretto) wrote :

Hi Florian,

Thanks for taking the time to report this bug and helping to make Ubuntu better.

I could reproduce the issue in Jammy, Kinetic and Lunar/devel (in a chroot environment).
Has anyone tried to reproduce it in Debian testing/bookworm? Even though it is a different version from Jammy and Kinetic, it is the same version as we currently have in current devel release. So I would like to make a comparison.

Andrew Bonney (andrewbonney) wrote :

Hi Eduardo. I've just installed the Debian testing version (0.8.0-1+b1) on a Jammy host we use for PXE booting and can no longer replicate the issue. I hope that's useful.

Seth Arnold (seth-arnold) wrote :

I don't know for certain if our package was rebuilt with LTO enabled, but the timing feels plausible, and it's a known difference between our toolchain and Debian's toolchain; perhaps disabling LTO for a test build as described in https://wiki.ubuntu.com/ToolChain/LTO ?

    export DEB_BUILD_MAINT_OPTIONS=optimize=-lto

Thanks

Eduardo Barretto (ebarretto) wrote :

Thanks Seth!
You were spot on and I can see that disabling LTO makes the package work properly:

tftp> get i
tftp: error received from server <File not found>
tftp: aborting

Florian Fainelli (f-fainelli) wrote :

Confirmed that a rebuild with LTO disabled fixes it. Can we get that addressed?

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package atftp - 0.8.0-3build0.23.04.1

---------------
atftp (0.8.0-3build0.23.04.1) lunar-security; urgency=medium

  * Disable -flto flag in debian/rules file to fix LP: #1989816, LP: #1995854

 -- Jorge Sancho Larraz <email address hidden> Fri, 01 Sep 2023 15:12:58 +0200

Changed in atftp (Ubuntu):
status: Confirmed → Fix Released
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package atftp - 0.7.git20210915-4build1

---------------
atftp (0.7.git20210915-4build1) jammy-security; urgency=medium

  * Disable -flto flag in debian/rules file to fix LP: #1989816, LP: #1995854

 -- Jorge Sancho Larraz <email address hidden> Fri, 01 Sep 2023 14:59:36 +0200

Changed in atftp (Ubuntu):
status: Confirmed → Fix Released