input.c revision 7c478bd95313f5f23a4c958a745db2134aa03244
/*
* Copyright 2004 Sun Microsystems, Inc. All rights reserved.
* Use is subject to license terms.
*
* Copyright (c) 1983, 1988, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgment:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#pragma ident "%Z%%M% %I% %E% SMI"
#include "defs.h"
#include <md5.h>
/*
* The size of the control buffer passed to recvmsg() used to receive
* ancillary data.
*/
#define CONTROL_BUFSIZE 1024
/*
* Find the interface which received the given message.
*/
struct interface *
{
struct sockaddr_in *from;
void *opt;
/* First see if this packet came from a remote gateway. */
return (ifp);
/*
* It did not come from a remote gateway. Determine which
* physical interface this packet was received on by
* processing the message's ancillary data to find the
* IP_RECVIF option we requested.
*/
msglog("unable to retrieve IP_RECVIF");
} else {
/* Find the best match of the aliases */
return (ifp1);
}
return (ifp);
}
}
/*
* As a last resort (for some reason, ip didn't give us the
* IP_RECVIF index we requested), try to deduce the receiving
* interface based on the source address of the packet.
*/
}
/*
* Process RIP input on rip_sock. Returns 0 for success, -1 for failure.
*/
int
read_rip()
{
struct sockaddr_in from;
int cc;
for (;;) {
if (cc == 0)
return (-1);
if (cc < 0) {
return (0);
LOGERR("recvmsg(rip_sock)");
return (-1);
}
/*
* ifp is the interface via which the packet arrived.
*/
}
}
/* Process a RIP packet */
static void
int cc)
{
int i, j;
/* Notice when we hear from a remote gateway */
trace_misc("discard RIP packet received over %s (IFF_NORTEXCH)",
return;
}
return;
}
"RIP version 0, cmd %d, packet received from %s",
return;
}
"Treating RIP version %d packet received from %s as "
RIPv2);
}
if (cc > (int)OVER_MAXPACKETSIZE) {
"packet at least %d bytes too long received from %s",
}
/*
* Notice authentication.
* As required by section 5.2 of RFC 2453, discard authenticated
* RIPv2 messages, but only if configured for that silliness.
*
* RIPv2 authentication is lame. Why authenticate queries?
* Why should a RIPv2 implementation with authentication disabled
* not be able to listen to RIPv2 packets with authentication, while
* RIPv1 systems will listen? Crazy!
*/
n->n_family == RIP_AF_AUTH) {
"RIPv2 message with authentication from %s discarded",
return;
}
case RIPCMD_POLL:
/*
* Similar to RIPCMD_REQUEST, this command is used to
* request either a full-table or a set of entries. Both
* silent processes and routers can respond to this
* command.
*/
/* FALLTHRU */
case RIPCMD_REQUEST:
/* Are we talking to ourself or a remote gateway? */
/* remote gateway */
if (check_remote(ifp)) {
}
trace_pkt(" discard our own RIP request");
return;
}
}
/* did the request come from a router? */
/*
* yes, ignore the request if RIP is off so that
* the router does not depend on us.
*/
if (ripout_interfaces == 0 ||
trace_pkt(" discard request while RIP off");
return;
}
}
/*
* According to RFC 2453 section 5.2, we should ignore
* unauthenticated queries when authentication is
* configured. That is too silly to bother with. Sheesh!
* Are forwarding tables supposed to be secret even though
* a bad guy can infer them with test traffic? RIP is
* still the most common router-discovery protocol, so
* hosts need to send queries that will be answered. What
* about `rtquery`? Maybe on firewalls you'd care, but not
* enough to give up the diagnostic facilities of remote
* probing.
*/
if (n >= lim) {
return;
}
"request of bad length (%d) from %s",
}
/*
* If we have a secret but it is a cleartext secret,
* do not disclose our secret unless the other guy
* already knows it.
*/
/*
* Don't authenticate incoming packets
* using an expired key.
*/
"%s attempting to authenticate using "
"an expired password.",
}
(n->n_family != RIP_AF_AUTH ||
&use_auth)))
} else {
}
do {
/*
* A single entry with family RIP_AF_UNSPEC and
* metric HOPCNT_INFINITY means "all routes".
* We respond to routers only if we are acting
* as a supplier, or to anyone other than a router
* (i.e. a query).
*/
if (n->n_family == RIP_AF_UNSPEC &&
n->n_metric == HOPCNT_INFINITY) {
/*
* Answer a full-table query from a utility
* program with all we know.
*/
if (poll_answer ||
return;
}
/*
* A router is trying to prime its tables.
* Filter the answer in the same way
* broadcasts are filtered.
*
* Only answer a router if we are a supplier
* to keep an unwary host that is just starting
* from picking us as a router.
*/
trace_pkt("ignore distant router");
return;
}
!should_supply(ifp)) {
trace_pkt("ignore; not supplying");
return;
}
/*
* Do not answer a RIPv1 router if
* we are sending RIPv2. But do offer
* poor man's router discovery.
*/
trace_pkt("ignore; sending RIPv2");
return;
}
if (NULL !=
v12buf.n++;
break;
}
/*
* Respond with RIPv1 instead of RIPv2 if
* that is what we are broadcasting on the
* interface to keep the remote router from
* getting the wrong initial idea of the
* routes we send.
*/
return;
}
/* Ignore authentication */
if (n->n_family == RIP_AF_AUTH)
continue;
if (n->n_family != RIP_AF_INET) {
"request from %s for unsupported"
" (af %d) %s",
naddr_ntoa(n->n_dst));
return;
}
/* We are being asked about a specific destination. */
"bad queried destination %s from %s",
goto rte_done;
}
/* decide what mask was intended */
/*
* Try to find the answer. If we don't have an
* explicit route for the destination, use the best
* route to the destination.
*/
/* we do not have the answer */
goto rte_done;
}
/*
* we have the answer, so compute the right metric
* and next hop.
*/
}
/*
* Stop paying attention if we fill the output buffer.
*/
break;
} while (++n < lim);
/*
* If our response is authenticated with md5, complete the
* md5 computation.
*/
/*
* Diagnostic programs make specific requests
* from ports other than 520. Log other types
* of specific requests as suspicious.
*/
"Received suspicious request from %s port %d",
}
/* query */
} else {
}
return;
case RIPCMD_TRACEON:
case RIPCMD_TRACEOFF:
/*
* Notice that trace messages are turned off for all possible
* abuse if PATH_TRACE is undefined in pathnames.h.
* Notice also that because of the way the trace file is
* handled in trace.c, no abuse is plausible even if
* PATH_TRACE is defined.
*
* First verify message came from a privileged port.
*/
trace_pkt("trace command from untrusted port %d on %s",
return;
}
/*
* Use a message here to warn about strange
* messages from remote systems.
*/
"trace command from non-local host %s",
return;
}
trace_pkt("trace command from "
"untrusted host %s",
return;
}
}
}
/*
* Technically, it would be fairly easy to add
* standard authentication to the existing
* trace commands -- just bracket the payload
* with the authentication information.
* However, the tracing message behavior
* itself is marginal enough that we don't
* actually care. Just discard if
* authentication is needed.
*/
trace_pkt("trace command unauthenticated from %s",
return;
}
"trace command: %s\n", 0);
} else {
trace_off("tracing turned off by %s",
}
return;
case RIPCMD_RESPONSE:
trace_misc("discard RIP response received over %s "
return;
}
"response of bad length (%d) from %s",
}
"discard RIP response from bad source address %s",
return;
}
/* verify message came from a router */
" discard RIP response from unknown port"
return;
}
if (!rip_enabled) {
trace_pkt(" discard response while RIP off");
return;
}
/* Are we talking to ourself or a remote gateway? */
/* remote gateway */
if (check_remote(ifp)) {
}
} else {
trace_pkt(" discard our own RIP response");
return;
}
} else {
/*
* If it's not a remote gateway, then the
* remote address *must* be directly
* connected. Make sure that it is.
*/
"discard RIP response; source %s not on "
return;
}
}
/*
* Accept routing packets from routers directly connected
* via broadcast or point-to-point networks, and from
*/
" discard response from %s"
" via unexpected interface",
return;
}
trace_pkt(" discard RIPv%d response"
" via disabled interface %s",
return;
}
if (n >= lim) {
return;
}
trace_pkt(" discard RIPv%d response",
return;
}
/*
* Continue to listen to routes via broken interfaces
* which might be declared IS_BROKE because of
* device-driver idiosyncracies, but might otherwise
* be perfectly healthy.
*/
trace_pkt("response via broken interface %s",
}
/*
* If the interface cares, ignore bad routers.
* Trace but do not log this problem, because where it
* happens, it happens frequently.
*/
trace_pkt(" discard RIP response"
" from untrusted router %s",
return;
}
}
}
/*
* Authenticate the packet if we have a secret.
* If we do not have any secrets, ignore the error in
* RFC 1723 and accept it regardless.
*/
return;
/*
* Do this only if we're supplying routes to *nobody*.
*/
/*
* "-S" option. Instead of entering all routes,
* only enter a default route for the sender of
* this RESPONSE message
*/
/* Should we trust this route from this router? */
trace_pkt(" ignored unauthorized %s",
addrname(RIP_DEFAULT, 0, 0));
break;
}
/*
* Add the newly generated default route, but don't
* propagate the madness. Treat it the same way as
* default routes learned from Router Discovery.
*/
return;
}
/*
* We don't want to propagate routes which would
* result in a black-hole.
*/
}
do {
if (n->n_family == RIP_AF_AUTH)
continue;
if (n->n_family != RIP_AF_INET &&
(n->n_family != RIP_AF_UNSPEC ||
dst != RIP_DEFAULT)) {
"route from %s to unsupported"
" address family=%d destination=%s",
naddr_ntoa(dst));
continue;
}
"bad destination %s from %s",
continue;
}
"bad metric %d from %s"
" for destination %s",
naddr_ntoa(dst));
continue;
}
/*
* Notice the next-hop.
*/
gate = FROM_NADDR;
if (n->n_nhop != 0) {
n->n_nhop = 0;
} else {
/* Use it only if it is valid. */
} else {
"router %s to %s"
" has bad next hop %s",
naddr_ntoa(n->n_nhop));
n->n_nhop = 0;
}
}
}
"router %s sent bad netmask %s with %s",
naddr_ntoa(dst));
continue;
}
trace_pkt(" ignored host route %s",
continue;
}
n->n_tag = 0;
/*
* Adjust metric according to incoming interface cost.
* We intentionally don't drop incoming routes with
* metric 15 on the floor even though they will
* not be advertised to other routers. We can use
* such routes locally, resulting in a network with
* a maximum width of 15 hops rather than 14.
*/
if (n->n_metric > HOPCNT_INFINITY)
n->n_metric = HOPCNT_INFINITY;
/*
* Should we trust this route from this router?
*/
for (i = 0; i < MAX_TGATE_NETS; i++, tn++) {
break;
}
trace_pkt(" ignored unauthorized %s",
continue;
}
}
/*
* Recognize and ignore a default route we faked
* which is being sent back to us by a machine with
* broken split-horizon. Be a little more paranoid
* than that, and reject default routes with the
* same metric we advertised.
*/
continue;
/*
* We can receive aggregated RIPv2 routes that must
* be broken down before they are transmitted by
* RIPv1 via an interface on a subnet. We might
* also receive the same routes aggregated via
* other RIPv2 interfaces. This could cause
* duplicate routes to be sent on the RIPv1
* interfaces. "Longest matching variable length
* netmasks" lets RIPv2 listeners understand, but
* breaking down the aggregated routes for RIPv1
* listeners can produce duplicate routes.
*
* Breaking down aggregated routes here bloats the
* daemon table, but does not hurt the kernel
* table, since routes are always aggregated for
* the kernel.
*
* Notice that this does not break down network
* routes corresponding to subnets. This is part of
* the defense against RS_NET_SYN.
*/
if (have_ripv1_out &&
/* Get least significant set bit */
/*
* If you're going to make 512 or more
* routes, then that's just too many. The
* reason here is that breaking an old
* class B into /24 allocations is common
* enough that allowing for the creation of
* at least 256 deaggregated routes is
* good. The next power of 2 is 512.
*/
if (i >= 511) {
/*
* Punt if we would have to
* generate an unreasonable number
* of routes.
*/
if (TRACECONTENTS)
trace_misc("accept %s-->%s as 1"
" instead of %d routes",
i + 1);
i = 0;
} else {
}
} else {
i = 0;
}
j = 0;
for (;;) {
if (++j > i)
break;
}
} while (++n < lim);
return;
case RIPCMD_POLLENTRY:
/*
* With this command one can request a single entry.
* Both silent processes and routers can respond to this
* command
*/
if (n >= lim) {
return;
}
"request of bad length (%d) from %s",
}
} else {
}
/* Dont bother with md5 authentication with POLLENTRY */
if (n->n_family != RIP_AF_INET) {
"POLLENTRY request from %s for unsupported"
" (af %d) %s",
naddr_ntoa(n->n_dst));
return;
}
/* We are being asked about a specific destination. */
"bad queried destination %s from %s",
goto pollentry_done;
}
/* decide what mask was intended */
/* try to find the answer */
/* we do not have the answer */
goto pollentry_done;
}
/*
* we have the answer, so compute the right metric and next
* hop.
*/
}
/*
* Send the answer about specific routes.
*/
break;
}
}
/*
* Process a single input route.
*/
void
struct netinfo *n,
{
int i;
/*
* See if we can already get there by a working interface. Ignore
* if so.
*/
return;
/*
* Look for the route in our table.
*/
/* Consider adding the route if we do not already have it. */
/* Ignore unknown routes being poisoned. */
return;
/* Ignore the route if it points to us */
return;
/*
* If something has not gone crazy and tried to fill
* our memory, accept the new route.
*/
return;
}
/*
* We already know about the route. Consider this update.
*
* If (rt->rt_state & RS_NET_SYN), then this route
* is the same as a network route we have inferred
* for subnets we know, in order to tell RIPv1 routers
* about the subnets.
*
* It is impossible to tell if the route is coming
* from a distant RIPv2 router with the standard
* netmask because that router knows about the entire
* network, or if it is a round-about echo of a
* synthetic, RIPv1 network route of our own.
* The worst is that both kinds of routes might be
* received, and the bad one might have the smaller
* metric. Partly solve this problem by never
* aggregating into such a route. Also keep it
* around as long as the interface exists.
*/
break;
/*
* Note the worst slot to reuse,
* other than the current slot.
*/
}
if (i != 0) {
/*
* Found a route from the router already in the table.
*/
/*
* If the new route is a route broken down from an
* aggregated route, and if the previous route is either
* not a broken down route or was broken down from a finer
* netmask, and if the previous route is current,
* then forget this one.
*/
return;
/*
* Keep poisoned routes around only long enough to pass
* the poison on. Use a new timestamp for good routes.
*/
/*
* If this is an update for the router we currently prefer,
* then note it.
*/
if (i == rt->rt_num_spares) {
/*
* If the route got worse, check for something better.
*/
return;
}
/*
* This is an update for a spare route.
* Finished if the route is unchanged.
*/
trace_misc("input_route update for spare");
return;
}
/*
* Forget it if it has gone bad.
*/
return;
}
} else {
/*
* The update is for a route we know about,
* but not from a familiar router.
*
* Ignore the route if it points to us.
*/
return;
/* the loop above set rts0=worst spare */
sizeof (struct rt_spare);
i != 0; i--, rts++)
}
}
/*
* Save the route as a spare only if it has
* a better metric than our worst spare.
* This also ignores poisoned routes (those
* received with metric HOPCNT_INFINITY).
*/
return;
}
/* try to switch to a better route */
}
/*
* Recorded information about peer's MD5 sequence numbers. This is
* used to validate that received sequence numbers are in
* non-decreasing order as per the RFC.
*/
struct peer_hash {
};
static struct peer_hash **peer_hashes;
static int ph_index;
static int ph_num_peers;
/*
* Get a peer_hash structure from the hash of known peers. Create a
* new one if not found. Returns NULL on unrecoverable allocation
* failure.
*/
static struct peer_hash *
{
int i;
static uint_t failed_count;
if (peer_hashes == NULL) {
sizeof (peer_hashes[0]));
if (peer_hashes == NULL) {
msglog("no memory for peer hash");
return (NULL);
}
}
/* Search for peer in existing hash table */
return (php);
}
/*
* Not found; we need to add this peer to the table. If there
* are already too many peers, then try to expand the table
* first. It's not a big deal if we can't expand the table
* right now due to memory constraints. We'll try again
* later.
*/
sizeof (peer_hashes[0]))) != NULL) {
}
}
ph_index++;
peer_hashes = ph_pp;
}
msglog("no memory for peer hash entry");
} else {
ph_num_peers++;
}
return (php);
}
/*
* Age out entries in the peer table. This is called every time we do
* a normal 30 second broadcast.
*/
void
age_peer_info(void)
{
int i;
/*
* Scan through the list and remove peers that should not
* still have valid authenticated entries in the routing
* table.
*/
return;
else
if (--ph_num_peers == 0)
return;
} else {
}
}
}
}
static boolean_t /* _B_FALSE if bad, _B_TRUE if good */
{
int i, len;
naddr_ntoa(from));
return (_B_FALSE);
}
/*
* Validate sequence number on RIPv2 responses using keyed MD5
* authentication per RFC 2082 section 3.2.2. Note that if we
* can't locate the peer information (due to transient
* allocation problems), then we don't do the test. Also note
* that we assume that all sequence numbers 0x80000000 or more
* away are "less than."
*
* We intentionally violate RFC 2082 with respect to one case:
* restablishing contact. The RFC says that you should
* continue to ignore old sequence numbers in this case but
* make a special allowance for 0. This is extremely foolish.
* The problem is that if the router has crashed, it's
* entirely possible that either we'll miss sequence zero (or
* that it might not even send it!) or that the peer doesn't
* remember what it last used for a sequence number. In
* either case, we'll create a failure state that persists
* until the sequence number happens to advance past the last
* one we saw. This is bad because it means that we may have
* to wait until the router has been up for at least as long
* as it was last time before we even pay attention to it.
* Meanwhile, other routers may listen to it if they hadn't
* seen it before (i.e., if they crashed in the meantime).
* This means -- perversely -- that stable systems that stay
* "up" for a long time pay a penalty for doing so.
*/
/*
* If the entry that we find has been updated
* recently enough that the routes are known
* to still be good, but the sequence number
* looks bad, then discard the packet.
*/
"discarding sequence %x (older than %x)",
return (_B_FALSE);
}
}
/*
* accept any current (+/- 24 hours) password
*/
continue;
return (_B_TRUE);
} else {
/*
* accept MD5 secret with the right key ID
*/
continue;
"wrong MD5 RIPv2 packet length of %d"
" instead of %d from %s",
naddr_ntoa(from));
return (_B_FALSE);
}
/*
* Given a good hash value, these are not security
* problems so be generous and accept the routes,
* after complaining.
*/
if (TRACEPACKETS) {
"unknown MD5 RIPv2 auth len %#x"
" instead of %#x from %s",
naddr_ntoa(from));
"unknown MD5 RIPv2 family %#x"
" instead of %#x from %s",
naddr_ntoa(from));
"MD5 RIPv2 hash has %#x"
" instead of %#x from %s",
naddr_ntoa(from));
}
/*
* MD5 sum
*/
return (_B_TRUE);
}
}
naddr_ntoa(from));
return (_B_FALSE);
}