1 /*
2 * Routine to disable IP-level socket options. This code was taken from 4.4BSD
3 * rlogind and kernel source, but all mistakes in it are my fault.
4 *
5 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
6 *
7 * $FreeBSD$
8 */
9
10 #ifndef lint
11 static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19";
12 #endif
13
14 #include <sys/types.h>
15 #include <sys/param.h>
16 #ifdef INET6
17 #include <sys/socket.h>
18 #endif
19 #include <netinet/in.h>
20 #include <netinet/in_systm.h>
21 #include <netinet/ip.h>
22 #include <netdb.h>
23 #include <stdio.h>
24 #include <syslog.h>
25
26 #ifndef IPOPT_OPTVAL
27 #define IPOPT_OPTVAL 0
28 #define IPOPT_OLEN 1
29 #endif
30
31 #include "tcpd.h"
32
33 #define BUFFER_SIZE 512 /* Was: BUFSIZ */
34
35 /* fix_options - get rid of IP-level socket options */
36
37 void
fix_options(struct request_info * request)38 fix_options(struct request_info *request)
39 {
40 #ifdef IP_OPTIONS
41 unsigned char optbuf[BUFFER_SIZE / 3], *cp;
42 char lbuf[BUFFER_SIZE], *lp;
43 int optsize = sizeof(optbuf), ipproto;
44 struct protoent *ip;
45 int fd = request->fd;
46 unsigned int opt;
47 int optlen;
48 struct in_addr dummy;
49 #ifdef INET6
50 struct sockaddr_storage ss;
51 int sslen;
52
53 /*
54 * check if this is AF_INET socket
55 * XXX IPv6 support?
56 */
57 sslen = sizeof(ss);
58 if (getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0) {
59 syslog(LOG_ERR, "getpeername: %m");
60 clean_exit(request);
61 }
62 if (ss.ss_family != AF_INET)
63 return;
64 #endif
65
66 if ((ip = getprotobyname("ip")) != 0)
67 ipproto = ip->p_proto;
68 else
69 ipproto = IPPROTO_IP;
70
71 if (getsockopt(fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0
72 && optsize != 0) {
73
74 /*
75 * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination
76 * address to the result IP options list when source routing options
77 * are present (see <netinet/ip_var.h>), but produces no output for
78 * other IP options. Solaris 2.x getsockopt() does produce output for
79 * non-routing IP options, and uses the same format as BSD even when
80 * the space for the destination address is unused. The code below
81 * does the right thing with 4.[34]BSD derivatives and Solaris 2, but
82 * may occasionally miss source routing options on incompatible
83 * systems such as Linux. Their choice.
84 *
85 * Look for source routing options. Drop the connection when one is
86 * found. Just wiping the IP options is insufficient: we would still
87 * help the attacker by providing a real TCP sequence number, and the
88 * attacker would still be able to send packets (blind spoofing). I
89 * discussed this attack with Niels Provos, half a year before the
90 * attack was described in open mailing lists.
91 *
92 * It would be cleaner to just return a yes/no reply and let the caller
93 * decide how to deal with it. Resident servers should not terminate.
94 * However I am not prepared to make changes to internal interfaces
95 * on short notice.
96 */
97 #define ADDR_LEN sizeof(dummy.s_addr)
98
99 for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) {
100 opt = cp[IPOPT_OPTVAL];
101 if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
102 syslog(LOG_WARNING,
103 "refused connect from %s with IP source routing options",
104 eval_client(request));
105 shutdown(fd, 2);
106 return;
107 }
108 if (opt == IPOPT_EOL)
109 break;
110 if (opt == IPOPT_NOP) {
111 optlen = 1;
112 } else {
113 optlen = cp[IPOPT_OLEN];
114 if (optlen <= 0) /* Do not loop! */
115 break;
116 }
117 }
118 lp = lbuf;
119 for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
120 sprintf(lp, " %2.2x", *cp);
121 syslog(LOG_NOTICE,
122 "connect from %s with IP options (ignored):%s",
123 eval_client(request), lbuf);
124 if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) {
125 syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
126 shutdown(fd, 2);
127 }
128 }
129 #endif
130 }
131