xref: /freebsd/sbin/routed/input.c (revision 15fe2513996eaa8857fcf66a632814b5f9374b03)
1 /*-
2  * SPDX-License-Identifier: BSD-3-Clause
3  *
4  * Copyright (c) 1983, 1988, 1993
5  *	The Regents of the University of California.  All rights reserved.
6  *
7  * Redistribution and use in source and binary forms, with or without
8  * modification, are permitted provided that the following conditions
9  * are met:
10  * 1. Redistributions of source code must retain the above copyright
11  *    notice, this list of conditions and the following disclaimer.
12  * 2. Redistributions in binary form must reproduce the above copyright
13  *    notice, this list of conditions and the following disclaimer in the
14  *    documentation and/or other materials provided with the distribution.
15  * 3. Neither the name of the University nor the names of its contributors
16  *    may be used to endorse or promote products derived from this software
17  *    without specific prior written permission.
18  *
19  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29  * SUCH DAMAGE.
30  *
31  * $FreeBSD$
32  */
33 
34 #include "defs.h"
35 
36 #ifdef __NetBSD__
37 __RCSID("$NetBSD$");
38 #elif defined(__FreeBSD__)
39 __RCSID("$FreeBSD$");
40 #else
41 __RCSID("$Revision: 2.26 $");
42 #ident "$Revision: 2.26 $"
43 #endif
44 
45 static void input(struct sockaddr_in *, struct interface *, struct interface *,
46 		  struct rip *, int);
47 static void input_route(naddr, naddr, struct rt_spare *, struct netinfo *);
48 static int ck_passwd(struct interface *, struct rip *, void *,
49 		     naddr, struct msg_limit *);
50 
51 
52 /* process RIP input
53  */
54 void
55 read_rip(int sock,
56 	 struct interface *sifp)
57 {
58 	struct sockaddr_in from;
59 	struct interface *aifp;
60 	socklen_t fromlen;
61 	int cc;
62 #ifdef USE_PASSIFNAME
63 	static struct msg_limit  bad_name;
64 	struct {
65 		char	ifname[IFNAMSIZ];
66 		union pkt_buf pbuf;
67 	} inbuf;
68 #else
69 	struct {
70 		union pkt_buf pbuf;
71 	} inbuf;
72 #endif
73 
74 
75 	for (;;) {
76 		fromlen = sizeof(from);
77 		cc = recvfrom(sock, &inbuf, sizeof(inbuf), 0,
78 			      (struct sockaddr*)&from, &fromlen);
79 		if (cc <= 0) {
80 			if (cc < 0 && errno != EWOULDBLOCK)
81 				LOGERR("recvfrom(rip)");
82 			break;
83 		}
84 		if (fromlen != sizeof(struct sockaddr_in))
85 			logbad(1,"impossible recvfrom(rip) fromlen=%d",
86 			       (int)fromlen);
87 
88 		/* aifp is the "authenticated" interface via which the packet
89 		 *	arrived.  In fact, it is only the interface on which
90 		 *	the packet should have arrived based on is source
91 		 *	address.
92 		 * sifp is interface associated with the socket through which
93 		 *	the packet was received.
94 		 */
95 #ifdef USE_PASSIFNAME
96 		if ((cc -= sizeof(inbuf.ifname)) < 0)
97 			logbad(0,"missing USE_PASSIFNAME; only %d bytes",
98 			       cc+sizeof(inbuf.ifname));
99 
100 		/* check the remote interfaces first */
101 		LIST_FOREACH(aifp, &remote_if, remote_list) {
102 			if (aifp->int_addr == from.sin_addr.s_addr)
103 				break;
104 		}
105 		if (aifp == NULL) {
106 			aifp = ifwithname(inbuf.ifname, 0);
107 			if (aifp == NULL) {
108 				msglim(&bad_name, from.sin_addr.s_addr,
109 				       "impossible interface name %.*s",
110 				       IFNAMSIZ, inbuf.ifname);
111 			} else if (((aifp->int_if_flags & IFF_POINTOPOINT)
112 				    && aifp->int_dstaddr!=from.sin_addr.s_addr)
113 				   || (!(aifp->int_if_flags & IFF_POINTOPOINT)
114 				       && !on_net(from.sin_addr.s_addr,
115 						  aifp->int_net,
116 						  aifp->int_mask))) {
117 				/* If it came via the wrong interface, do not
118 				 * trust it.
119 				 */
120 				aifp = NULL;
121 			}
122 		}
123 #else
124 		aifp = iflookup(from.sin_addr.s_addr);
125 #endif
126 		if (sifp == NULL)
127 			sifp = aifp;
128 
129 		input(&from, sifp, aifp, &inbuf.pbuf.rip, cc);
130 	}
131 }
132 
133 
134 /* Process a RIP packet
135  */
136 static void
137 input(struct sockaddr_in *from,		/* received from this IP address */
138       struct interface *sifp,		/* interface of incoming socket */
139       struct interface *aifp,		/* "authenticated" interface */
140       struct rip *rip,
141       int cc)
142 {
143 #	define FROM_NADDR from->sin_addr.s_addr
144 	static struct msg_limit use_auth, bad_len, bad_mask;
145 	static struct msg_limit unk_router, bad_router, bad_nhop;
146 
147 	struct rt_entry *rt;
148 	struct rt_spare new;
149 	struct netinfo *n, *lim;
150 	struct interface *ifp1;
151 	naddr gate, mask, v1_mask, dst, ddst_h = 0;
152 	struct auth *ap;
153 	struct tgate *tg = NULL;
154 	struct tgate_net *tn;
155 	int i, j;
156 
157 	/* Notice when we hear from a remote gateway
158 	 */
159 	if (aifp != NULL
160 	    && (aifp->int_state & IS_REMOTE))
161 		aifp->int_act_time = now.tv_sec;
162 
163 	trace_rip("Recv", "from", from, sifp, rip, cc);
164 
165 	if (sifp == NULL) {
166 		trace_pkt("    discard a request from an indirect router"
167 		    " (possibly an attack)");
168 		return;
169 	}
170 
171 	if (rip->rip_vers == 0) {
172 		msglim(&bad_router, FROM_NADDR,
173 		       "RIP version 0, cmd %d, packet received from %s",
174 		       rip->rip_cmd, naddr_ntoa(FROM_NADDR));
175 		return;
176 	} else if (rip->rip_vers > RIPv2) {
177 		rip->rip_vers = RIPv2;
178 	}
179 	if (cc > (int)OVER_MAXPACKETSIZE) {
180 		msglim(&bad_router, FROM_NADDR,
181 		       "packet at least %d bytes too long received from %s",
182 		       cc-MAXPACKETSIZE, naddr_ntoa(FROM_NADDR));
183 		return;
184 	}
185 
186 	n = rip->rip_nets;
187 	lim = (struct netinfo *)((char*)rip + cc);
188 
189 	/* Notice authentication.
190 	 * As required by section 4.2 in RFC 1723, discard authenticated
191 	 * RIPv2 messages, but only if configured for that silliness.
192 	 *
193 	 * RIPv2 authentication is lame.  Why authenticate queries?
194 	 * Why should a RIPv2 implementation with authentication disabled
195 	 * not be able to listen to RIPv2 packets with authentication, while
196 	 * RIPv1 systems will listen?  Crazy!
197 	 */
198 	if (!auth_ok
199 	    && rip->rip_vers == RIPv2
200 	    && n < lim && n->n_family == RIP_AF_AUTH) {
201 		msglim(&use_auth, FROM_NADDR,
202 		       "RIPv2 message with authentication from %s discarded",
203 		       naddr_ntoa(FROM_NADDR));
204 		return;
205 	}
206 
207 	switch (rip->rip_cmd) {
208 	case RIPCMD_REQUEST:
209 		/* For mere requests, be a little sloppy about the source
210 		 */
211 		if (aifp == NULL)
212 			aifp = sifp;
213 
214 		/* Are we talking to ourself or a remote gateway?
215 		 */
216 		ifp1 = ifwithaddr(FROM_NADDR, 0, 1);
217 		if (ifp1) {
218 			if (ifp1->int_state & IS_REMOTE) {
219 				/* remote gateway */
220 				aifp = ifp1;
221 				if (check_remote(aifp)) {
222 					aifp->int_act_time = now.tv_sec;
223 					(void)if_ok(aifp, "remote ");
224 				}
225 			} else if (from->sin_port == htons(RIP_PORT)) {
226 				trace_pkt("    discard our own RIP request");
227 				return;
228 			}
229 		}
230 
231 		/* did the request come from a router?
232 		 */
233 		if (from->sin_port == htons(RIP_PORT)) {
234 			/* yes, ignore the request if RIP is off so that
235 			 * the router does not depend on us.
236 			 */
237 			if (rip_sock < 0
238 			    || (aifp != NULL
239 				&& IS_RIP_OUT_OFF(aifp->int_state))) {
240 				trace_pkt("    discard request while RIP off");
241 				return;
242 			}
243 		}
244 
245 		/* According to RFC 1723, we should ignore unauthenticated
246 		 * queries.  That is too silly to bother with.  Sheesh!
247 		 * Are forwarding tables supposed to be secret, when
248 		 * a bad guy can infer them with test traffic?  When RIP
249 		 * is still the most common router-discovery protocol
250 		 * and so hosts need to send queries that will be answered?
251 		 * What about `rtquery`?
252 		 * Maybe on firewalls you'd care, but not enough to
253 		 * give up the diagnostic facilities of remote probing.
254 		 */
255 
256 		if (n >= lim) {
257 			msglim(&bad_len, FROM_NADDR, "empty request from %s",
258 			       naddr_ntoa(FROM_NADDR));
259 			return;
260 		}
261 		if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) {
262 			msglim(&bad_len, FROM_NADDR,
263 			       "request of bad length (%d) from %s",
264 			       cc, naddr_ntoa(FROM_NADDR));
265 		}
266 
267 		if (rip->rip_vers == RIPv2
268 		    && (aifp == NULL || (aifp->int_state & IS_NO_RIPV1_OUT))) {
269 			v12buf.buf->rip_vers = RIPv2;
270 			/* If we have a secret but it is a cleartext secret,
271 			 * do not disclose our secret unless the other guy
272 			 * already knows it.
273 			 */
274 			ap = find_auth(aifp);
275 			if (ap != NULL && ap->type == RIP_AUTH_PW
276 			    && n->n_family == RIP_AF_AUTH
277 			    && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth))
278 				ap = NULL;
279 		} else {
280 			v12buf.buf->rip_vers = RIPv1;
281 			ap = NULL;
282 		}
283 		clr_ws_buf(&v12buf, ap);
284 
285 		do {
286 			n->n_metric = ntohl(n->n_metric);
287 
288 			/* A single entry with family RIP_AF_UNSPEC and
289 			 * metric HOPCNT_INFINITY means "all routes".
290 			 * We respond to routers only if we are acting
291 			 * as a supplier, or to anyone other than a router
292 			 * (i.e. a query).
293 			 */
294 			if (n->n_family == RIP_AF_UNSPEC
295 			    && n->n_metric == HOPCNT_INFINITY) {
296 				/* Answer a query from a utility program
297 				 * with all we know.
298 				 */
299 				if (aifp == NULL) {
300 					trace_pkt("ignore remote query");
301 					return;
302 				}
303 				if (from->sin_port != htons(RIP_PORT)) {
304 					/*
305 					 * insecure: query from non-router node
306 					 *   > 1: allow from distant node
307 					 *   > 0: allow from neighbor node
308 					 *  == 0: deny
309 					 */
310 					if ((aifp != NULL && insecure > 0) ||
311 					    (aifp == NULL && insecure > 1))
312 						supply(from, aifp, OUT_QUERY, 0,
313 						       rip->rip_vers,
314 						       ap != NULL);
315 					else
316 						trace_pkt("Warning: "
317 						    "possible attack detected");
318 					return;
319 				}
320 
321 				/* A router trying to prime its tables.
322 				 * Filter the answer in the about same way
323 				 * broadcasts are filtered.
324 				 *
325 				 * Only answer a router if we are a supplier
326 				 * to keep an unwary host that is just starting
327 				 * from picking us as a router.
328 				 */
329 				if (aifp == NULL) {
330 					trace_pkt("ignore distant router");
331 					return;
332 				}
333 				if (!supplier
334 				    || IS_RIP_OFF(aifp->int_state)) {
335 					trace_pkt("ignore; not supplying");
336 					return;
337 				}
338 
339 				/* Do not answer a RIPv1 router if
340 				 * we are sending RIPv2.  But do offer
341 				 * poor man's router discovery.
342 				 */
343 				if ((aifp->int_state & IS_NO_RIPV1_OUT)
344 				    && rip->rip_vers == RIPv1) {
345 					if (!(aifp->int_state & IS_PM_RDISC)) {
346 					    trace_pkt("ignore; sending RIPv2");
347 					    return;
348 					}
349 
350 					v12buf.n->n_family = RIP_AF_INET;
351 					v12buf.n->n_dst = RIP_DEFAULT;
352 					i = aifp->int_d_metric;
353 					if (NULL != (rt = rtget(RIP_DEFAULT, 0))) {
354 					    j = (rt->rt_metric
355 						 +aifp->int_metric
356 						 +aifp->int_adj_outmetric
357 						 +1);
358 					    if (i > j)
359 						i = j;
360 					}
361 					v12buf.n->n_metric = htonl(i);
362 					v12buf.n++;
363 					break;
364 				}
365 
366 				/* Respond with RIPv1 instead of RIPv2 if
367 				 * that is what we are broadcasting on the
368 				 * interface to keep the remote router from
369 				 * getting the wrong initial idea of the
370 				 * routes we send.
371 				 */
372 				supply(from, aifp, OUT_UNICAST, 0,
373 				       (aifp->int_state & IS_NO_RIPV1_OUT)
374 				       ? RIPv2 : RIPv1,
375 				       ap != NULL);
376 				return;
377 			}
378 
379 			/* Ignore authentication */
380 			if (n->n_family == RIP_AF_AUTH)
381 				continue;
382 
383 			if (n->n_family != RIP_AF_INET) {
384 				msglim(&bad_router, FROM_NADDR,
385 				       "request from %s for unsupported"
386 				       " (af %d) %s",
387 				       naddr_ntoa(FROM_NADDR),
388 				       ntohs(n->n_family),
389 				       naddr_ntoa(n->n_dst));
390 				return;
391 			}
392 
393 			/* We are being asked about a specific destination.
394 			 */
395 			dst = n->n_dst;
396 			if (!check_dst(dst)) {
397 				msglim(&bad_router, FROM_NADDR,
398 				       "bad queried destination %s from %s",
399 				       naddr_ntoa(dst),
400 				       naddr_ntoa(FROM_NADDR));
401 				return;
402 			}
403 
404 			/* decide what mask was intended */
405 			if (rip->rip_vers == RIPv1
406 			    || 0 == (mask = ntohl(n->n_mask))
407 			    || 0 != (ntohl(dst) & ~mask))
408 				mask = ripv1_mask_host(dst, aifp);
409 
410 			/* try to find the answer */
411 			rt = rtget(dst, mask);
412 			if (!rt && dst != RIP_DEFAULT)
413 				rt = rtfind(n->n_dst);
414 
415 			if (v12buf.buf->rip_vers != RIPv1)
416 				v12buf.n->n_mask = mask;
417 			if (rt == NULL) {
418 				/* we do not have the answer */
419 				v12buf.n->n_metric = HOPCNT_INFINITY;
420 			} else {
421 				/* we have the answer, so compute the
422 				 * right metric and next hop.
423 				 */
424 				v12buf.n->n_family = RIP_AF_INET;
425 				v12buf.n->n_dst = dst;
426 				j = rt->rt_metric+1;
427 				if (!aifp)
428 					++j;
429 				else
430 					j += (aifp->int_metric
431 					      + aifp->int_adj_outmetric);
432 				if (j < HOPCNT_INFINITY)
433 					v12buf.n->n_metric = j;
434 				else
435 					v12buf.n->n_metric = HOPCNT_INFINITY;
436 				if (v12buf.buf->rip_vers != RIPv1) {
437 					v12buf.n->n_tag = rt->rt_tag;
438 					v12buf.n->n_mask = mask;
439 					if (aifp != NULL
440 					    && on_net(rt->rt_gate,
441 						      aifp->int_net,
442 						      aifp->int_mask)
443 					    && rt->rt_gate != aifp->int_addr)
444 					    v12buf.n->n_nhop = rt->rt_gate;
445 				}
446 			}
447 			v12buf.n->n_metric = htonl(v12buf.n->n_metric);
448 
449 			/* Stop paying attention if we fill the output buffer.
450 			 */
451 			if (++v12buf.n >= v12buf.lim)
452 				break;
453 		} while (++n < lim);
454 
455 		/* Send the answer about specific routes.
456 		 */
457 		if (ap != NULL && ap->type == RIP_AUTH_MD5)
458 			end_md5_auth(&v12buf, ap);
459 
460 		if (from->sin_port != htons(RIP_PORT)) {
461 			/* query */
462 			(void)output(OUT_QUERY, from, aifp,
463 				     v12buf.buf,
464 				     ((char *)v12buf.n - (char*)v12buf.buf));
465 		} else if (supplier) {
466 			(void)output(OUT_UNICAST, from, aifp,
467 				     v12buf.buf,
468 				     ((char *)v12buf.n - (char*)v12buf.buf));
469 		} else {
470 			/* Only answer a router if we are a supplier
471 			 * to keep an unwary host that is just starting
472 			 * from picking us an a router.
473 			 */
474 			;
475 		}
476 		return;
477 
478 	case RIPCMD_TRACEON:
479 	case RIPCMD_TRACEOFF:
480 		/* Notice that trace messages are turned off for all possible
481 		 * abuse if _PATH_TRACE is undefined in pathnames.h.
482 		 * Notice also that because of the way the trace file is
483 		 * handled in trace.c, no abuse is plausible even if
484 		 * _PATH_TRACE_ is defined.
485 		 *
486 		 * First verify message came from a privileged port. */
487 		if (ntohs(from->sin_port) > IPPORT_RESERVED) {
488 			msglog("trace command from untrusted port on %s",
489 			       naddr_ntoa(FROM_NADDR));
490 			return;
491 		}
492 		if (aifp == NULL) {
493 			msglog("trace command from unknown router %s",
494 			       naddr_ntoa(FROM_NADDR));
495 			return;
496 		}
497 		if (rip->rip_cmd == RIPCMD_TRACEON) {
498 			rip->rip_tracefile[cc-4] = '\0';
499 			set_tracefile((char*)rip->rip_tracefile,
500 				      "trace command: %s\n", 0);
501 		} else {
502 			trace_off("tracing turned off by %s",
503 				  naddr_ntoa(FROM_NADDR));
504 		}
505 		return;
506 
507 	case RIPCMD_RESPONSE:
508 		if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) {
509 			msglim(&bad_len, FROM_NADDR,
510 			       "response of bad length (%d) from %s",
511 			       cc, naddr_ntoa(FROM_NADDR));
512 		}
513 
514 		/* verify message came from a router */
515 		if (from->sin_port != ntohs(RIP_PORT)) {
516 			msglim(&bad_router, FROM_NADDR,
517 			       "    discard RIP response from unknown port"
518 			       " %d on %s",
519 			       ntohs(from->sin_port), naddr_ntoa(FROM_NADDR));
520 			return;
521 		}
522 
523 		if (rip_sock < 0) {
524 			trace_pkt("    discard response while RIP off");
525 			return;
526 		}
527 
528 		/* Are we talking to ourself or a remote gateway?
529 		 */
530 		ifp1 = ifwithaddr(FROM_NADDR, 0, 1);
531 		if (ifp1) {
532 			if (ifp1->int_state & IS_REMOTE) {
533 				/* remote gateway */
534 				aifp = ifp1;
535 				if (check_remote(aifp)) {
536 					aifp->int_act_time = now.tv_sec;
537 					(void)if_ok(aifp, "remote ");
538 				}
539 			} else {
540 				trace_pkt("    discard our own RIP response");
541 				return;
542 			}
543 		}
544 
545 		/* Accept routing packets from routers directly connected
546 		 * via broadcast or point-to-point networks, and from
547 		 * those listed in /etc/gateways.
548 		 */
549 		if (aifp == NULL) {
550 			msglim(&unk_router, FROM_NADDR,
551 			       "   discard response from %s"
552 			       " via unexpected interface",
553 			       naddr_ntoa(FROM_NADDR));
554 			return;
555 		}
556 		if (IS_RIP_IN_OFF(aifp->int_state)) {
557 			trace_pkt("    discard RIPv%d response"
558 				  " via disabled interface %s",
559 				  rip->rip_vers, aifp->int_name);
560 			return;
561 		}
562 
563 		if (n >= lim) {
564 			msglim(&bad_len, FROM_NADDR, "empty response from %s",
565 			       naddr_ntoa(FROM_NADDR));
566 			return;
567 		}
568 
569 		if (((aifp->int_state & IS_NO_RIPV1_IN)
570 		     && rip->rip_vers == RIPv1)
571 		    || ((aifp->int_state & IS_NO_RIPV2_IN)
572 			&& rip->rip_vers != RIPv1)) {
573 			trace_pkt("    discard RIPv%d response",
574 				  rip->rip_vers);
575 			return;
576 		}
577 
578 		/* Ignore routes via dead interface.
579 		 */
580 		if (aifp->int_state & IS_BROKE) {
581 			trace_pkt("discard response via broken interface %s",
582 				  aifp->int_name);
583 			return;
584 		}
585 
586 		/* If the interface cares, ignore bad routers.
587 		 * Trace but do not log this problem, because where it
588 		 * happens, it happens frequently.
589 		 */
590 		if (aifp->int_state & IS_DISTRUST) {
591 			tg = tgates;
592 			while (tg->tgate_addr != FROM_NADDR) {
593 				tg = tg->tgate_next;
594 				if (tg == NULL) {
595 					trace_pkt("    discard RIP response"
596 						  " from untrusted router %s",
597 						  naddr_ntoa(FROM_NADDR));
598 					return;
599 				}
600 			}
601 		}
602 
603 		/* Authenticate the packet if we have a secret.
604 		 * If we do not have any secrets, ignore the error in
605 		 * RFC 1723 and accept it regardless.
606 		 */
607 		if (aifp->int_auth[0].type != RIP_AUTH_NONE
608 		    && rip->rip_vers != RIPv1
609 		    && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth))
610 			return;
611 
612 		do {
613 			if (n->n_family == RIP_AF_AUTH)
614 				continue;
615 
616 			n->n_metric = ntohl(n->n_metric);
617 			dst = n->n_dst;
618 			if (n->n_family != RIP_AF_INET
619 			    && (n->n_family != RIP_AF_UNSPEC
620 				|| dst != RIP_DEFAULT)) {
621 				msglim(&bad_router, FROM_NADDR,
622 				       "route from %s to unsupported"
623 				       " address family=%d destination=%s",
624 				       naddr_ntoa(FROM_NADDR),
625 				       n->n_family,
626 				       naddr_ntoa(dst));
627 				continue;
628 			}
629 			if (!check_dst(dst)) {
630 				msglim(&bad_router, FROM_NADDR,
631 				       "bad destination %s from %s",
632 				       naddr_ntoa(dst),
633 				       naddr_ntoa(FROM_NADDR));
634 				return;
635 			}
636 			if (n->n_metric == 0
637 			    || n->n_metric > HOPCNT_INFINITY) {
638 				msglim(&bad_router, FROM_NADDR,
639 				       "bad metric %d from %s"
640 				       " for destination %s",
641 				       n->n_metric,
642 				       naddr_ntoa(FROM_NADDR),
643 				       naddr_ntoa(dst));
644 				return;
645 			}
646 
647 			/* Notice the next-hop.
648 			 */
649 			gate = FROM_NADDR;
650 			if (n->n_nhop != 0) {
651 				if (rip->rip_vers == RIPv1) {
652 					n->n_nhop = 0;
653 				} else {
654 				    /* Use it only if it is valid. */
655 				    if (on_net(n->n_nhop,
656 					       aifp->int_net, aifp->int_mask)
657 					&& check_dst(n->n_nhop)) {
658 					    gate = n->n_nhop;
659 				    } else {
660 					    msglim(&bad_nhop, FROM_NADDR,
661 						   "router %s to %s"
662 						   " has bad next hop %s",
663 						   naddr_ntoa(FROM_NADDR),
664 						   naddr_ntoa(dst),
665 						   naddr_ntoa(n->n_nhop));
666 					    n->n_nhop = 0;
667 				    }
668 				}
669 			}
670 
671 			if (rip->rip_vers == RIPv1
672 			    || 0 == (mask = ntohl(n->n_mask))) {
673 				mask = ripv1_mask_host(dst,aifp);
674 			} else if ((ntohl(dst) & ~mask) != 0) {
675 				msglim(&bad_mask, FROM_NADDR,
676 				       "router %s sent bad netmask"
677 				       " %#lx with %s",
678 				       naddr_ntoa(FROM_NADDR),
679 				       (u_long)mask,
680 				       naddr_ntoa(dst));
681 				continue;
682 			}
683 			if (rip->rip_vers == RIPv1)
684 				n->n_tag = 0;
685 
686 			/* Adjust metric according to incoming interface..
687 			 */
688 			n->n_metric += (aifp->int_metric
689 					+ aifp->int_adj_inmetric);
690 			if (n->n_metric > HOPCNT_INFINITY)
691 				n->n_metric = HOPCNT_INFINITY;
692 
693 			/* Should we trust this route from this router? */
694 			if (tg && (tn = tg->tgate_nets)->mask != 0) {
695 				for (i = 0; i < MAX_TGATE_NETS; i++, tn++) {
696 					if (on_net(dst, tn->net, tn->mask)
697 					    && tn->mask <= mask)
698 					    break;
699 				}
700 				if (i >= MAX_TGATE_NETS || tn->mask == 0) {
701 					trace_pkt("   ignored unauthorized %s",
702 						  addrname(dst,mask,0));
703 					continue;
704 				}
705 			}
706 
707 			/* Recognize and ignore a default route we faked
708 			 * which is being sent back to us by a machine with
709 			 * broken split-horizon.
710 			 * Be a little more paranoid than that, and reject
711 			 * default routes with the same metric we advertised.
712 			 */
713 			if (aifp->int_d_metric != 0
714 			    && dst == RIP_DEFAULT
715 			    && (int)n->n_metric >= aifp->int_d_metric)
716 				continue;
717 
718 			/* We can receive aggregated RIPv2 routes that must
719 			 * be broken down before they are transmitted by
720 			 * RIPv1 via an interface on a subnet.
721 			 * We might also receive the same routes aggregated
722 			 * via other RIPv2 interfaces.
723 			 * This could cause duplicate routes to be sent on
724 			 * the RIPv1 interfaces.  "Longest matching variable
725 			 * length netmasks" lets RIPv2 listeners understand,
726 			 * but breaking down the aggregated routes for RIPv1
727 			 * listeners can produce duplicate routes.
728 			 *
729 			 * Breaking down aggregated routes here bloats
730 			 * the daemon table, but does not hurt the kernel
731 			 * table, since routes are always aggregated for
732 			 * the kernel.
733 			 *
734 			 * Notice that this does not break down network
735 			 * routes corresponding to subnets.  This is part
736 			 * of the defense against RS_NET_SYN.
737 			 */
738 			if (have_ripv1_out
739 			    && (((rt = rtget(dst,mask)) == NULL
740 				 || !(rt->rt_state & RS_NET_SYN)))
741 			    && (v1_mask = ripv1_mask_net(dst,0)) > mask) {
742 				ddst_h = v1_mask & -v1_mask;
743 				i = (v1_mask & ~mask)/ddst_h;
744 				if (i >= 511) {
745 					/* Punt if we would have to generate
746 					 * an unreasonable number of routes.
747 					 */
748 					if (TRACECONTENTS)
749 					    trace_misc("accept %s-->%s as 1"
750 						       " instead of %d routes",
751 						       addrname(dst,mask,0),
752 						       naddr_ntoa(FROM_NADDR),
753 						       i+1);
754 					i = 0;
755 				} else {
756 					mask = v1_mask;
757 				}
758 			} else {
759 				i = 0;
760 			}
761 
762 			new.rts_gate = gate;
763 			new.rts_router = FROM_NADDR;
764 			new.rts_metric = n->n_metric;
765 			new.rts_tag = n->n_tag;
766 			new.rts_time = now.tv_sec;
767 			new.rts_ifp = aifp;
768 			new.rts_de_ag = i;
769 			j = 0;
770 			for (;;) {
771 				input_route(dst, mask, &new, n);
772 				if (++j > i)
773 					break;
774 				dst = htonl(ntohl(dst) + ddst_h);
775 			}
776 		} while (++n < lim);
777 		break;
778 	}
779 #undef FROM_NADDR
780 }
781 
782 
783 /* Process a single input route.
784  */
785 static void
786 input_route(naddr dst,			/* network order */
787 	    naddr mask,
788 	    struct rt_spare *new,
789 	    struct netinfo *n)
790 {
791 	int i;
792 	struct rt_entry *rt;
793 	struct rt_spare *rts, *rts0;
794 	struct interface *ifp1;
795 
796 
797 	/* See if the other guy is telling us to send our packets to him.
798 	 * Sometimes network routes arrive over a point-to-point link for
799 	 * the network containing the address(es) of the link.
800 	 *
801 	 * If our interface is broken, switch to using the other guy.
802 	 */
803 	ifp1 = ifwithaddr(dst, 1, 1);
804 	if (ifp1 != NULL
805 	    && (!(ifp1->int_state & IS_BROKE)
806 		|| (ifp1->int_state & IS_PASSIVE)))
807 		return;
808 
809 	/* Look for the route in our table.
810 	 */
811 	rt = rtget(dst, mask);
812 
813 	/* Consider adding the route if we do not already have it.
814 	 */
815 	if (rt == NULL) {
816 		/* Ignore unknown routes being poisoned.
817 		 */
818 		if (new->rts_metric == HOPCNT_INFINITY)
819 			return;
820 
821 		/* Ignore the route if it points to us */
822 		if (n->n_nhop != 0
823 		    && ifwithaddr(n->n_nhop, 1, 0) != NULL)
824 			return;
825 
826 		/* If something has not gone crazy and tried to fill
827 		 * our memory, accept the new route.
828 		 */
829 		if (total_routes < MAX_ROUTES)
830 			rtadd(dst, mask, 0, new);
831 		return;
832 	}
833 
834 	/* We already know about the route.  Consider this update.
835 	 *
836 	 * If (rt->rt_state & RS_NET_SYN), then this route
837 	 * is the same as a network route we have inferred
838 	 * for subnets we know, in order to tell RIPv1 routers
839 	 * about the subnets.
840 	 *
841 	 * It is impossible to tell if the route is coming
842 	 * from a distant RIPv2 router with the standard
843 	 * netmask because that router knows about the entire
844 	 * network, or if it is a round-about echo of a
845 	 * synthetic, RIPv1 network route of our own.
846 	 * The worst is that both kinds of routes might be
847 	 * received, and the bad one might have the smaller
848 	 * metric.  Partly solve this problem by never
849 	 * aggregating into such a route.  Also keep it
850 	 * around as long as the interface exists.
851 	 */
852 
853 	rts0 = rt->rt_spares;
854 	for (rts = rts0, i = NUM_SPARES; i != 0; i--, rts++) {
855 		if (rts->rts_router == new->rts_router)
856 			break;
857 		/* Note the worst slot to reuse,
858 		 * other than the current slot.
859 		 */
860 		if (rts0 == rt->rt_spares
861 		    || BETTER_LINK(rt, rts0, rts))
862 			rts0 = rts;
863 	}
864 	if (i != 0) {
865 		/* Found a route from the router already in the table.
866 		 */
867 
868 		/* If the new route is a route broken down from an
869 		 * aggregated route, and if the previous route is either
870 		 * not a broken down route or was broken down from a finer
871 		 * netmask, and if the previous route is current,
872 		 * then forget this one.
873 		 */
874 		if (new->rts_de_ag > rts->rts_de_ag
875 		    && now_stale <= rts->rts_time)
876 			return;
877 
878 		/* Keep poisoned routes around only long enough to pass
879 		 * the poison on.  Use a new timestamp for good routes.
880 		 */
881 		if (rts->rts_metric == HOPCNT_INFINITY
882 		    && new->rts_metric == HOPCNT_INFINITY)
883 			new->rts_time = rts->rts_time;
884 
885 		/* If this is an update for the router we currently prefer,
886 		 * then note it.
887 		 */
888 		if (i == NUM_SPARES) {
889 			rtchange(rt, rt->rt_state, new, 0);
890 			/* If the route got worse, check for something better.
891 			 */
892 			if (new->rts_metric > rts->rts_metric)
893 				rtswitch(rt, 0);
894 			return;
895 		}
896 
897 		/* This is an update for a spare route.
898 		 * Finished if the route is unchanged.
899 		 */
900 		if (rts->rts_gate == new->rts_gate
901 		    && rts->rts_metric == new->rts_metric
902 		    && rts->rts_tag == new->rts_tag) {
903 			trace_upslot(rt, rts, new);
904 			*rts = *new;
905 			return;
906 		}
907 		/* Forget it if it has gone bad.
908 		 */
909 		if (new->rts_metric == HOPCNT_INFINITY) {
910 			rts_delete(rt, rts);
911 			return;
912 		}
913 
914 	} else {
915 		/* The update is for a route we know about,
916 		 * but not from a familiar router.
917 		 *
918 		 * Ignore the route if it points to us.
919 		 */
920 		if (n->n_nhop != 0
921 		    && NULL != ifwithaddr(n->n_nhop, 1, 0))
922 			return;
923 
924 		/* the loop above set rts0=worst spare */
925 		rts = rts0;
926 
927 		/* Save the route as a spare only if it has
928 		 * a better metric than our worst spare.
929 		 * This also ignores poisoned routes (those
930 		 * received with metric HOPCNT_INFINITY).
931 		 */
932 		if (new->rts_metric >= rts->rts_metric)
933 			return;
934 	}
935 
936 	trace_upslot(rt, rts, new);
937 	*rts = *new;
938 
939 	/* try to switch to a better route */
940 	rtswitch(rt, rts);
941 }
942 
943 
944 static int				/* 0 if bad */
945 ck_passwd(struct interface *aifp,
946 	  struct rip *rip,
947 	  void *lim,
948 	  naddr from,
949 	  struct msg_limit *use_authp)
950 {
951 #	define NA (rip->rip_auths)
952 	struct netauth *na2;
953 	struct auth *ap;
954 	MD5_CTX md5_ctx;
955 	u_char hash[RIP_AUTH_PW_LEN];
956 	int i, len;
957 
958 	assert(aifp != NULL);
959 	if ((void *)NA >= lim || NA->a_family != RIP_AF_AUTH) {
960 		msglim(use_authp, from, "missing password from %s",
961 		       naddr_ntoa(from));
962 		return 0;
963 	}
964 
965 	/* accept any current (+/- 24 hours) password
966 	 */
967 	for (ap = aifp->int_auth, i = 0; i < MAX_AUTH_KEYS; i++, ap++) {
968 		if (ap->type != NA->a_type
969 		    || (u_long)ap->start > (u_long)clk.tv_sec+DAY
970 		    || (u_long)ap->end+DAY < (u_long)clk.tv_sec)
971 			continue;
972 
973 		if (NA->a_type == RIP_AUTH_PW) {
974 			if (!memcmp(NA->au.au_pw, ap->key, RIP_AUTH_PW_LEN))
975 				return 1;
976 
977 		} else {
978 			/* accept MD5 secret with the right key ID
979 			 */
980 			if (NA->au.a_md5.md5_keyid != ap->keyid)
981 				continue;
982 
983 			len = ntohs(NA->au.a_md5.md5_pkt_len);
984 			if ((len-sizeof(*rip)) % sizeof(*NA) != 0
985 			    || len != (char *)lim-(char*)rip-(int)sizeof(*NA)) {
986 				msglim(use_authp, from,
987 				       "wrong MD5 RIPv2 packet length of %d"
988 				       " instead of %d from %s",
989 				       len, (int)((char *)lim-(char *)rip
990 						  -sizeof(*NA)),
991 				       naddr_ntoa(from));
992 				return 0;
993 			}
994 			na2 = (struct netauth *)((char *)rip+len);
995 
996 			/* Given a good hash value, these are not security
997 			 * problems so be generous and accept the routes,
998 			 * after complaining.
999 			 */
1000 			if (TRACEPACKETS) {
1001 				if (NA->au.a_md5.md5_auth_len
1002 				    != RIP_AUTH_MD5_HASH_LEN)
1003 					msglim(use_authp, from,
1004 					       "unknown MD5 RIPv2 auth len %#x"
1005 					       " instead of %#x from %s",
1006 					       NA->au.a_md5.md5_auth_len,
1007 					       (unsigned)RIP_AUTH_MD5_HASH_LEN,
1008 					       naddr_ntoa(from));
1009 				if (na2->a_family != RIP_AF_AUTH)
1010 					msglim(use_authp, from,
1011 					       "unknown MD5 RIPv2 family %#x"
1012 					       " instead of %#x from %s",
1013 					       na2->a_family, RIP_AF_AUTH,
1014 					       naddr_ntoa(from));
1015 				if (na2->a_type != ntohs(1))
1016 					msglim(use_authp, from,
1017 					       "MD5 RIPv2 hash has %#x"
1018 					       " instead of %#x from %s",
1019 					       na2->a_type, ntohs(1),
1020 					       naddr_ntoa(from));
1021 			}
1022 
1023 			MD5Init(&md5_ctx);
1024 			MD5Update(&md5_ctx, (u_char *)rip,
1025 				  len + RIP_AUTH_MD5_HASH_XTRA);
1026 			MD5Update(&md5_ctx, ap->key, RIP_AUTH_MD5_KEY_LEN);
1027 			MD5Final(hash, &md5_ctx);
1028 			if (!memcmp(hash, na2->au.au_pw, sizeof(hash)))
1029 				return 1;
1030 		}
1031 	}
1032 
1033 	msglim(use_authp, from, "bad password from %s",
1034 	       naddr_ntoa(from));
1035 	return 0;
1036 #undef NA
1037 }
1038