xref: /freebsd/sbin/routed/input.c (revision 39ee7a7a6bdd1557b1c3532abf60d139798ac88b)
1 /*
2  * Copyright (c) 1983, 1988, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 4. Neither the name of the University nor the names of its contributors
14  *    may be used to endorse or promote products derived from this software
15  *    without specific prior written permission.
16  *
17  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27  * SUCH DAMAGE.
28  *
29  * $FreeBSD$
30  */
31 
32 #include "defs.h"
33 
34 #ifdef __NetBSD__
35 __RCSID("$NetBSD$");
36 #elif defined(__FreeBSD__)
37 __RCSID("$FreeBSD$");
38 #else
39 __RCSID("$Revision: 2.26 $");
40 #ident "$Revision: 2.26 $"
41 #endif
42 
43 static void input(struct sockaddr_in *, struct interface *, struct interface *,
44 		  struct rip *, int);
45 static void input_route(naddr, naddr, struct rt_spare *, struct netinfo *);
46 static int ck_passwd(struct interface *, struct rip *, void *,
47 		     naddr, struct msg_limit *);
48 
49 
50 /* process RIP input
51  */
52 void
53 read_rip(int sock,
54 	 struct interface *sifp)
55 {
56 	struct sockaddr_in from;
57 	struct interface *aifp;
58 	socklen_t fromlen;
59 	int cc;
60 #ifdef USE_PASSIFNAME
61 	static struct msg_limit  bad_name;
62 	struct {
63 		char	ifname[IFNAMSIZ];
64 		union pkt_buf pbuf;
65 	} inbuf;
66 #else
67 	struct {
68 		union pkt_buf pbuf;
69 	} inbuf;
70 #endif
71 
72 
73 	for (;;) {
74 		fromlen = sizeof(from);
75 		cc = recvfrom(sock, &inbuf, sizeof(inbuf), 0,
76 			      (struct sockaddr*)&from, &fromlen);
77 		if (cc <= 0) {
78 			if (cc < 0 && errno != EWOULDBLOCK)
79 				LOGERR("recvfrom(rip)");
80 			break;
81 		}
82 		if (fromlen != sizeof(struct sockaddr_in))
83 			logbad(1,"impossible recvfrom(rip) fromlen=%d",
84 			       (int)fromlen);
85 
86 		/* aifp is the "authenticated" interface via which the packet
87 		 *	arrived.  In fact, it is only the interface on which
88 		 *	the packet should have arrived based on is source
89 		 *	address.
90 		 * sifp is interface associated with the socket through which
91 		 *	the packet was received.
92 		 */
93 #ifdef USE_PASSIFNAME
94 		if ((cc -= sizeof(inbuf.ifname)) < 0)
95 			logbad(0,"missing USE_PASSIFNAME; only %d bytes",
96 			       cc+sizeof(inbuf.ifname));
97 
98 		/* check the remote interfaces first */
99 		LIST_FOREACH(aifp, &remote_if, remote_list) {
100 			if (aifp->int_addr == from.sin_addr.s_addr)
101 				break;
102 		}
103 		if (aifp == 0) {
104 			aifp = ifwithname(inbuf.ifname, 0);
105 			if (aifp == 0) {
106 				msglim(&bad_name, from.sin_addr.s_addr,
107 				       "impossible interface name %.*s",
108 				       IFNAMSIZ, inbuf.ifname);
109 			} else if (((aifp->int_if_flags & IFF_POINTOPOINT)
110 				    && aifp->int_dstaddr!=from.sin_addr.s_addr)
111 				   || (!(aifp->int_if_flags & IFF_POINTOPOINT)
112 				       && !on_net(from.sin_addr.s_addr,
113 						  aifp->int_net,
114 						  aifp->int_mask))) {
115 				/* If it came via the wrong interface, do not
116 				 * trust it.
117 				 */
118 				aifp = 0;
119 			}
120 		}
121 #else
122 		aifp = iflookup(from.sin_addr.s_addr);
123 #endif
124 		if (sifp == 0)
125 			sifp = aifp;
126 
127 		input(&from, sifp, aifp, &inbuf.pbuf.rip, cc);
128 	}
129 }
130 
131 
132 /* Process a RIP packet
133  */
134 static void
135 input(struct sockaddr_in *from,		/* received from this IP address */
136       struct interface *sifp,		/* interface of incoming socket */
137       struct interface *aifp,		/* "authenticated" interface */
138       struct rip *rip,
139       int cc)
140 {
141 #	define FROM_NADDR from->sin_addr.s_addr
142 	static struct msg_limit use_auth, bad_len, bad_mask;
143 	static struct msg_limit unk_router, bad_router, bad_nhop;
144 
145 	struct rt_entry *rt;
146 	struct rt_spare new;
147 	struct netinfo *n, *lim;
148 	struct interface *ifp1;
149 	naddr gate, mask, v1_mask, dst, ddst_h = 0;
150 	struct auth *ap;
151 	struct tgate *tg = 0;
152 	struct tgate_net *tn;
153 	int i, j;
154 
155 	/* Notice when we hear from a remote gateway
156 	 */
157 	if (aifp != 0
158 	    && (aifp->int_state & IS_REMOTE))
159 		aifp->int_act_time = now.tv_sec;
160 
161 	trace_rip("Recv", "from", from, sifp, rip, cc);
162 
163 	if (sifp == 0) {
164 		trace_pkt("    discard a request from an indirect router"
165 		    " (possibly an attack)");
166 		return;
167 	}
168 
169 	if (rip->rip_vers == 0) {
170 		msglim(&bad_router, FROM_NADDR,
171 		       "RIP version 0, cmd %d, packet received from %s",
172 		       rip->rip_cmd, naddr_ntoa(FROM_NADDR));
173 		return;
174 	} else if (rip->rip_vers > RIPv2) {
175 		rip->rip_vers = RIPv2;
176 	}
177 	if (cc > (int)OVER_MAXPACKETSIZE) {
178 		msglim(&bad_router, FROM_NADDR,
179 		       "packet at least %d bytes too long received from %s",
180 		       cc-MAXPACKETSIZE, naddr_ntoa(FROM_NADDR));
181 		return;
182 	}
183 
184 	n = rip->rip_nets;
185 	lim = (struct netinfo *)((char*)rip + cc);
186 
187 	/* Notice authentication.
188 	 * As required by section 4.2 in RFC 1723, discard authenticated
189 	 * RIPv2 messages, but only if configured for that silliness.
190 	 *
191 	 * RIPv2 authentication is lame.  Why authenticate queries?
192 	 * Why should a RIPv2 implementation with authentication disabled
193 	 * not be able to listen to RIPv2 packets with authentication, while
194 	 * RIPv1 systems will listen?  Crazy!
195 	 */
196 	if (!auth_ok
197 	    && rip->rip_vers == RIPv2
198 	    && n < lim && n->n_family == RIP_AF_AUTH) {
199 		msglim(&use_auth, FROM_NADDR,
200 		       "RIPv2 message with authentication from %s discarded",
201 		       naddr_ntoa(FROM_NADDR));
202 		return;
203 	}
204 
205 	switch (rip->rip_cmd) {
206 	case RIPCMD_REQUEST:
207 		/* For mere requests, be a little sloppy about the source
208 		 */
209 		if (aifp == 0)
210 			aifp = sifp;
211 
212 		/* Are we talking to ourself or a remote gateway?
213 		 */
214 		ifp1 = ifwithaddr(FROM_NADDR, 0, 1);
215 		if (ifp1) {
216 			if (ifp1->int_state & IS_REMOTE) {
217 				/* remote gateway */
218 				aifp = ifp1;
219 				if (check_remote(aifp)) {
220 					aifp->int_act_time = now.tv_sec;
221 					(void)if_ok(aifp, "remote ");
222 				}
223 			} else if (from->sin_port == htons(RIP_PORT)) {
224 				trace_pkt("    discard our own RIP request");
225 				return;
226 			}
227 		}
228 
229 		/* did the request come from a router?
230 		 */
231 		if (from->sin_port == htons(RIP_PORT)) {
232 			/* yes, ignore the request if RIP is off so that
233 			 * the router does not depend on us.
234 			 */
235 			if (rip_sock < 0
236 			    || (aifp != 0
237 				&& IS_RIP_OUT_OFF(aifp->int_state))) {
238 				trace_pkt("    discard request while RIP off");
239 				return;
240 			}
241 		}
242 
243 		/* According to RFC 1723, we should ignore unauthenticated
244 		 * queries.  That is too silly to bother with.  Sheesh!
245 		 * Are forwarding tables supposed to be secret, when
246 		 * a bad guy can infer them with test traffic?  When RIP
247 		 * is still the most common router-discovery protocol
248 		 * and so hosts need to send queries that will be answered?
249 		 * What about `rtquery`?
250 		 * Maybe on firewalls you'd care, but not enough to
251 		 * give up the diagnostic facilities of remote probing.
252 		 */
253 
254 		if (n >= lim) {
255 			msglim(&bad_len, FROM_NADDR, "empty request from %s",
256 			       naddr_ntoa(FROM_NADDR));
257 			return;
258 		}
259 		if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) {
260 			msglim(&bad_len, FROM_NADDR,
261 			       "request of bad length (%d) from %s",
262 			       cc, naddr_ntoa(FROM_NADDR));
263 		}
264 
265 		if (rip->rip_vers == RIPv2
266 		    && (aifp == 0 || (aifp->int_state & IS_NO_RIPV1_OUT))) {
267 			v12buf.buf->rip_vers = RIPv2;
268 			/* If we have a secret but it is a cleartext secret,
269 			 * do not disclose our secret unless the other guy
270 			 * already knows it.
271 			 */
272 			ap = find_auth(aifp);
273 			if (ap != 0 && ap->type == RIP_AUTH_PW
274 			    && n->n_family == RIP_AF_AUTH
275 			    && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth))
276 				ap = 0;
277 		} else {
278 			v12buf.buf->rip_vers = RIPv1;
279 			ap = 0;
280 		}
281 		clr_ws_buf(&v12buf, ap);
282 
283 		do {
284 			n->n_metric = ntohl(n->n_metric);
285 
286 			/* A single entry with family RIP_AF_UNSPEC and
287 			 * metric HOPCNT_INFINITY means "all routes".
288 			 * We respond to routers only if we are acting
289 			 * as a supplier, or to anyone other than a router
290 			 * (i.e. a query).
291 			 */
292 			if (n->n_family == RIP_AF_UNSPEC
293 			    && n->n_metric == HOPCNT_INFINITY) {
294 				/* Answer a query from a utility program
295 				 * with all we know.
296 				 */
297 				if (aifp == NULL) {
298 					trace_pkt("ignore remote query");
299 					return;
300 				}
301 				if (from->sin_port != htons(RIP_PORT)) {
302 					/*
303 					 * insecure: query from non-router node
304 					 *   > 1: allow from distant node
305 					 *   > 0: allow from neighbor node
306 					 *  == 0: deny
307 					 */
308 					if ((aifp != NULL && insecure > 0) ||
309 					    (aifp == NULL && insecure > 1))
310 						supply(from, aifp, OUT_QUERY, 0,
311 						       rip->rip_vers, ap != 0);
312 					else
313 						trace_pkt("Warning: "
314 						    "possible attack detected");
315 					return;
316 				}
317 
318 				/* A router trying to prime its tables.
319 				 * Filter the answer in the about same way
320 				 * broadcasts are filtered.
321 				 *
322 				 * Only answer a router if we are a supplier
323 				 * to keep an unwary host that is just starting
324 				 * from picking us as a router.
325 				 */
326 				if (aifp == 0) {
327 					trace_pkt("ignore distant router");
328 					return;
329 				}
330 				if (!supplier
331 				    || IS_RIP_OFF(aifp->int_state)) {
332 					trace_pkt("ignore; not supplying");
333 					return;
334 				}
335 
336 				/* Do not answer a RIPv1 router if
337 				 * we are sending RIPv2.  But do offer
338 				 * poor man's router discovery.
339 				 */
340 				if ((aifp->int_state & IS_NO_RIPV1_OUT)
341 				    && rip->rip_vers == RIPv1) {
342 					if (!(aifp->int_state & IS_PM_RDISC)) {
343 					    trace_pkt("ignore; sending RIPv2");
344 					    return;
345 					}
346 
347 					v12buf.n->n_family = RIP_AF_INET;
348 					v12buf.n->n_dst = RIP_DEFAULT;
349 					i = aifp->int_d_metric;
350 					if (0 != (rt = rtget(RIP_DEFAULT, 0))) {
351 					    j = (rt->rt_metric
352 						 +aifp->int_metric
353 						 +aifp->int_adj_outmetric
354 						 +1);
355 					    if (i > j)
356 						i = j;
357 					}
358 					v12buf.n->n_metric = htonl(i);
359 					v12buf.n++;
360 					break;
361 				}
362 
363 				/* Respond with RIPv1 instead of RIPv2 if
364 				 * that is what we are broadcasting on the
365 				 * interface to keep the remote router from
366 				 * getting the wrong initial idea of the
367 				 * routes we send.
368 				 */
369 				supply(from, aifp, OUT_UNICAST, 0,
370 				       (aifp->int_state & IS_NO_RIPV1_OUT)
371 				       ? RIPv2 : RIPv1,
372 				       ap != 0);
373 				return;
374 			}
375 
376 			/* Ignore authentication */
377 			if (n->n_family == RIP_AF_AUTH)
378 				continue;
379 
380 			if (n->n_family != RIP_AF_INET) {
381 				msglim(&bad_router, FROM_NADDR,
382 				       "request from %s for unsupported"
383 				       " (af %d) %s",
384 				       naddr_ntoa(FROM_NADDR),
385 				       ntohs(n->n_family),
386 				       naddr_ntoa(n->n_dst));
387 				return;
388 			}
389 
390 			/* We are being asked about a specific destination.
391 			 */
392 			dst = n->n_dst;
393 			if (!check_dst(dst)) {
394 				msglim(&bad_router, FROM_NADDR,
395 				       "bad queried destination %s from %s",
396 				       naddr_ntoa(dst),
397 				       naddr_ntoa(FROM_NADDR));
398 				return;
399 			}
400 
401 			/* decide what mask was intended */
402 			if (rip->rip_vers == RIPv1
403 			    || 0 == (mask = ntohl(n->n_mask))
404 			    || 0 != (ntohl(dst) & ~mask))
405 				mask = ripv1_mask_host(dst, aifp);
406 
407 			/* try to find the answer */
408 			rt = rtget(dst, mask);
409 			if (!rt && dst != RIP_DEFAULT)
410 				rt = rtfind(n->n_dst);
411 
412 			if (v12buf.buf->rip_vers != RIPv1)
413 				v12buf.n->n_mask = mask;
414 			if (rt == 0) {
415 				/* we do not have the answer */
416 				v12buf.n->n_metric = HOPCNT_INFINITY;
417 			} else {
418 				/* we have the answer, so compute the
419 				 * right metric and next hop.
420 				 */
421 				v12buf.n->n_family = RIP_AF_INET;
422 				v12buf.n->n_dst = dst;
423 				j = rt->rt_metric+1;
424 				if (!aifp)
425 					++j;
426 				else
427 					j += (aifp->int_metric
428 					      + aifp->int_adj_outmetric);
429 				if (j < HOPCNT_INFINITY)
430 					v12buf.n->n_metric = j;
431 				else
432 					v12buf.n->n_metric = HOPCNT_INFINITY;
433 				if (v12buf.buf->rip_vers != RIPv1) {
434 					v12buf.n->n_tag = rt->rt_tag;
435 					v12buf.n->n_mask = mask;
436 					if (aifp != 0
437 					    && on_net(rt->rt_gate,
438 						      aifp->int_net,
439 						      aifp->int_mask)
440 					    && rt->rt_gate != aifp->int_addr)
441 					    v12buf.n->n_nhop = rt->rt_gate;
442 				}
443 			}
444 			v12buf.n->n_metric = htonl(v12buf.n->n_metric);
445 
446 			/* Stop paying attention if we fill the output buffer.
447 			 */
448 			if (++v12buf.n >= v12buf.lim)
449 				break;
450 		} while (++n < lim);
451 
452 		/* Send the answer about specific routes.
453 		 */
454 		if (ap != 0 && ap->type == RIP_AUTH_MD5)
455 			end_md5_auth(&v12buf, ap);
456 
457 		if (from->sin_port != htons(RIP_PORT)) {
458 			/* query */
459 			(void)output(OUT_QUERY, from, aifp,
460 				     v12buf.buf,
461 				     ((char *)v12buf.n - (char*)v12buf.buf));
462 		} else if (supplier) {
463 			(void)output(OUT_UNICAST, from, aifp,
464 				     v12buf.buf,
465 				     ((char *)v12buf.n - (char*)v12buf.buf));
466 		} else {
467 			/* Only answer a router if we are a supplier
468 			 * to keep an unwary host that is just starting
469 			 * from picking us an a router.
470 			 */
471 			;
472 		}
473 		return;
474 
475 	case RIPCMD_TRACEON:
476 	case RIPCMD_TRACEOFF:
477 		/* Notice that trace messages are turned off for all possible
478 		 * abuse if _PATH_TRACE is undefined in pathnames.h.
479 		 * Notice also that because of the way the trace file is
480 		 * handled in trace.c, no abuse is plausible even if
481 		 * _PATH_TRACE_ is defined.
482 		 *
483 		 * First verify message came from a privileged port. */
484 		if (ntohs(from->sin_port) > IPPORT_RESERVED) {
485 			msglog("trace command from untrusted port on %s",
486 			       naddr_ntoa(FROM_NADDR));
487 			return;
488 		}
489 		if (aifp == 0) {
490 			msglog("trace command from unknown router %s",
491 			       naddr_ntoa(FROM_NADDR));
492 			return;
493 		}
494 		if (rip->rip_cmd == RIPCMD_TRACEON) {
495 			rip->rip_tracefile[cc-4] = '\0';
496 			set_tracefile((char*)rip->rip_tracefile,
497 				      "trace command: %s\n", 0);
498 		} else {
499 			trace_off("tracing turned off by %s",
500 				  naddr_ntoa(FROM_NADDR));
501 		}
502 		return;
503 
504 	case RIPCMD_RESPONSE:
505 		if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) {
506 			msglim(&bad_len, FROM_NADDR,
507 			       "response of bad length (%d) from %s",
508 			       cc, naddr_ntoa(FROM_NADDR));
509 		}
510 
511 		/* verify message came from a router */
512 		if (from->sin_port != ntohs(RIP_PORT)) {
513 			msglim(&bad_router, FROM_NADDR,
514 			       "    discard RIP response from unknown port"
515 			       " %d on %s",
516 			       ntohs(from->sin_port), naddr_ntoa(FROM_NADDR));
517 			return;
518 		}
519 
520 		if (rip_sock < 0) {
521 			trace_pkt("    discard response while RIP off");
522 			return;
523 		}
524 
525 		/* Are we talking to ourself or a remote gateway?
526 		 */
527 		ifp1 = ifwithaddr(FROM_NADDR, 0, 1);
528 		if (ifp1) {
529 			if (ifp1->int_state & IS_REMOTE) {
530 				/* remote gateway */
531 				aifp = ifp1;
532 				if (check_remote(aifp)) {
533 					aifp->int_act_time = now.tv_sec;
534 					(void)if_ok(aifp, "remote ");
535 				}
536 			} else {
537 				trace_pkt("    discard our own RIP response");
538 				return;
539 			}
540 		}
541 
542 		/* Accept routing packets from routers directly connected
543 		 * via broadcast or point-to-point networks, and from
544 		 * those listed in /etc/gateways.
545 		 */
546 		if (aifp == 0) {
547 			msglim(&unk_router, FROM_NADDR,
548 			       "   discard response from %s"
549 			       " via unexpected interface",
550 			       naddr_ntoa(FROM_NADDR));
551 			return;
552 		}
553 		if (IS_RIP_IN_OFF(aifp->int_state)) {
554 			trace_pkt("    discard RIPv%d response"
555 				  " via disabled interface %s",
556 				  rip->rip_vers, aifp->int_name);
557 			return;
558 		}
559 
560 		if (n >= lim) {
561 			msglim(&bad_len, FROM_NADDR, "empty response from %s",
562 			       naddr_ntoa(FROM_NADDR));
563 			return;
564 		}
565 
566 		if (((aifp->int_state & IS_NO_RIPV1_IN)
567 		     && rip->rip_vers == RIPv1)
568 		    || ((aifp->int_state & IS_NO_RIPV2_IN)
569 			&& rip->rip_vers != RIPv1)) {
570 			trace_pkt("    discard RIPv%d response",
571 				  rip->rip_vers);
572 			return;
573 		}
574 
575 		/* Ignore routes via dead interface.
576 		 */
577 		if (aifp->int_state & IS_BROKE) {
578 			trace_pkt("discard response via broken interface %s",
579 				  aifp->int_name);
580 			return;
581 		}
582 
583 		/* If the interface cares, ignore bad routers.
584 		 * Trace but do not log this problem, because where it
585 		 * happens, it happens frequently.
586 		 */
587 		if (aifp->int_state & IS_DISTRUST) {
588 			tg = tgates;
589 			while (tg->tgate_addr != FROM_NADDR) {
590 				tg = tg->tgate_next;
591 				if (tg == 0) {
592 					trace_pkt("    discard RIP response"
593 						  " from untrusted router %s",
594 						  naddr_ntoa(FROM_NADDR));
595 					return;
596 				}
597 			}
598 		}
599 
600 		/* Authenticate the packet if we have a secret.
601 		 * If we do not have any secrets, ignore the error in
602 		 * RFC 1723 and accept it regardless.
603 		 */
604 		if (aifp->int_auth[0].type != RIP_AUTH_NONE
605 		    && rip->rip_vers != RIPv1
606 		    && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth))
607 			return;
608 
609 		do {
610 			if (n->n_family == RIP_AF_AUTH)
611 				continue;
612 
613 			n->n_metric = ntohl(n->n_metric);
614 			dst = n->n_dst;
615 			if (n->n_family != RIP_AF_INET
616 			    && (n->n_family != RIP_AF_UNSPEC
617 				|| dst != RIP_DEFAULT)) {
618 				msglim(&bad_router, FROM_NADDR,
619 				       "route from %s to unsupported"
620 				       " address family=%d destination=%s",
621 				       naddr_ntoa(FROM_NADDR),
622 				       n->n_family,
623 				       naddr_ntoa(dst));
624 				continue;
625 			}
626 			if (!check_dst(dst)) {
627 				msglim(&bad_router, FROM_NADDR,
628 				       "bad destination %s from %s",
629 				       naddr_ntoa(dst),
630 				       naddr_ntoa(FROM_NADDR));
631 				return;
632 			}
633 			if (n->n_metric == 0
634 			    || n->n_metric > HOPCNT_INFINITY) {
635 				msglim(&bad_router, FROM_NADDR,
636 				       "bad metric %d from %s"
637 				       " for destination %s",
638 				       n->n_metric,
639 				       naddr_ntoa(FROM_NADDR),
640 				       naddr_ntoa(dst));
641 				return;
642 			}
643 
644 			/* Notice the next-hop.
645 			 */
646 			gate = FROM_NADDR;
647 			if (n->n_nhop != 0) {
648 				if (rip->rip_vers == RIPv1) {
649 					n->n_nhop = 0;
650 				} else {
651 				    /* Use it only if it is valid. */
652 				    if (on_net(n->n_nhop,
653 					       aifp->int_net, aifp->int_mask)
654 					&& check_dst(n->n_nhop)) {
655 					    gate = n->n_nhop;
656 				    } else {
657 					    msglim(&bad_nhop, FROM_NADDR,
658 						   "router %s to %s"
659 						   " has bad next hop %s",
660 						   naddr_ntoa(FROM_NADDR),
661 						   naddr_ntoa(dst),
662 						   naddr_ntoa(n->n_nhop));
663 					    n->n_nhop = 0;
664 				    }
665 				}
666 			}
667 
668 			if (rip->rip_vers == RIPv1
669 			    || 0 == (mask = ntohl(n->n_mask))) {
670 				mask = ripv1_mask_host(dst,aifp);
671 			} else if ((ntohl(dst) & ~mask) != 0) {
672 				msglim(&bad_mask, FROM_NADDR,
673 				       "router %s sent bad netmask"
674 				       " %#lx with %s",
675 				       naddr_ntoa(FROM_NADDR),
676 				       (u_long)mask,
677 				       naddr_ntoa(dst));
678 				continue;
679 			}
680 			if (rip->rip_vers == RIPv1)
681 				n->n_tag = 0;
682 
683 			/* Adjust metric according to incoming interface..
684 			 */
685 			n->n_metric += (aifp->int_metric
686 					+ aifp->int_adj_inmetric);
687 			if (n->n_metric > HOPCNT_INFINITY)
688 				n->n_metric = HOPCNT_INFINITY;
689 
690 			/* Should we trust this route from this router? */
691 			if (tg && (tn = tg->tgate_nets)->mask != 0) {
692 				for (i = 0; i < MAX_TGATE_NETS; i++, tn++) {
693 					if (on_net(dst, tn->net, tn->mask)
694 					    && tn->mask <= mask)
695 					    break;
696 				}
697 				if (i >= MAX_TGATE_NETS || tn->mask == 0) {
698 					trace_pkt("   ignored unauthorized %s",
699 						  addrname(dst,mask,0));
700 					continue;
701 				}
702 			}
703 
704 			/* Recognize and ignore a default route we faked
705 			 * which is being sent back to us by a machine with
706 			 * broken split-horizon.
707 			 * Be a little more paranoid than that, and reject
708 			 * default routes with the same metric we advertised.
709 			 */
710 			if (aifp->int_d_metric != 0
711 			    && dst == RIP_DEFAULT
712 			    && (int)n->n_metric >= aifp->int_d_metric)
713 				continue;
714 
715 			/* We can receive aggregated RIPv2 routes that must
716 			 * be broken down before they are transmitted by
717 			 * RIPv1 via an interface on a subnet.
718 			 * We might also receive the same routes aggregated
719 			 * via other RIPv2 interfaces.
720 			 * This could cause duplicate routes to be sent on
721 			 * the RIPv1 interfaces.  "Longest matching variable
722 			 * length netmasks" lets RIPv2 listeners understand,
723 			 * but breaking down the aggregated routes for RIPv1
724 			 * listeners can produce duplicate routes.
725 			 *
726 			 * Breaking down aggregated routes here bloats
727 			 * the daemon table, but does not hurt the kernel
728 			 * table, since routes are always aggregated for
729 			 * the kernel.
730 			 *
731 			 * Notice that this does not break down network
732 			 * routes corresponding to subnets.  This is part
733 			 * of the defense against RS_NET_SYN.
734 			 */
735 			if (have_ripv1_out
736 			    && (((rt = rtget(dst,mask)) == 0
737 				 || !(rt->rt_state & RS_NET_SYN)))
738 			    && (v1_mask = ripv1_mask_net(dst,0)) > mask) {
739 				ddst_h = v1_mask & -v1_mask;
740 				i = (v1_mask & ~mask)/ddst_h;
741 				if (i >= 511) {
742 					/* Punt if we would have to generate
743 					 * an unreasonable number of routes.
744 					 */
745 					if (TRACECONTENTS)
746 					    trace_misc("accept %s-->%s as 1"
747 						       " instead of %d routes",
748 						       addrname(dst,mask,0),
749 						       naddr_ntoa(FROM_NADDR),
750 						       i+1);
751 					i = 0;
752 				} else {
753 					mask = v1_mask;
754 				}
755 			} else {
756 				i = 0;
757 			}
758 
759 			new.rts_gate = gate;
760 			new.rts_router = FROM_NADDR;
761 			new.rts_metric = n->n_metric;
762 			new.rts_tag = n->n_tag;
763 			new.rts_time = now.tv_sec;
764 			new.rts_ifp = aifp;
765 			new.rts_de_ag = i;
766 			j = 0;
767 			for (;;) {
768 				input_route(dst, mask, &new, n);
769 				if (++j > i)
770 					break;
771 				dst = htonl(ntohl(dst) + ddst_h);
772 			}
773 		} while (++n < lim);
774 		break;
775 	}
776 #undef FROM_NADDR
777 }
778 
779 
780 /* Process a single input route.
781  */
782 static void
783 input_route(naddr dst,			/* network order */
784 	    naddr mask,
785 	    struct rt_spare *new,
786 	    struct netinfo *n)
787 {
788 	int i;
789 	struct rt_entry *rt;
790 	struct rt_spare *rts, *rts0;
791 	struct interface *ifp1;
792 
793 
794 	/* See if the other guy is telling us to send our packets to him.
795 	 * Sometimes network routes arrive over a point-to-point link for
796 	 * the network containing the address(es) of the link.
797 	 *
798 	 * If our interface is broken, switch to using the other guy.
799 	 */
800 	ifp1 = ifwithaddr(dst, 1, 1);
801 	if (ifp1 != 0
802 	    && (!(ifp1->int_state & IS_BROKE)
803 		|| (ifp1->int_state & IS_PASSIVE)))
804 		return;
805 
806 	/* Look for the route in our table.
807 	 */
808 	rt = rtget(dst, mask);
809 
810 	/* Consider adding the route if we do not already have it.
811 	 */
812 	if (rt == 0) {
813 		/* Ignore unknown routes being poisoned.
814 		 */
815 		if (new->rts_metric == HOPCNT_INFINITY)
816 			return;
817 
818 		/* Ignore the route if it points to us */
819 		if (n->n_nhop != 0
820 		    && 0 != ifwithaddr(n->n_nhop, 1, 0))
821 			return;
822 
823 		/* If something has not gone crazy and tried to fill
824 		 * our memory, accept the new route.
825 		 */
826 		if (total_routes < MAX_ROUTES)
827 			rtadd(dst, mask, 0, new);
828 		return;
829 	}
830 
831 	/* We already know about the route.  Consider this update.
832 	 *
833 	 * If (rt->rt_state & RS_NET_SYN), then this route
834 	 * is the same as a network route we have inferred
835 	 * for subnets we know, in order to tell RIPv1 routers
836 	 * about the subnets.
837 	 *
838 	 * It is impossible to tell if the route is coming
839 	 * from a distant RIPv2 router with the standard
840 	 * netmask because that router knows about the entire
841 	 * network, or if it is a round-about echo of a
842 	 * synthetic, RIPv1 network route of our own.
843 	 * The worst is that both kinds of routes might be
844 	 * received, and the bad one might have the smaller
845 	 * metric.  Partly solve this problem by never
846 	 * aggregating into such a route.  Also keep it
847 	 * around as long as the interface exists.
848 	 */
849 
850 	rts0 = rt->rt_spares;
851 	for (rts = rts0, i = NUM_SPARES; i != 0; i--, rts++) {
852 		if (rts->rts_router == new->rts_router)
853 			break;
854 		/* Note the worst slot to reuse,
855 		 * other than the current slot.
856 		 */
857 		if (rts0 == rt->rt_spares
858 		    || BETTER_LINK(rt, rts0, rts))
859 			rts0 = rts;
860 	}
861 	if (i != 0) {
862 		/* Found a route from the router already in the table.
863 		 */
864 
865 		/* If the new route is a route broken down from an
866 		 * aggregated route, and if the previous route is either
867 		 * not a broken down route or was broken down from a finer
868 		 * netmask, and if the previous route is current,
869 		 * then forget this one.
870 		 */
871 		if (new->rts_de_ag > rts->rts_de_ag
872 		    && now_stale <= rts->rts_time)
873 			return;
874 
875 		/* Keep poisoned routes around only long enough to pass
876 		 * the poison on.  Use a new timestamp for good routes.
877 		 */
878 		if (rts->rts_metric == HOPCNT_INFINITY
879 		    && new->rts_metric == HOPCNT_INFINITY)
880 			new->rts_time = rts->rts_time;
881 
882 		/* If this is an update for the router we currently prefer,
883 		 * then note it.
884 		 */
885 		if (i == NUM_SPARES) {
886 			rtchange(rt, rt->rt_state, new, 0);
887 			/* If the route got worse, check for something better.
888 			 */
889 			if (new->rts_metric > rts->rts_metric)
890 				rtswitch(rt, 0);
891 			return;
892 		}
893 
894 		/* This is an update for a spare route.
895 		 * Finished if the route is unchanged.
896 		 */
897 		if (rts->rts_gate == new->rts_gate
898 		    && rts->rts_metric == new->rts_metric
899 		    && rts->rts_tag == new->rts_tag) {
900 			trace_upslot(rt, rts, new);
901 			*rts = *new;
902 			return;
903 		}
904 		/* Forget it if it has gone bad.
905 		 */
906 		if (new->rts_metric == HOPCNT_INFINITY) {
907 			rts_delete(rt, rts);
908 			return;
909 		}
910 
911 	} else {
912 		/* The update is for a route we know about,
913 		 * but not from a familiar router.
914 		 *
915 		 * Ignore the route if it points to us.
916 		 */
917 		if (n->n_nhop != 0
918 		    && 0 != ifwithaddr(n->n_nhop, 1, 0))
919 			return;
920 
921 		/* the loop above set rts0=worst spare */
922 		rts = rts0;
923 
924 		/* Save the route as a spare only if it has
925 		 * a better metric than our worst spare.
926 		 * This also ignores poisoned routes (those
927 		 * received with metric HOPCNT_INFINITY).
928 		 */
929 		if (new->rts_metric >= rts->rts_metric)
930 			return;
931 	}
932 
933 	trace_upslot(rt, rts, new);
934 	*rts = *new;
935 
936 	/* try to switch to a better route */
937 	rtswitch(rt, rts);
938 }
939 
940 
941 static int				/* 0 if bad */
942 ck_passwd(struct interface *aifp,
943 	  struct rip *rip,
944 	  void *lim,
945 	  naddr from,
946 	  struct msg_limit *use_authp)
947 {
948 #	define NA (rip->rip_auths)
949 	struct netauth *na2;
950 	struct auth *ap;
951 	MD5_CTX md5_ctx;
952 	u_char hash[RIP_AUTH_PW_LEN];
953 	int i, len;
954 
955 	assert(aifp != NULL);
956 	if ((void *)NA >= lim || NA->a_family != RIP_AF_AUTH) {
957 		msglim(use_authp, from, "missing password from %s",
958 		       naddr_ntoa(from));
959 		return 0;
960 	}
961 
962 	/* accept any current (+/- 24 hours) password
963 	 */
964 	for (ap = aifp->int_auth, i = 0; i < MAX_AUTH_KEYS; i++, ap++) {
965 		if (ap->type != NA->a_type
966 		    || (u_long)ap->start > (u_long)clk.tv_sec+DAY
967 		    || (u_long)ap->end+DAY < (u_long)clk.tv_sec)
968 			continue;
969 
970 		if (NA->a_type == RIP_AUTH_PW) {
971 			if (!memcmp(NA->au.au_pw, ap->key, RIP_AUTH_PW_LEN))
972 				return 1;
973 
974 		} else {
975 			/* accept MD5 secret with the right key ID
976 			 */
977 			if (NA->au.a_md5.md5_keyid != ap->keyid)
978 				continue;
979 
980 			len = ntohs(NA->au.a_md5.md5_pkt_len);
981 			if ((len-sizeof(*rip)) % sizeof(*NA) != 0
982 			    || len != (char *)lim-(char*)rip-(int)sizeof(*NA)) {
983 				msglim(use_authp, from,
984 				       "wrong MD5 RIPv2 packet length of %d"
985 				       " instead of %d from %s",
986 				       len, (int)((char *)lim-(char *)rip
987 						  -sizeof(*NA)),
988 				       naddr_ntoa(from));
989 				return 0;
990 			}
991 			na2 = (struct netauth *)((char *)rip+len);
992 
993 			/* Given a good hash value, these are not security
994 			 * problems so be generous and accept the routes,
995 			 * after complaining.
996 			 */
997 			if (TRACEPACKETS) {
998 				if (NA->au.a_md5.md5_auth_len
999 				    != RIP_AUTH_MD5_HASH_LEN)
1000 					msglim(use_authp, from,
1001 					       "unknown MD5 RIPv2 auth len %#x"
1002 					       " instead of %#x from %s",
1003 					       NA->au.a_md5.md5_auth_len,
1004 					       (unsigned)RIP_AUTH_MD5_HASH_LEN,
1005 					       naddr_ntoa(from));
1006 				if (na2->a_family != RIP_AF_AUTH)
1007 					msglim(use_authp, from,
1008 					       "unknown MD5 RIPv2 family %#x"
1009 					       " instead of %#x from %s",
1010 					       na2->a_family, RIP_AF_AUTH,
1011 					       naddr_ntoa(from));
1012 				if (na2->a_type != ntohs(1))
1013 					msglim(use_authp, from,
1014 					       "MD5 RIPv2 hash has %#x"
1015 					       " instead of %#x from %s",
1016 					       na2->a_type, ntohs(1),
1017 					       naddr_ntoa(from));
1018 			}
1019 
1020 			MD5Init(&md5_ctx);
1021 			MD5Update(&md5_ctx, (u_char *)rip,
1022 				  len + RIP_AUTH_MD5_HASH_XTRA);
1023 			MD5Update(&md5_ctx, ap->key, RIP_AUTH_MD5_KEY_LEN);
1024 			MD5Final(hash, &md5_ctx);
1025 			if (!memcmp(hash, na2->au.au_pw, sizeof(hash)))
1026 				return 1;
1027 		}
1028 	}
1029 
1030 	msglim(use_authp, from, "bad password from %s",
1031 	       naddr_ntoa(from));
1032 	return 0;
1033 #undef NA
1034 }
1035