1 /*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1983, 1988, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 * 31 * $FreeBSD$ 32 */ 33 34 #include "defs.h" 35 36 __RCSID("$FreeBSD$"); 37 38 static void input(struct sockaddr_in *, struct interface *, struct interface *, 39 struct rip *, int); 40 static void input_route(naddr, naddr, struct rt_spare *, struct netinfo *); 41 static int ck_passwd(struct interface *, struct rip *, void *, 42 naddr, struct msg_limit *); 43 44 45 /* process RIP input 46 */ 47 void 48 read_rip(int sock, 49 struct interface *sifp) 50 { 51 struct sockaddr_in from; 52 struct interface *aifp; 53 socklen_t fromlen; 54 int cc; 55 #ifdef USE_PASSIFNAME 56 static struct msg_limit bad_name; 57 struct { 58 char ifname[IFNAMSIZ]; 59 union pkt_buf pbuf; 60 } inbuf; 61 #else 62 struct { 63 union pkt_buf pbuf; 64 } inbuf; 65 #endif 66 67 68 for (;;) { 69 fromlen = sizeof(from); 70 cc = recvfrom(sock, &inbuf, sizeof(inbuf), 0, 71 (struct sockaddr*)&from, &fromlen); 72 if (cc <= 0) { 73 if (cc < 0 && errno != EWOULDBLOCK) 74 LOGERR("recvfrom(rip)"); 75 break; 76 } 77 if (fromlen != sizeof(struct sockaddr_in)) 78 logbad(1,"impossible recvfrom(rip) fromlen=%d", 79 (int)fromlen); 80 81 /* aifp is the "authenticated" interface via which the packet 82 * arrived. In fact, it is only the interface on which 83 * the packet should have arrived based on is source 84 * address. 85 * sifp is interface associated with the socket through which 86 * the packet was received. 87 */ 88 #ifdef USE_PASSIFNAME 89 if ((cc -= sizeof(inbuf.ifname)) < 0) 90 logbad(0,"missing USE_PASSIFNAME; only %d bytes", 91 cc+sizeof(inbuf.ifname)); 92 93 /* check the remote interfaces first */ 94 LIST_FOREACH(aifp, &remote_if, remote_list) { 95 if (aifp->int_addr == from.sin_addr.s_addr) 96 break; 97 } 98 if (aifp == NULL) { 99 aifp = ifwithname(inbuf.ifname, 0); 100 if (aifp == NULL) { 101 msglim(&bad_name, from.sin_addr.s_addr, 102 "impossible interface name %.*s", 103 IFNAMSIZ, inbuf.ifname); 104 } else if (((aifp->int_if_flags & IFF_POINTOPOINT) 105 && aifp->int_dstaddr!=from.sin_addr.s_addr) 106 || (!(aifp->int_if_flags & IFF_POINTOPOINT) 107 && !on_net(from.sin_addr.s_addr, 108 aifp->int_net, 109 aifp->int_mask))) { 110 /* If it came via the wrong interface, do not 111 * trust it. 112 */ 113 aifp = NULL; 114 } 115 } 116 #else 117 aifp = iflookup(from.sin_addr.s_addr); 118 #endif 119 if (sifp == NULL) 120 sifp = aifp; 121 122 input(&from, sifp, aifp, &inbuf.pbuf.rip, cc); 123 } 124 } 125 126 127 /* Process a RIP packet 128 */ 129 static void 130 input(struct sockaddr_in *from, /* received from this IP address */ 131 struct interface *sifp, /* interface of incoming socket */ 132 struct interface *aifp, /* "authenticated" interface */ 133 struct rip *rip, 134 int cc) 135 { 136 # define FROM_NADDR from->sin_addr.s_addr 137 static struct msg_limit use_auth, bad_len, bad_mask; 138 static struct msg_limit unk_router, bad_router, bad_nhop; 139 140 struct rt_entry *rt; 141 struct rt_spare new; 142 struct netinfo *n, *lim; 143 struct interface *ifp1; 144 naddr gate, mask, v1_mask, dst, ddst_h = 0; 145 struct auth *ap; 146 struct tgate *tg = NULL; 147 struct tgate_net *tn; 148 int i, j; 149 150 /* Notice when we hear from a remote gateway 151 */ 152 if (aifp != NULL 153 && (aifp->int_state & IS_REMOTE)) 154 aifp->int_act_time = now.tv_sec; 155 156 trace_rip("Recv", "from", from, sifp, rip, cc); 157 158 if (sifp == NULL) { 159 trace_pkt(" discard a request from an indirect router" 160 " (possibly an attack)"); 161 return; 162 } 163 164 if (rip->rip_vers == 0) { 165 msglim(&bad_router, FROM_NADDR, 166 "RIP version 0, cmd %d, packet received from %s", 167 rip->rip_cmd, naddr_ntoa(FROM_NADDR)); 168 return; 169 } else if (rip->rip_vers > RIPv2) { 170 rip->rip_vers = RIPv2; 171 } 172 if (cc > (int)OVER_MAXPACKETSIZE) { 173 msglim(&bad_router, FROM_NADDR, 174 "packet at least %d bytes too long received from %s", 175 cc-MAXPACKETSIZE, naddr_ntoa(FROM_NADDR)); 176 return; 177 } 178 179 n = rip->rip_nets; 180 lim = (struct netinfo *)((char*)rip + cc); 181 182 /* Notice authentication. 183 * As required by section 4.2 in RFC 1723, discard authenticated 184 * RIPv2 messages, but only if configured for that silliness. 185 * 186 * RIPv2 authentication is lame. Why authenticate queries? 187 * Why should a RIPv2 implementation with authentication disabled 188 * not be able to listen to RIPv2 packets with authentication, while 189 * RIPv1 systems will listen? Crazy! 190 */ 191 if (!auth_ok 192 && rip->rip_vers == RIPv2 193 && n < lim && n->n_family == RIP_AF_AUTH) { 194 msglim(&use_auth, FROM_NADDR, 195 "RIPv2 message with authentication from %s discarded", 196 naddr_ntoa(FROM_NADDR)); 197 return; 198 } 199 200 switch (rip->rip_cmd) { 201 case RIPCMD_REQUEST: 202 /* For mere requests, be a little sloppy about the source 203 */ 204 if (aifp == NULL) 205 aifp = sifp; 206 207 /* Are we talking to ourself or a remote gateway? 208 */ 209 ifp1 = ifwithaddr(FROM_NADDR, 0, 1); 210 if (ifp1) { 211 if (ifp1->int_state & IS_REMOTE) { 212 /* remote gateway */ 213 aifp = ifp1; 214 if (check_remote(aifp)) { 215 aifp->int_act_time = now.tv_sec; 216 (void)if_ok(aifp, "remote "); 217 } 218 } else if (from->sin_port == htons(RIP_PORT)) { 219 trace_pkt(" discard our own RIP request"); 220 return; 221 } 222 } 223 224 /* did the request come from a router? 225 */ 226 if (from->sin_port == htons(RIP_PORT)) { 227 /* yes, ignore the request if RIP is off so that 228 * the router does not depend on us. 229 */ 230 if (rip_sock < 0 231 || (aifp != NULL 232 && IS_RIP_OUT_OFF(aifp->int_state))) { 233 trace_pkt(" discard request while RIP off"); 234 return; 235 } 236 } 237 238 /* According to RFC 1723, we should ignore unauthenticated 239 * queries. That is too silly to bother with. Sheesh! 240 * Are forwarding tables supposed to be secret, when 241 * a bad guy can infer them with test traffic? When RIP 242 * is still the most common router-discovery protocol 243 * and so hosts need to send queries that will be answered? 244 * What about `rtquery`? 245 * Maybe on firewalls you'd care, but not enough to 246 * give up the diagnostic facilities of remote probing. 247 */ 248 249 if (n >= lim) { 250 msglim(&bad_len, FROM_NADDR, "empty request from %s", 251 naddr_ntoa(FROM_NADDR)); 252 return; 253 } 254 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) { 255 msglim(&bad_len, FROM_NADDR, 256 "request of bad length (%d) from %s", 257 cc, naddr_ntoa(FROM_NADDR)); 258 } 259 260 if (rip->rip_vers == RIPv2 261 && (aifp == NULL || (aifp->int_state & IS_NO_RIPV1_OUT))) { 262 v12buf.buf->rip_vers = RIPv2; 263 /* If we have a secret but it is a cleartext secret, 264 * do not disclose our secret unless the other guy 265 * already knows it. 266 */ 267 ap = find_auth(aifp); 268 if (ap != NULL && ap->type == RIP_AUTH_PW 269 && n->n_family == RIP_AF_AUTH 270 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth)) 271 ap = NULL; 272 } else { 273 v12buf.buf->rip_vers = RIPv1; 274 ap = NULL; 275 } 276 clr_ws_buf(&v12buf, ap); 277 278 do { 279 n->n_metric = ntohl(n->n_metric); 280 281 /* A single entry with family RIP_AF_UNSPEC and 282 * metric HOPCNT_INFINITY means "all routes". 283 * We respond to routers only if we are acting 284 * as a supplier, or to anyone other than a router 285 * (i.e. a query). 286 */ 287 if (n->n_family == RIP_AF_UNSPEC 288 && n->n_metric == HOPCNT_INFINITY) { 289 /* Answer a query from a utility program 290 * with all we know. 291 */ 292 if (aifp == NULL) { 293 trace_pkt("ignore remote query"); 294 return; 295 } 296 if (from->sin_port != htons(RIP_PORT)) { 297 /* 298 * insecure: query from non-router node 299 * > 1: allow from distant node 300 * > 0: allow from neighbor node 301 * == 0: deny 302 */ 303 if ((aifp != NULL && insecure > 0) || 304 (aifp == NULL && insecure > 1)) 305 supply(from, aifp, OUT_QUERY, 0, 306 rip->rip_vers, 307 ap != NULL); 308 else 309 trace_pkt("Warning: " 310 "possible attack detected"); 311 return; 312 } 313 314 /* A router trying to prime its tables. 315 * Filter the answer in the about same way 316 * broadcasts are filtered. 317 * 318 * Only answer a router if we are a supplier 319 * to keep an unwary host that is just starting 320 * from picking us as a router. 321 */ 322 if (aifp == NULL) { 323 trace_pkt("ignore distant router"); 324 return; 325 } 326 if (!supplier 327 || IS_RIP_OFF(aifp->int_state)) { 328 trace_pkt("ignore; not supplying"); 329 return; 330 } 331 332 /* Do not answer a RIPv1 router if 333 * we are sending RIPv2. But do offer 334 * poor man's router discovery. 335 */ 336 if ((aifp->int_state & IS_NO_RIPV1_OUT) 337 && rip->rip_vers == RIPv1) { 338 if (!(aifp->int_state & IS_PM_RDISC)) { 339 trace_pkt("ignore; sending RIPv2"); 340 return; 341 } 342 343 v12buf.n->n_family = RIP_AF_INET; 344 v12buf.n->n_dst = RIP_DEFAULT; 345 i = aifp->int_d_metric; 346 if (NULL != (rt = rtget(RIP_DEFAULT, 0))) { 347 j = (rt->rt_metric 348 +aifp->int_metric 349 +aifp->int_adj_outmetric 350 +1); 351 if (i > j) 352 i = j; 353 } 354 v12buf.n->n_metric = htonl(i); 355 v12buf.n++; 356 break; 357 } 358 359 /* Respond with RIPv1 instead of RIPv2 if 360 * that is what we are broadcasting on the 361 * interface to keep the remote router from 362 * getting the wrong initial idea of the 363 * routes we send. 364 */ 365 supply(from, aifp, OUT_UNICAST, 0, 366 (aifp->int_state & IS_NO_RIPV1_OUT) 367 ? RIPv2 : RIPv1, 368 ap != NULL); 369 return; 370 } 371 372 /* Ignore authentication */ 373 if (n->n_family == RIP_AF_AUTH) 374 continue; 375 376 if (n->n_family != RIP_AF_INET) { 377 msglim(&bad_router, FROM_NADDR, 378 "request from %s for unsupported" 379 " (af %d) %s", 380 naddr_ntoa(FROM_NADDR), 381 ntohs(n->n_family), 382 naddr_ntoa(n->n_dst)); 383 return; 384 } 385 386 /* We are being asked about a specific destination. 387 */ 388 dst = n->n_dst; 389 if (!check_dst(dst)) { 390 msglim(&bad_router, FROM_NADDR, 391 "bad queried destination %s from %s", 392 naddr_ntoa(dst), 393 naddr_ntoa(FROM_NADDR)); 394 return; 395 } 396 397 /* decide what mask was intended */ 398 if (rip->rip_vers == RIPv1 399 || 0 == (mask = ntohl(n->n_mask)) 400 || 0 != (ntohl(dst) & ~mask)) 401 mask = ripv1_mask_host(dst, aifp); 402 403 /* try to find the answer */ 404 rt = rtget(dst, mask); 405 if (!rt && dst != RIP_DEFAULT) 406 rt = rtfind(n->n_dst); 407 408 if (v12buf.buf->rip_vers != RIPv1) 409 v12buf.n->n_mask = mask; 410 if (rt == NULL) { 411 /* we do not have the answer */ 412 v12buf.n->n_metric = HOPCNT_INFINITY; 413 } else { 414 /* we have the answer, so compute the 415 * right metric and next hop. 416 */ 417 v12buf.n->n_family = RIP_AF_INET; 418 v12buf.n->n_dst = dst; 419 j = rt->rt_metric+1; 420 if (!aifp) 421 ++j; 422 else 423 j += (aifp->int_metric 424 + aifp->int_adj_outmetric); 425 if (j < HOPCNT_INFINITY) 426 v12buf.n->n_metric = j; 427 else 428 v12buf.n->n_metric = HOPCNT_INFINITY; 429 if (v12buf.buf->rip_vers != RIPv1) { 430 v12buf.n->n_tag = rt->rt_tag; 431 v12buf.n->n_mask = mask; 432 if (aifp != NULL 433 && on_net(rt->rt_gate, 434 aifp->int_net, 435 aifp->int_mask) 436 && rt->rt_gate != aifp->int_addr) 437 v12buf.n->n_nhop = rt->rt_gate; 438 } 439 } 440 v12buf.n->n_metric = htonl(v12buf.n->n_metric); 441 442 /* Stop paying attention if we fill the output buffer. 443 */ 444 if (++v12buf.n >= v12buf.lim) 445 break; 446 } while (++n < lim); 447 448 /* Send the answer about specific routes. 449 */ 450 if (ap != NULL && ap->type == RIP_AUTH_MD5) 451 end_md5_auth(&v12buf, ap); 452 453 if (from->sin_port != htons(RIP_PORT)) { 454 /* query */ 455 (void)output(OUT_QUERY, from, aifp, 456 v12buf.buf, 457 ((char *)v12buf.n - (char*)v12buf.buf)); 458 } else if (supplier) { 459 (void)output(OUT_UNICAST, from, aifp, 460 v12buf.buf, 461 ((char *)v12buf.n - (char*)v12buf.buf)); 462 } else { 463 /* Only answer a router if we are a supplier 464 * to keep an unwary host that is just starting 465 * from picking us an a router. 466 */ 467 ; 468 } 469 return; 470 471 case RIPCMD_TRACEON: 472 case RIPCMD_TRACEOFF: 473 /* Notice that trace messages are turned off for all possible 474 * abuse if _PATH_TRACE is undefined in pathnames.h. 475 * Notice also that because of the way the trace file is 476 * handled in trace.c, no abuse is plausible even if 477 * _PATH_TRACE_ is defined. 478 * 479 * First verify message came from a privileged port. */ 480 if (ntohs(from->sin_port) > IPPORT_RESERVED) { 481 msglog("trace command from untrusted port on %s", 482 naddr_ntoa(FROM_NADDR)); 483 return; 484 } 485 if (aifp == NULL) { 486 msglog("trace command from unknown router %s", 487 naddr_ntoa(FROM_NADDR)); 488 return; 489 } 490 if (rip->rip_cmd == RIPCMD_TRACEON) { 491 rip->rip_tracefile[cc-4] = '\0'; 492 set_tracefile((char*)rip->rip_tracefile, 493 "trace command: %s\n", 0); 494 } else { 495 trace_off("tracing turned off by %s", 496 naddr_ntoa(FROM_NADDR)); 497 } 498 return; 499 500 case RIPCMD_RESPONSE: 501 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) { 502 msglim(&bad_len, FROM_NADDR, 503 "response of bad length (%d) from %s", 504 cc, naddr_ntoa(FROM_NADDR)); 505 } 506 507 /* verify message came from a router */ 508 if (from->sin_port != ntohs(RIP_PORT)) { 509 msglim(&bad_router, FROM_NADDR, 510 " discard RIP response from unknown port" 511 " %d on %s", 512 ntohs(from->sin_port), naddr_ntoa(FROM_NADDR)); 513 return; 514 } 515 516 if (rip_sock < 0) { 517 trace_pkt(" discard response while RIP off"); 518 return; 519 } 520 521 /* Are we talking to ourself or a remote gateway? 522 */ 523 ifp1 = ifwithaddr(FROM_NADDR, 0, 1); 524 if (ifp1) { 525 if (ifp1->int_state & IS_REMOTE) { 526 /* remote gateway */ 527 aifp = ifp1; 528 if (check_remote(aifp)) { 529 aifp->int_act_time = now.tv_sec; 530 (void)if_ok(aifp, "remote "); 531 } 532 } else { 533 trace_pkt(" discard our own RIP response"); 534 return; 535 } 536 } 537 538 /* Accept routing packets from routers directly connected 539 * via broadcast or point-to-point networks, and from 540 * those listed in /etc/gateways. 541 */ 542 if (aifp == NULL) { 543 msglim(&unk_router, FROM_NADDR, 544 " discard response from %s" 545 " via unexpected interface", 546 naddr_ntoa(FROM_NADDR)); 547 return; 548 } 549 if (IS_RIP_IN_OFF(aifp->int_state)) { 550 trace_pkt(" discard RIPv%d response" 551 " via disabled interface %s", 552 rip->rip_vers, aifp->int_name); 553 return; 554 } 555 556 if (n >= lim) { 557 msglim(&bad_len, FROM_NADDR, "empty response from %s", 558 naddr_ntoa(FROM_NADDR)); 559 return; 560 } 561 562 if (((aifp->int_state & IS_NO_RIPV1_IN) 563 && rip->rip_vers == RIPv1) 564 || ((aifp->int_state & IS_NO_RIPV2_IN) 565 && rip->rip_vers != RIPv1)) { 566 trace_pkt(" discard RIPv%d response", 567 rip->rip_vers); 568 return; 569 } 570 571 /* Ignore routes via dead interface. 572 */ 573 if (aifp->int_state & IS_BROKE) { 574 trace_pkt("discard response via broken interface %s", 575 aifp->int_name); 576 return; 577 } 578 579 /* If the interface cares, ignore bad routers. 580 * Trace but do not log this problem, because where it 581 * happens, it happens frequently. 582 */ 583 if (aifp->int_state & IS_DISTRUST) { 584 tg = tgates; 585 while (tg->tgate_addr != FROM_NADDR) { 586 tg = tg->tgate_next; 587 if (tg == NULL) { 588 trace_pkt(" discard RIP response" 589 " from untrusted router %s", 590 naddr_ntoa(FROM_NADDR)); 591 return; 592 } 593 } 594 } 595 596 /* Authenticate the packet if we have a secret. 597 * If we do not have any secrets, ignore the error in 598 * RFC 1723 and accept it regardless. 599 */ 600 if (aifp->int_auth[0].type != RIP_AUTH_NONE 601 && rip->rip_vers != RIPv1 602 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth)) 603 return; 604 605 do { 606 if (n->n_family == RIP_AF_AUTH) 607 continue; 608 609 n->n_metric = ntohl(n->n_metric); 610 dst = n->n_dst; 611 if (n->n_family != RIP_AF_INET 612 && (n->n_family != RIP_AF_UNSPEC 613 || dst != RIP_DEFAULT)) { 614 msglim(&bad_router, FROM_NADDR, 615 "route from %s to unsupported" 616 " address family=%d destination=%s", 617 naddr_ntoa(FROM_NADDR), 618 n->n_family, 619 naddr_ntoa(dst)); 620 continue; 621 } 622 if (!check_dst(dst)) { 623 msglim(&bad_router, FROM_NADDR, 624 "bad destination %s from %s", 625 naddr_ntoa(dst), 626 naddr_ntoa(FROM_NADDR)); 627 return; 628 } 629 if (n->n_metric == 0 630 || n->n_metric > HOPCNT_INFINITY) { 631 msglim(&bad_router, FROM_NADDR, 632 "bad metric %d from %s" 633 " for destination %s", 634 n->n_metric, 635 naddr_ntoa(FROM_NADDR), 636 naddr_ntoa(dst)); 637 return; 638 } 639 640 /* Notice the next-hop. 641 */ 642 gate = FROM_NADDR; 643 if (n->n_nhop != 0) { 644 if (rip->rip_vers == RIPv1) { 645 n->n_nhop = 0; 646 } else { 647 /* Use it only if it is valid. */ 648 if (on_net(n->n_nhop, 649 aifp->int_net, aifp->int_mask) 650 && check_dst(n->n_nhop)) { 651 gate = n->n_nhop; 652 } else { 653 msglim(&bad_nhop, FROM_NADDR, 654 "router %s to %s" 655 " has bad next hop %s", 656 naddr_ntoa(FROM_NADDR), 657 naddr_ntoa(dst), 658 naddr_ntoa(n->n_nhop)); 659 n->n_nhop = 0; 660 } 661 } 662 } 663 664 if (rip->rip_vers == RIPv1 665 || 0 == (mask = ntohl(n->n_mask))) { 666 mask = ripv1_mask_host(dst,aifp); 667 } else if ((ntohl(dst) & ~mask) != 0) { 668 msglim(&bad_mask, FROM_NADDR, 669 "router %s sent bad netmask" 670 " %#lx with %s", 671 naddr_ntoa(FROM_NADDR), 672 (u_long)mask, 673 naddr_ntoa(dst)); 674 continue; 675 } 676 if (rip->rip_vers == RIPv1) 677 n->n_tag = 0; 678 679 /* Adjust metric according to incoming interface.. 680 */ 681 n->n_metric += (aifp->int_metric 682 + aifp->int_adj_inmetric); 683 if (n->n_metric > HOPCNT_INFINITY) 684 n->n_metric = HOPCNT_INFINITY; 685 686 /* Should we trust this route from this router? */ 687 if (tg && (tn = tg->tgate_nets)->mask != 0) { 688 for (i = 0; i < MAX_TGATE_NETS; i++, tn++) { 689 if (on_net(dst, tn->net, tn->mask) 690 && tn->mask <= mask) 691 break; 692 } 693 if (i >= MAX_TGATE_NETS || tn->mask == 0) { 694 trace_pkt(" ignored unauthorized %s", 695 addrname(dst,mask,0)); 696 continue; 697 } 698 } 699 700 /* Recognize and ignore a default route we faked 701 * which is being sent back to us by a machine with 702 * broken split-horizon. 703 * Be a little more paranoid than that, and reject 704 * default routes with the same metric we advertised. 705 */ 706 if (aifp->int_d_metric != 0 707 && dst == RIP_DEFAULT 708 && (int)n->n_metric >= aifp->int_d_metric) 709 continue; 710 711 /* We can receive aggregated RIPv2 routes that must 712 * be broken down before they are transmitted by 713 * RIPv1 via an interface on a subnet. 714 * We might also receive the same routes aggregated 715 * via other RIPv2 interfaces. 716 * This could cause duplicate routes to be sent on 717 * the RIPv1 interfaces. "Longest matching variable 718 * length netmasks" lets RIPv2 listeners understand, 719 * but breaking down the aggregated routes for RIPv1 720 * listeners can produce duplicate routes. 721 * 722 * Breaking down aggregated routes here bloats 723 * the daemon table, but does not hurt the kernel 724 * table, since routes are always aggregated for 725 * the kernel. 726 * 727 * Notice that this does not break down network 728 * routes corresponding to subnets. This is part 729 * of the defense against RS_NET_SYN. 730 */ 731 if (have_ripv1_out 732 && (((rt = rtget(dst,mask)) == NULL 733 || !(rt->rt_state & RS_NET_SYN))) 734 && (v1_mask = ripv1_mask_net(dst,0)) > mask) { 735 ddst_h = v1_mask & -v1_mask; 736 i = (v1_mask & ~mask)/ddst_h; 737 if (i >= 511) { 738 /* Punt if we would have to generate 739 * an unreasonable number of routes. 740 */ 741 if (TRACECONTENTS) 742 trace_misc("accept %s-->%s as 1" 743 " instead of %d routes", 744 addrname(dst,mask,0), 745 naddr_ntoa(FROM_NADDR), 746 i+1); 747 i = 0; 748 } else { 749 mask = v1_mask; 750 } 751 } else { 752 i = 0; 753 } 754 755 new.rts_gate = gate; 756 new.rts_router = FROM_NADDR; 757 new.rts_metric = n->n_metric; 758 new.rts_tag = n->n_tag; 759 new.rts_time = now.tv_sec; 760 new.rts_ifp = aifp; 761 new.rts_de_ag = i; 762 j = 0; 763 for (;;) { 764 input_route(dst, mask, &new, n); 765 if (++j > i) 766 break; 767 dst = htonl(ntohl(dst) + ddst_h); 768 } 769 } while (++n < lim); 770 break; 771 } 772 #undef FROM_NADDR 773 } 774 775 776 /* Process a single input route. 777 */ 778 static void 779 input_route(naddr dst, /* network order */ 780 naddr mask, 781 struct rt_spare *new, 782 struct netinfo *n) 783 { 784 int i; 785 struct rt_entry *rt; 786 struct rt_spare *rts, *rts0; 787 struct interface *ifp1; 788 789 790 /* See if the other guy is telling us to send our packets to him. 791 * Sometimes network routes arrive over a point-to-point link for 792 * the network containing the address(es) of the link. 793 * 794 * If our interface is broken, switch to using the other guy. 795 */ 796 ifp1 = ifwithaddr(dst, 1, 1); 797 if (ifp1 != NULL 798 && (!(ifp1->int_state & IS_BROKE) 799 || (ifp1->int_state & IS_PASSIVE))) 800 return; 801 802 /* Look for the route in our table. 803 */ 804 rt = rtget(dst, mask); 805 806 /* Consider adding the route if we do not already have it. 807 */ 808 if (rt == NULL) { 809 /* Ignore unknown routes being poisoned. 810 */ 811 if (new->rts_metric == HOPCNT_INFINITY) 812 return; 813 814 /* Ignore the route if it points to us */ 815 if (n->n_nhop != 0 816 && ifwithaddr(n->n_nhop, 1, 0) != NULL) 817 return; 818 819 /* If something has not gone crazy and tried to fill 820 * our memory, accept the new route. 821 */ 822 if (total_routes < MAX_ROUTES) 823 rtadd(dst, mask, 0, new); 824 return; 825 } 826 827 /* We already know about the route. Consider this update. 828 * 829 * If (rt->rt_state & RS_NET_SYN), then this route 830 * is the same as a network route we have inferred 831 * for subnets we know, in order to tell RIPv1 routers 832 * about the subnets. 833 * 834 * It is impossible to tell if the route is coming 835 * from a distant RIPv2 router with the standard 836 * netmask because that router knows about the entire 837 * network, or if it is a round-about echo of a 838 * synthetic, RIPv1 network route of our own. 839 * The worst is that both kinds of routes might be 840 * received, and the bad one might have the smaller 841 * metric. Partly solve this problem by never 842 * aggregating into such a route. Also keep it 843 * around as long as the interface exists. 844 */ 845 846 rts0 = rt->rt_spares; 847 for (rts = rts0, i = NUM_SPARES; i != 0; i--, rts++) { 848 if (rts->rts_router == new->rts_router) 849 break; 850 /* Note the worst slot to reuse, 851 * other than the current slot. 852 */ 853 if (rts0 == rt->rt_spares 854 || BETTER_LINK(rt, rts0, rts)) 855 rts0 = rts; 856 } 857 if (i != 0) { 858 /* Found a route from the router already in the table. 859 */ 860 861 /* If the new route is a route broken down from an 862 * aggregated route, and if the previous route is either 863 * not a broken down route or was broken down from a finer 864 * netmask, and if the previous route is current, 865 * then forget this one. 866 */ 867 if (new->rts_de_ag > rts->rts_de_ag 868 && now_stale <= rts->rts_time) 869 return; 870 871 /* Keep poisoned routes around only long enough to pass 872 * the poison on. Use a new timestamp for good routes. 873 */ 874 if (rts->rts_metric == HOPCNT_INFINITY 875 && new->rts_metric == HOPCNT_INFINITY) 876 new->rts_time = rts->rts_time; 877 878 /* If this is an update for the router we currently prefer, 879 * then note it. 880 */ 881 if (i == NUM_SPARES) { 882 rtchange(rt, rt->rt_state, new, 0); 883 /* If the route got worse, check for something better. 884 */ 885 if (new->rts_metric > rts->rts_metric) 886 rtswitch(rt, 0); 887 return; 888 } 889 890 /* This is an update for a spare route. 891 * Finished if the route is unchanged. 892 */ 893 if (rts->rts_gate == new->rts_gate 894 && rts->rts_metric == new->rts_metric 895 && rts->rts_tag == new->rts_tag) { 896 trace_upslot(rt, rts, new); 897 *rts = *new; 898 return; 899 } 900 /* Forget it if it has gone bad. 901 */ 902 if (new->rts_metric == HOPCNT_INFINITY) { 903 rts_delete(rt, rts); 904 return; 905 } 906 907 } else { 908 /* The update is for a route we know about, 909 * but not from a familiar router. 910 * 911 * Ignore the route if it points to us. 912 */ 913 if (n->n_nhop != 0 914 && NULL != ifwithaddr(n->n_nhop, 1, 0)) 915 return; 916 917 /* the loop above set rts0=worst spare */ 918 rts = rts0; 919 920 /* Save the route as a spare only if it has 921 * a better metric than our worst spare. 922 * This also ignores poisoned routes (those 923 * received with metric HOPCNT_INFINITY). 924 */ 925 if (new->rts_metric >= rts->rts_metric) 926 return; 927 } 928 929 trace_upslot(rt, rts, new); 930 *rts = *new; 931 932 /* try to switch to a better route */ 933 rtswitch(rt, rts); 934 } 935 936 937 static int /* 0 if bad */ 938 ck_passwd(struct interface *aifp, 939 struct rip *rip, 940 void *lim, 941 naddr from, 942 struct msg_limit *use_authp) 943 { 944 # define NA (rip->rip_auths) 945 struct netauth *na2; 946 struct auth *ap; 947 MD5_CTX md5_ctx; 948 u_char hash[RIP_AUTH_PW_LEN]; 949 int i, len; 950 951 assert(aifp != NULL); 952 if ((void *)NA >= lim || NA->a_family != RIP_AF_AUTH) { 953 msglim(use_authp, from, "missing password from %s", 954 naddr_ntoa(from)); 955 return 0; 956 } 957 958 /* accept any current (+/- 24 hours) password 959 */ 960 for (ap = aifp->int_auth, i = 0; i < MAX_AUTH_KEYS; i++, ap++) { 961 if (ap->type != NA->a_type 962 || (u_long)ap->start > (u_long)clk.tv_sec+DAY 963 || (u_long)ap->end+DAY < (u_long)clk.tv_sec) 964 continue; 965 966 if (NA->a_type == RIP_AUTH_PW) { 967 if (!memcmp(NA->au.au_pw, ap->key, RIP_AUTH_PW_LEN)) 968 return 1; 969 970 } else { 971 /* accept MD5 secret with the right key ID 972 */ 973 if (NA->au.a_md5.md5_keyid != ap->keyid) 974 continue; 975 976 len = ntohs(NA->au.a_md5.md5_pkt_len); 977 if ((len-sizeof(*rip)) % sizeof(*NA) != 0 978 || len != (char *)lim-(char*)rip-(int)sizeof(*NA)) { 979 msglim(use_authp, from, 980 "wrong MD5 RIPv2 packet length of %d" 981 " instead of %d from %s", 982 len, (int)((char *)lim-(char *)rip 983 -sizeof(*NA)), 984 naddr_ntoa(from)); 985 return 0; 986 } 987 na2 = (struct netauth *)((char *)rip+len); 988 989 /* Given a good hash value, these are not security 990 * problems so be generous and accept the routes, 991 * after complaining. 992 */ 993 if (TRACEPACKETS) { 994 if (NA->au.a_md5.md5_auth_len 995 != RIP_AUTH_MD5_HASH_LEN) 996 msglim(use_authp, from, 997 "unknown MD5 RIPv2 auth len %#x" 998 " instead of %#x from %s", 999 NA->au.a_md5.md5_auth_len, 1000 (unsigned)RIP_AUTH_MD5_HASH_LEN, 1001 naddr_ntoa(from)); 1002 if (na2->a_family != RIP_AF_AUTH) 1003 msglim(use_authp, from, 1004 "unknown MD5 RIPv2 family %#x" 1005 " instead of %#x from %s", 1006 na2->a_family, RIP_AF_AUTH, 1007 naddr_ntoa(from)); 1008 if (na2->a_type != ntohs(1)) 1009 msglim(use_authp, from, 1010 "MD5 RIPv2 hash has %#x" 1011 " instead of %#x from %s", 1012 na2->a_type, ntohs(1), 1013 naddr_ntoa(from)); 1014 } 1015 1016 MD5Init(&md5_ctx); 1017 MD5Update(&md5_ctx, (u_char *)rip, 1018 len + RIP_AUTH_MD5_HASH_XTRA); 1019 MD5Update(&md5_ctx, ap->key, RIP_AUTH_MD5_KEY_LEN); 1020 MD5Final(hash, &md5_ctx); 1021 if (!memcmp(hash, na2->au.au_pw, sizeof(hash))) 1022 return 1; 1023 } 1024 } 1025 1026 msglim(use_authp, from, "bad password from %s", 1027 naddr_ntoa(from)); 1028 return 0; 1029 #undef NA 1030 } 1031