1 /* 2 * Copyright (c) 1983, 1988, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 4. Neither the name of the University nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 * $FreeBSD$ 30 */ 31 32 #include "defs.h" 33 34 #ifdef __NetBSD__ 35 __RCSID("$NetBSD$"); 36 #elif defined(__FreeBSD__) 37 __RCSID("$FreeBSD$"); 38 #else 39 __RCSID("$Revision: 2.26 $"); 40 #ident "$Revision: 2.26 $" 41 #endif 42 43 static void input(struct sockaddr_in *, struct interface *, struct interface *, 44 struct rip *, int); 45 static void input_route(naddr, naddr, struct rt_spare *, struct netinfo *); 46 static int ck_passwd(struct interface *, struct rip *, void *, 47 naddr, struct msg_limit *); 48 49 50 /* process RIP input 51 */ 52 void 53 read_rip(int sock, 54 struct interface *sifp) 55 { 56 struct sockaddr_in from; 57 struct interface *aifp; 58 socklen_t fromlen; 59 int cc; 60 #ifdef USE_PASSIFNAME 61 static struct msg_limit bad_name; 62 struct { 63 char ifname[IFNAMSIZ]; 64 union pkt_buf pbuf; 65 } inbuf; 66 #else 67 struct { 68 union pkt_buf pbuf; 69 } inbuf; 70 #endif 71 72 73 for (;;) { 74 fromlen = sizeof(from); 75 cc = recvfrom(sock, &inbuf, sizeof(inbuf), 0, 76 (struct sockaddr*)&from, &fromlen); 77 if (cc <= 0) { 78 if (cc < 0 && errno != EWOULDBLOCK) 79 LOGERR("recvfrom(rip)"); 80 break; 81 } 82 if (fromlen != sizeof(struct sockaddr_in)) 83 logbad(1,"impossible recvfrom(rip) fromlen=%d", 84 (int)fromlen); 85 86 /* aifp is the "authenticated" interface via which the packet 87 * arrived. In fact, it is only the interface on which 88 * the packet should have arrived based on is source 89 * address. 90 * sifp is interface associated with the socket through which 91 * the packet was received. 92 */ 93 #ifdef USE_PASSIFNAME 94 if ((cc -= sizeof(inbuf.ifname)) < 0) 95 logbad(0,"missing USE_PASSIFNAME; only %d bytes", 96 cc+sizeof(inbuf.ifname)); 97 98 /* check the remote interfaces first */ 99 LIST_FOREACH(aifp, &remote_if, remote_list) { 100 if (aifp->int_addr == from.sin_addr.s_addr) 101 break; 102 } 103 if (aifp == 0) { 104 aifp = ifwithname(inbuf.ifname, 0); 105 if (aifp == 0) { 106 msglim(&bad_name, from.sin_addr.s_addr, 107 "impossible interface name %.*s", 108 IFNAMSIZ, inbuf.ifname); 109 } else if (((aifp->int_if_flags & IFF_POINTOPOINT) 110 && aifp->int_dstaddr!=from.sin_addr.s_addr) 111 || (!(aifp->int_if_flags & IFF_POINTOPOINT) 112 && !on_net(from.sin_addr.s_addr, 113 aifp->int_net, 114 aifp->int_mask))) { 115 /* If it came via the wrong interface, do not 116 * trust it. 117 */ 118 aifp = 0; 119 } 120 } 121 #else 122 aifp = iflookup(from.sin_addr.s_addr); 123 #endif 124 if (sifp == 0) 125 sifp = aifp; 126 127 input(&from, sifp, aifp, &inbuf.pbuf.rip, cc); 128 } 129 } 130 131 132 /* Process a RIP packet 133 */ 134 static void 135 input(struct sockaddr_in *from, /* received from this IP address */ 136 struct interface *sifp, /* interface of incoming socket */ 137 struct interface *aifp, /* "authenticated" interface */ 138 struct rip *rip, 139 int cc) 140 { 141 # define FROM_NADDR from->sin_addr.s_addr 142 static struct msg_limit use_auth, bad_len, bad_mask; 143 static struct msg_limit unk_router, bad_router, bad_nhop; 144 145 struct rt_entry *rt; 146 struct rt_spare new; 147 struct netinfo *n, *lim; 148 struct interface *ifp1; 149 naddr gate, mask, v1_mask, dst, ddst_h = 0; 150 struct auth *ap; 151 struct tgate *tg = 0; 152 struct tgate_net *tn; 153 int i, j; 154 155 /* Notice when we hear from a remote gateway 156 */ 157 if (aifp != 0 158 && (aifp->int_state & IS_REMOTE)) 159 aifp->int_act_time = now.tv_sec; 160 161 trace_rip("Recv", "from", from, sifp, rip, cc); 162 163 if (rip->rip_vers == 0) { 164 msglim(&bad_router, FROM_NADDR, 165 "RIP version 0, cmd %d, packet received from %s", 166 rip->rip_cmd, naddr_ntoa(FROM_NADDR)); 167 return; 168 } else if (rip->rip_vers > RIPv2) { 169 rip->rip_vers = RIPv2; 170 } 171 if (cc > (int)OVER_MAXPACKETSIZE) { 172 msglim(&bad_router, FROM_NADDR, 173 "packet at least %d bytes too long received from %s", 174 cc-MAXPACKETSIZE, naddr_ntoa(FROM_NADDR)); 175 return; 176 } 177 178 n = rip->rip_nets; 179 lim = (struct netinfo *)((char*)rip + cc); 180 181 /* Notice authentication. 182 * As required by section 4.2 in RFC 1723, discard authenticated 183 * RIPv2 messages, but only if configured for that silliness. 184 * 185 * RIPv2 authentication is lame. Why authenticate queries? 186 * Why should a RIPv2 implementation with authentication disabled 187 * not be able to listen to RIPv2 packets with authentication, while 188 * RIPv1 systems will listen? Crazy! 189 */ 190 if (!auth_ok 191 && rip->rip_vers == RIPv2 192 && n < lim && n->n_family == RIP_AF_AUTH) { 193 msglim(&use_auth, FROM_NADDR, 194 "RIPv2 message with authentication from %s discarded", 195 naddr_ntoa(FROM_NADDR)); 196 return; 197 } 198 199 switch (rip->rip_cmd) { 200 case RIPCMD_REQUEST: 201 /* For mere requests, be a little sloppy about the source 202 */ 203 if (aifp == 0) 204 aifp = sifp; 205 206 /* Are we talking to ourself or a remote gateway? 207 */ 208 ifp1 = ifwithaddr(FROM_NADDR, 0, 1); 209 if (ifp1) { 210 if (ifp1->int_state & IS_REMOTE) { 211 /* remote gateway */ 212 aifp = ifp1; 213 if (check_remote(aifp)) { 214 aifp->int_act_time = now.tv_sec; 215 (void)if_ok(aifp, "remote "); 216 } 217 } else if (from->sin_port == htons(RIP_PORT)) { 218 trace_pkt(" discard our own RIP request"); 219 return; 220 } 221 } 222 223 /* did the request come from a router? 224 */ 225 if (from->sin_port == htons(RIP_PORT)) { 226 /* yes, ignore the request if RIP is off so that 227 * the router does not depend on us. 228 */ 229 if (rip_sock < 0 230 || (aifp != 0 231 && IS_RIP_OUT_OFF(aifp->int_state))) { 232 trace_pkt(" discard request while RIP off"); 233 return; 234 } 235 } 236 237 /* According to RFC 1723, we should ignore unauthenticated 238 * queries. That is too silly to bother with. Sheesh! 239 * Are forwarding tables supposed to be secret, when 240 * a bad guy can infer them with test traffic? When RIP 241 * is still the most common router-discovery protocol 242 * and so hosts need to send queries that will be answered? 243 * What about `rtquery`? 244 * Maybe on firewalls you'd care, but not enough to 245 * give up the diagnostic facilities of remote probing. 246 */ 247 248 if (n >= lim) { 249 msglim(&bad_len, FROM_NADDR, "empty request from %s", 250 naddr_ntoa(FROM_NADDR)); 251 return; 252 } 253 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) { 254 msglim(&bad_len, FROM_NADDR, 255 "request of bad length (%d) from %s", 256 cc, naddr_ntoa(FROM_NADDR)); 257 } 258 259 if (rip->rip_vers == RIPv2 260 && (aifp == 0 || (aifp->int_state & IS_NO_RIPV1_OUT))) { 261 v12buf.buf->rip_vers = RIPv2; 262 /* If we have a secret but it is a cleartext secret, 263 * do not disclose our secret unless the other guy 264 * already knows it. 265 */ 266 ap = find_auth(aifp); 267 if (ap != 0 && ap->type == RIP_AUTH_PW 268 && n->n_family == RIP_AF_AUTH 269 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth)) 270 ap = 0; 271 } else { 272 v12buf.buf->rip_vers = RIPv1; 273 ap = 0; 274 } 275 clr_ws_buf(&v12buf, ap); 276 277 do { 278 n->n_metric = ntohl(n->n_metric); 279 280 /* A single entry with family RIP_AF_UNSPEC and 281 * metric HOPCNT_INFINITY means "all routes". 282 * We respond to routers only if we are acting 283 * as a supplier, or to anyone other than a router 284 * (i.e. a query). 285 */ 286 if (n->n_family == RIP_AF_UNSPEC 287 && n->n_metric == HOPCNT_INFINITY) { 288 /* Answer a query from a utility program 289 * with all we know. 290 */ 291 if (from->sin_port != htons(RIP_PORT)) { 292 /* 293 * insecure: query from non-router node 294 * > 1: allow from distant node 295 * > 0: allow from neighbor node 296 * == 0: deny 297 */ 298 if ((aifp != NULL && insecure > 0) || 299 (aifp == NULL && insecure > 1)) 300 supply(from, aifp, OUT_QUERY, 0, 301 rip->rip_vers, ap != 0); 302 else 303 trace_pkt("Warning: " 304 "possible attack detected"); 305 return; 306 } 307 308 /* A router trying to prime its tables. 309 * Filter the answer in the about same way 310 * broadcasts are filtered. 311 * 312 * Only answer a router if we are a supplier 313 * to keep an unwary host that is just starting 314 * from picking us as a router. 315 */ 316 if (aifp == 0) { 317 trace_pkt("ignore distant router"); 318 return; 319 } 320 if (!supplier 321 || IS_RIP_OFF(aifp->int_state)) { 322 trace_pkt("ignore; not supplying"); 323 return; 324 } 325 326 /* Do not answer a RIPv1 router if 327 * we are sending RIPv2. But do offer 328 * poor man's router discovery. 329 */ 330 if ((aifp->int_state & IS_NO_RIPV1_OUT) 331 && rip->rip_vers == RIPv1) { 332 if (!(aifp->int_state & IS_PM_RDISC)) { 333 trace_pkt("ignore; sending RIPv2"); 334 return; 335 } 336 337 v12buf.n->n_family = RIP_AF_INET; 338 v12buf.n->n_dst = RIP_DEFAULT; 339 i = aifp->int_d_metric; 340 if (0 != (rt = rtget(RIP_DEFAULT, 0))) { 341 j = (rt->rt_metric 342 +aifp->int_metric 343 +aifp->int_adj_outmetric 344 +1); 345 if (i > j) 346 i = j; 347 } 348 v12buf.n->n_metric = htonl(i); 349 v12buf.n++; 350 break; 351 } 352 353 /* Respond with RIPv1 instead of RIPv2 if 354 * that is what we are broadcasting on the 355 * interface to keep the remote router from 356 * getting the wrong initial idea of the 357 * routes we send. 358 */ 359 supply(from, aifp, OUT_UNICAST, 0, 360 (aifp->int_state & IS_NO_RIPV1_OUT) 361 ? RIPv2 : RIPv1, 362 ap != 0); 363 return; 364 } 365 366 /* Ignore authentication */ 367 if (n->n_family == RIP_AF_AUTH) 368 continue; 369 370 if (n->n_family != RIP_AF_INET) { 371 msglim(&bad_router, FROM_NADDR, 372 "request from %s for unsupported" 373 " (af %d) %s", 374 naddr_ntoa(FROM_NADDR), 375 ntohs(n->n_family), 376 naddr_ntoa(n->n_dst)); 377 return; 378 } 379 380 /* We are being asked about a specific destination. 381 */ 382 dst = n->n_dst; 383 if (!check_dst(dst)) { 384 msglim(&bad_router, FROM_NADDR, 385 "bad queried destination %s from %s", 386 naddr_ntoa(dst), 387 naddr_ntoa(FROM_NADDR)); 388 return; 389 } 390 391 /* decide what mask was intended */ 392 if (rip->rip_vers == RIPv1 393 || 0 == (mask = ntohl(n->n_mask)) 394 || 0 != (ntohl(dst) & ~mask)) 395 mask = ripv1_mask_host(dst, aifp); 396 397 /* try to find the answer */ 398 rt = rtget(dst, mask); 399 if (!rt && dst != RIP_DEFAULT) 400 rt = rtfind(n->n_dst); 401 402 if (v12buf.buf->rip_vers != RIPv1) 403 v12buf.n->n_mask = mask; 404 if (rt == 0) { 405 /* we do not have the answer */ 406 v12buf.n->n_metric = HOPCNT_INFINITY; 407 } else { 408 /* we have the answer, so compute the 409 * right metric and next hop. 410 */ 411 v12buf.n->n_family = RIP_AF_INET; 412 v12buf.n->n_dst = dst; 413 j = rt->rt_metric+1; 414 if (!aifp) 415 ++j; 416 else 417 j += (aifp->int_metric 418 + aifp->int_adj_outmetric); 419 if (j < HOPCNT_INFINITY) 420 v12buf.n->n_metric = j; 421 else 422 v12buf.n->n_metric = HOPCNT_INFINITY; 423 if (v12buf.buf->rip_vers != RIPv1) { 424 v12buf.n->n_tag = rt->rt_tag; 425 v12buf.n->n_mask = mask; 426 if (aifp != 0 427 && on_net(rt->rt_gate, 428 aifp->int_net, 429 aifp->int_mask) 430 && rt->rt_gate != aifp->int_addr) 431 v12buf.n->n_nhop = rt->rt_gate; 432 } 433 } 434 v12buf.n->n_metric = htonl(v12buf.n->n_metric); 435 436 /* Stop paying attention if we fill the output buffer. 437 */ 438 if (++v12buf.n >= v12buf.lim) 439 break; 440 } while (++n < lim); 441 442 /* Send the answer about specific routes. 443 */ 444 if (ap != 0 && ap->type == RIP_AUTH_MD5) 445 end_md5_auth(&v12buf, ap); 446 447 if (from->sin_port != htons(RIP_PORT)) { 448 /* query */ 449 (void)output(OUT_QUERY, from, aifp, 450 v12buf.buf, 451 ((char *)v12buf.n - (char*)v12buf.buf)); 452 } else if (supplier) { 453 (void)output(OUT_UNICAST, from, aifp, 454 v12buf.buf, 455 ((char *)v12buf.n - (char*)v12buf.buf)); 456 } else { 457 /* Only answer a router if we are a supplier 458 * to keep an unwary host that is just starting 459 * from picking us an a router. 460 */ 461 ; 462 } 463 return; 464 465 case RIPCMD_TRACEON: 466 case RIPCMD_TRACEOFF: 467 /* Notice that trace messages are turned off for all possible 468 * abuse if _PATH_TRACE is undefined in pathnames.h. 469 * Notice also that because of the way the trace file is 470 * handled in trace.c, no abuse is plausible even if 471 * _PATH_TRACE_ is defined. 472 * 473 * First verify message came from a privileged port. */ 474 if (ntohs(from->sin_port) > IPPORT_RESERVED) { 475 msglog("trace command from untrusted port on %s", 476 naddr_ntoa(FROM_NADDR)); 477 return; 478 } 479 if (aifp == 0) { 480 msglog("trace command from unknown router %s", 481 naddr_ntoa(FROM_NADDR)); 482 return; 483 } 484 if (rip->rip_cmd == RIPCMD_TRACEON) { 485 rip->rip_tracefile[cc-4] = '\0'; 486 set_tracefile((char*)rip->rip_tracefile, 487 "trace command: %s\n", 0); 488 } else { 489 trace_off("tracing turned off by %s", 490 naddr_ntoa(FROM_NADDR)); 491 } 492 return; 493 494 case RIPCMD_RESPONSE: 495 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) { 496 msglim(&bad_len, FROM_NADDR, 497 "response of bad length (%d) from %s", 498 cc, naddr_ntoa(FROM_NADDR)); 499 } 500 501 /* verify message came from a router */ 502 if (from->sin_port != ntohs(RIP_PORT)) { 503 msglim(&bad_router, FROM_NADDR, 504 " discard RIP response from unknown port" 505 " %d on %s", 506 ntohs(from->sin_port), naddr_ntoa(FROM_NADDR)); 507 return; 508 } 509 510 if (rip_sock < 0) { 511 trace_pkt(" discard response while RIP off"); 512 return; 513 } 514 515 /* Are we talking to ourself or a remote gateway? 516 */ 517 ifp1 = ifwithaddr(FROM_NADDR, 0, 1); 518 if (ifp1) { 519 if (ifp1->int_state & IS_REMOTE) { 520 /* remote gateway */ 521 aifp = ifp1; 522 if (check_remote(aifp)) { 523 aifp->int_act_time = now.tv_sec; 524 (void)if_ok(aifp, "remote "); 525 } 526 } else { 527 trace_pkt(" discard our own RIP response"); 528 return; 529 } 530 } 531 532 /* Accept routing packets from routers directly connected 533 * via broadcast or point-to-point networks, and from 534 * those listed in /etc/gateways. 535 */ 536 if (aifp == 0) { 537 msglim(&unk_router, FROM_NADDR, 538 " discard response from %s" 539 " via unexpected interface", 540 naddr_ntoa(FROM_NADDR)); 541 return; 542 } 543 if (IS_RIP_IN_OFF(aifp->int_state)) { 544 trace_pkt(" discard RIPv%d response" 545 " via disabled interface %s", 546 rip->rip_vers, aifp->int_name); 547 return; 548 } 549 550 if (n >= lim) { 551 msglim(&bad_len, FROM_NADDR, "empty response from %s", 552 naddr_ntoa(FROM_NADDR)); 553 return; 554 } 555 556 if (((aifp->int_state & IS_NO_RIPV1_IN) 557 && rip->rip_vers == RIPv1) 558 || ((aifp->int_state & IS_NO_RIPV2_IN) 559 && rip->rip_vers != RIPv1)) { 560 trace_pkt(" discard RIPv%d response", 561 rip->rip_vers); 562 return; 563 } 564 565 /* Ignore routes via dead interface. 566 */ 567 if (aifp->int_state & IS_BROKE) { 568 trace_pkt("discard response via broken interface %s", 569 aifp->int_name); 570 return; 571 } 572 573 /* If the interface cares, ignore bad routers. 574 * Trace but do not log this problem, because where it 575 * happens, it happens frequently. 576 */ 577 if (aifp->int_state & IS_DISTRUST) { 578 tg = tgates; 579 while (tg->tgate_addr != FROM_NADDR) { 580 tg = tg->tgate_next; 581 if (tg == 0) { 582 trace_pkt(" discard RIP response" 583 " from untrusted router %s", 584 naddr_ntoa(FROM_NADDR)); 585 return; 586 } 587 } 588 } 589 590 /* Authenticate the packet if we have a secret. 591 * If we do not have any secrets, ignore the error in 592 * RFC 1723 and accept it regardless. 593 */ 594 if (aifp->int_auth[0].type != RIP_AUTH_NONE 595 && rip->rip_vers != RIPv1 596 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth)) 597 return; 598 599 do { 600 if (n->n_family == RIP_AF_AUTH) 601 continue; 602 603 n->n_metric = ntohl(n->n_metric); 604 dst = n->n_dst; 605 if (n->n_family != RIP_AF_INET 606 && (n->n_family != RIP_AF_UNSPEC 607 || dst != RIP_DEFAULT)) { 608 msglim(&bad_router, FROM_NADDR, 609 "route from %s to unsupported" 610 " address family=%d destination=%s", 611 naddr_ntoa(FROM_NADDR), 612 n->n_family, 613 naddr_ntoa(dst)); 614 continue; 615 } 616 if (!check_dst(dst)) { 617 msglim(&bad_router, FROM_NADDR, 618 "bad destination %s from %s", 619 naddr_ntoa(dst), 620 naddr_ntoa(FROM_NADDR)); 621 return; 622 } 623 if (n->n_metric == 0 624 || n->n_metric > HOPCNT_INFINITY) { 625 msglim(&bad_router, FROM_NADDR, 626 "bad metric %d from %s" 627 " for destination %s", 628 n->n_metric, 629 naddr_ntoa(FROM_NADDR), 630 naddr_ntoa(dst)); 631 return; 632 } 633 634 /* Notice the next-hop. 635 */ 636 gate = FROM_NADDR; 637 if (n->n_nhop != 0) { 638 if (rip->rip_vers == RIPv1) { 639 n->n_nhop = 0; 640 } else { 641 /* Use it only if it is valid. */ 642 if (on_net(n->n_nhop, 643 aifp->int_net, aifp->int_mask) 644 && check_dst(n->n_nhop)) { 645 gate = n->n_nhop; 646 } else { 647 msglim(&bad_nhop, FROM_NADDR, 648 "router %s to %s" 649 " has bad next hop %s", 650 naddr_ntoa(FROM_NADDR), 651 naddr_ntoa(dst), 652 naddr_ntoa(n->n_nhop)); 653 n->n_nhop = 0; 654 } 655 } 656 } 657 658 if (rip->rip_vers == RIPv1 659 || 0 == (mask = ntohl(n->n_mask))) { 660 mask = ripv1_mask_host(dst,aifp); 661 } else if ((ntohl(dst) & ~mask) != 0) { 662 msglim(&bad_mask, FROM_NADDR, 663 "router %s sent bad netmask" 664 " %#lx with %s", 665 naddr_ntoa(FROM_NADDR), 666 (u_long)mask, 667 naddr_ntoa(dst)); 668 continue; 669 } 670 if (rip->rip_vers == RIPv1) 671 n->n_tag = 0; 672 673 /* Adjust metric according to incoming interface.. 674 */ 675 n->n_metric += (aifp->int_metric 676 + aifp->int_adj_inmetric); 677 if (n->n_metric > HOPCNT_INFINITY) 678 n->n_metric = HOPCNT_INFINITY; 679 680 /* Should we trust this route from this router? */ 681 if (tg && (tn = tg->tgate_nets)->mask != 0) { 682 for (i = 0; i < MAX_TGATE_NETS; i++, tn++) { 683 if (on_net(dst, tn->net, tn->mask) 684 && tn->mask <= mask) 685 break; 686 } 687 if (i >= MAX_TGATE_NETS || tn->mask == 0) { 688 trace_pkt(" ignored unauthorized %s", 689 addrname(dst,mask,0)); 690 continue; 691 } 692 } 693 694 /* Recognize and ignore a default route we faked 695 * which is being sent back to us by a machine with 696 * broken split-horizon. 697 * Be a little more paranoid than that, and reject 698 * default routes with the same metric we advertised. 699 */ 700 if (aifp->int_d_metric != 0 701 && dst == RIP_DEFAULT 702 && (int)n->n_metric >= aifp->int_d_metric) 703 continue; 704 705 /* We can receive aggregated RIPv2 routes that must 706 * be broken down before they are transmitted by 707 * RIPv1 via an interface on a subnet. 708 * We might also receive the same routes aggregated 709 * via other RIPv2 interfaces. 710 * This could cause duplicate routes to be sent on 711 * the RIPv1 interfaces. "Longest matching variable 712 * length netmasks" lets RIPv2 listeners understand, 713 * but breaking down the aggregated routes for RIPv1 714 * listeners can produce duplicate routes. 715 * 716 * Breaking down aggregated routes here bloats 717 * the daemon table, but does not hurt the kernel 718 * table, since routes are always aggregated for 719 * the kernel. 720 * 721 * Notice that this does not break down network 722 * routes corresponding to subnets. This is part 723 * of the defense against RS_NET_SYN. 724 */ 725 if (have_ripv1_out 726 && (((rt = rtget(dst,mask)) == 0 727 || !(rt->rt_state & RS_NET_SYN))) 728 && (v1_mask = ripv1_mask_net(dst,0)) > mask) { 729 ddst_h = v1_mask & -v1_mask; 730 i = (v1_mask & ~mask)/ddst_h; 731 if (i >= 511) { 732 /* Punt if we would have to generate 733 * an unreasonable number of routes. 734 */ 735 if (TRACECONTENTS) 736 trace_misc("accept %s-->%s as 1" 737 " instead of %d routes", 738 addrname(dst,mask,0), 739 naddr_ntoa(FROM_NADDR), 740 i+1); 741 i = 0; 742 } else { 743 mask = v1_mask; 744 } 745 } else { 746 i = 0; 747 } 748 749 new.rts_gate = gate; 750 new.rts_router = FROM_NADDR; 751 new.rts_metric = n->n_metric; 752 new.rts_tag = n->n_tag; 753 new.rts_time = now.tv_sec; 754 new.rts_ifp = aifp; 755 new.rts_de_ag = i; 756 j = 0; 757 for (;;) { 758 input_route(dst, mask, &new, n); 759 if (++j > i) 760 break; 761 dst = htonl(ntohl(dst) + ddst_h); 762 } 763 } while (++n < lim); 764 break; 765 } 766 #undef FROM_NADDR 767 } 768 769 770 /* Process a single input route. 771 */ 772 static void 773 input_route(naddr dst, /* network order */ 774 naddr mask, 775 struct rt_spare *new, 776 struct netinfo *n) 777 { 778 int i; 779 struct rt_entry *rt; 780 struct rt_spare *rts, *rts0; 781 struct interface *ifp1; 782 783 784 /* See if the other guy is telling us to send our packets to him. 785 * Sometimes network routes arrive over a point-to-point link for 786 * the network containing the address(es) of the link. 787 * 788 * If our interface is broken, switch to using the other guy. 789 */ 790 ifp1 = ifwithaddr(dst, 1, 1); 791 if (ifp1 != 0 792 && (!(ifp1->int_state & IS_BROKE) 793 || (ifp1->int_state & IS_PASSIVE))) 794 return; 795 796 /* Look for the route in our table. 797 */ 798 rt = rtget(dst, mask); 799 800 /* Consider adding the route if we do not already have it. 801 */ 802 if (rt == 0) { 803 /* Ignore unknown routes being poisoned. 804 */ 805 if (new->rts_metric == HOPCNT_INFINITY) 806 return; 807 808 /* Ignore the route if it points to us */ 809 if (n->n_nhop != 0 810 && 0 != ifwithaddr(n->n_nhop, 1, 0)) 811 return; 812 813 /* If something has not gone crazy and tried to fill 814 * our memory, accept the new route. 815 */ 816 if (total_routes < MAX_ROUTES) 817 rtadd(dst, mask, 0, new); 818 return; 819 } 820 821 /* We already know about the route. Consider this update. 822 * 823 * If (rt->rt_state & RS_NET_SYN), then this route 824 * is the same as a network route we have inferred 825 * for subnets we know, in order to tell RIPv1 routers 826 * about the subnets. 827 * 828 * It is impossible to tell if the route is coming 829 * from a distant RIPv2 router with the standard 830 * netmask because that router knows about the entire 831 * network, or if it is a round-about echo of a 832 * synthetic, RIPv1 network route of our own. 833 * The worst is that both kinds of routes might be 834 * received, and the bad one might have the smaller 835 * metric. Partly solve this problem by never 836 * aggregating into such a route. Also keep it 837 * around as long as the interface exists. 838 */ 839 840 rts0 = rt->rt_spares; 841 for (rts = rts0, i = NUM_SPARES; i != 0; i--, rts++) { 842 if (rts->rts_router == new->rts_router) 843 break; 844 /* Note the worst slot to reuse, 845 * other than the current slot. 846 */ 847 if (rts0 == rt->rt_spares 848 || BETTER_LINK(rt, rts0, rts)) 849 rts0 = rts; 850 } 851 if (i != 0) { 852 /* Found a route from the router already in the table. 853 */ 854 855 /* If the new route is a route broken down from an 856 * aggregated route, and if the previous route is either 857 * not a broken down route or was broken down from a finer 858 * netmask, and if the previous route is current, 859 * then forget this one. 860 */ 861 if (new->rts_de_ag > rts->rts_de_ag 862 && now_stale <= rts->rts_time) 863 return; 864 865 /* Keep poisoned routes around only long enough to pass 866 * the poison on. Use a new timestamp for good routes. 867 */ 868 if (rts->rts_metric == HOPCNT_INFINITY 869 && new->rts_metric == HOPCNT_INFINITY) 870 new->rts_time = rts->rts_time; 871 872 /* If this is an update for the router we currently prefer, 873 * then note it. 874 */ 875 if (i == NUM_SPARES) { 876 rtchange(rt, rt->rt_state, new, 0); 877 /* If the route got worse, check for something better. 878 */ 879 if (new->rts_metric > rts->rts_metric) 880 rtswitch(rt, 0); 881 return; 882 } 883 884 /* This is an update for a spare route. 885 * Finished if the route is unchanged. 886 */ 887 if (rts->rts_gate == new->rts_gate 888 && rts->rts_metric == new->rts_metric 889 && rts->rts_tag == new->rts_tag) { 890 trace_upslot(rt, rts, new); 891 *rts = *new; 892 return; 893 } 894 /* Forget it if it has gone bad. 895 */ 896 if (new->rts_metric == HOPCNT_INFINITY) { 897 rts_delete(rt, rts); 898 return; 899 } 900 901 } else { 902 /* The update is for a route we know about, 903 * but not from a familiar router. 904 * 905 * Ignore the route if it points to us. 906 */ 907 if (n->n_nhop != 0 908 && 0 != ifwithaddr(n->n_nhop, 1, 0)) 909 return; 910 911 /* the loop above set rts0=worst spare */ 912 rts = rts0; 913 914 /* Save the route as a spare only if it has 915 * a better metric than our worst spare. 916 * This also ignores poisoned routes (those 917 * received with metric HOPCNT_INFINITY). 918 */ 919 if (new->rts_metric >= rts->rts_metric) 920 return; 921 } 922 923 trace_upslot(rt, rts, new); 924 *rts = *new; 925 926 /* try to switch to a better route */ 927 rtswitch(rt, rts); 928 } 929 930 931 static int /* 0 if bad */ 932 ck_passwd(struct interface *aifp, 933 struct rip *rip, 934 void *lim, 935 naddr from, 936 struct msg_limit *use_authp) 937 { 938 # define NA (rip->rip_auths) 939 struct netauth *na2; 940 struct auth *ap; 941 MD5_CTX md5_ctx; 942 u_char hash[RIP_AUTH_PW_LEN]; 943 int i, len; 944 945 assert(aifp != NULL); 946 if ((void *)NA >= lim || NA->a_family != RIP_AF_AUTH) { 947 msglim(use_authp, from, "missing password from %s", 948 naddr_ntoa(from)); 949 return 0; 950 } 951 952 /* accept any current (+/- 24 hours) password 953 */ 954 for (ap = aifp->int_auth, i = 0; i < MAX_AUTH_KEYS; i++, ap++) { 955 if (ap->type != NA->a_type 956 || (u_long)ap->start > (u_long)clk.tv_sec+DAY 957 || (u_long)ap->end+DAY < (u_long)clk.tv_sec) 958 continue; 959 960 if (NA->a_type == RIP_AUTH_PW) { 961 if (!memcmp(NA->au.au_pw, ap->key, RIP_AUTH_PW_LEN)) 962 return 1; 963 964 } else { 965 /* accept MD5 secret with the right key ID 966 */ 967 if (NA->au.a_md5.md5_keyid != ap->keyid) 968 continue; 969 970 len = ntohs(NA->au.a_md5.md5_pkt_len); 971 if ((len-sizeof(*rip)) % sizeof(*NA) != 0 972 || len != (char *)lim-(char*)rip-(int)sizeof(*NA)) { 973 msglim(use_authp, from, 974 "wrong MD5 RIPv2 packet length of %d" 975 " instead of %d from %s", 976 len, (int)((char *)lim-(char *)rip 977 -sizeof(*NA)), 978 naddr_ntoa(from)); 979 return 0; 980 } 981 na2 = (struct netauth *)((char *)rip+len); 982 983 /* Given a good hash value, these are not security 984 * problems so be generous and accept the routes, 985 * after complaining. 986 */ 987 if (TRACEPACKETS) { 988 if (NA->au.a_md5.md5_auth_len 989 != RIP_AUTH_MD5_HASH_LEN) 990 msglim(use_authp, from, 991 "unknown MD5 RIPv2 auth len %#x" 992 " instead of %#x from %s", 993 NA->au.a_md5.md5_auth_len, 994 (unsigned)RIP_AUTH_MD5_HASH_LEN, 995 naddr_ntoa(from)); 996 if (na2->a_family != RIP_AF_AUTH) 997 msglim(use_authp, from, 998 "unknown MD5 RIPv2 family %#x" 999 " instead of %#x from %s", 1000 na2->a_family, RIP_AF_AUTH, 1001 naddr_ntoa(from)); 1002 if (na2->a_type != ntohs(1)) 1003 msglim(use_authp, from, 1004 "MD5 RIPv2 hash has %#x" 1005 " instead of %#x from %s", 1006 na2->a_type, ntohs(1), 1007 naddr_ntoa(from)); 1008 } 1009 1010 MD5Init(&md5_ctx); 1011 MD5Update(&md5_ctx, (u_char *)rip, 1012 len + RIP_AUTH_MD5_HASH_XTRA); 1013 MD5Update(&md5_ctx, ap->key, RIP_AUTH_MD5_KEY_LEN); 1014 MD5Final(hash, &md5_ctx); 1015 if (!memcmp(hash, na2->au.au_pw, sizeof(hash))) 1016 return 1; 1017 } 1018 } 1019 1020 msglim(use_authp, from, "bad password from %s", 1021 naddr_ntoa(from)); 1022 return 0; 1023 #undef NA 1024 } 1025