xref: /freebsd/sbin/routed/input.c (revision 7f3dea244c40159a41ab22da77a434d7c5b5e85a)
1 /*
2  * Copyright (c) 1983, 1988, 1993
3  *	The Regents of the University of California.  All rights reserved.
4  *
5  * Redistribution and use in source and binary forms, with or without
6  * modification, are permitted provided that the following conditions
7  * are met:
8  * 1. Redistributions of source code must retain the above copyright
9  *    notice, this list of conditions and the following disclaimer.
10  * 2. Redistributions in binary form must reproduce the above copyright
11  *    notice, this list of conditions and the following disclaimer in the
12  *    documentation and/or other materials provided with the distribution.
13  * 3. All advertising materials mentioning features or use of this software
14  *    must display the following acknowledgment:
15  *	This product includes software developed by the University of
16  *	California, Berkeley and its contributors.
17  * 4. Neither the name of the University nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  *
33  * $FreeBSD$
34  */
35 
36 #include "defs.h"
37 
38 #if !defined(sgi) && !defined(__NetBSD__)
39 static char sccsid[] __attribute__((unused)) = "@(#)input.c	8.1 (Berkeley) 6/5/93";
40 #elif defined(__NetBSD__)
41 #include <sys/cdefs.h>
42 __RCSID("$NetBSD$");
43 #endif
44 #ident "$Revision: 1.5 $"
45 
46 static void input(struct sockaddr_in *, struct interface *, struct interface *,
47 		  struct rip *, int);
48 static void input_route(naddr, naddr, struct rt_spare *, struct netinfo *);
49 static int ck_passwd(struct interface *, struct rip *, void *,
50 		     naddr, struct msg_limit *);
51 
52 
53 /* process RIP input
54  */
55 void
56 read_rip(int sock,
57 	 struct interface *sifp)
58 {
59 	struct sockaddr_in from;
60 	struct interface *aifp;
61 	int fromlen, cc;
62 #ifdef USE_PASSIFNAME
63 	static struct msg_limit  bad_name;
64 	struct {
65 		char	ifname[IFNAMSIZ];
66 		union pkt_buf pbuf;
67 	} inbuf;
68 #else
69 	struct {
70 		union pkt_buf pbuf;
71 	} inbuf;
72 #endif
73 
74 
75 	for (;;) {
76 		fromlen = sizeof(from);
77 		cc = recvfrom(sock, &inbuf, sizeof(inbuf), 0,
78 			      (struct sockaddr*)&from, &fromlen);
79 		if (cc <= 0) {
80 			if (cc < 0 && errno != EWOULDBLOCK)
81 				LOGERR("recvfrom(rip)");
82 			break;
83 		}
84 		if (fromlen != sizeof(struct sockaddr_in))
85 			logbad(1,"impossible recvfrom(rip) fromlen=%d",
86 			       fromlen);
87 
88 		/* aifp is the "authenticated" interface via which the packet
89 		 *	arrived.  In fact, it is only the interface on which
90 		 *	the packet should have arrived based on is source
91 		 *	address.
92 		 * sifp is interface associated with the socket through which
93 		 *	the packet was received.
94 		 */
95 #ifdef USE_PASSIFNAME
96 		if ((cc -= sizeof(inbuf.ifname)) < 0)
97 			logbad(0,"missing USE_PASSIFNAME; only %d bytes",
98 			       cc+sizeof(inbuf.ifname));
99 
100 		/* check the remote interfaces first */
101 		for (aifp = remote_if; aifp; aifp = aifp->int_rlink) {
102 			if (aifp->int_addr == from.sin_addr.s_addr)
103 				break;
104 		}
105 		if (aifp == 0) {
106 			aifp = ifwithname(inbuf.ifname, 0);
107 			if (aifp == 0) {
108 				msglim(&bad_name, from.sin_addr.s_addr,
109 				       "impossible interface name %.*s",
110 				       IFNAMSIZ, inbuf.ifname);
111 			} else if (((aifp->int_if_flags & IFF_POINTOPOINT)
112 				    && aifp->int_dstaddr!=from.sin_addr.s_addr)
113 				   || (!(aifp->int_if_flags & IFF_POINTOPOINT)
114 				       && !on_net(from.sin_addr.s_addr,
115 						  aifp->int_net,
116 						  aifp->int_mask))) {
117 				/* If it came via the wrong interface, do not
118 				 * trust it.
119 				 */
120 				aifp = 0;
121 			}
122 		}
123 #else
124 		aifp = iflookup(from.sin_addr.s_addr);
125 #endif
126 		if (sifp == 0)
127 			sifp = aifp;
128 
129 		input(&from, sifp, aifp, &inbuf.pbuf.rip, cc);
130 	}
131 }
132 
133 
134 /* Process a RIP packet
135  */
136 static void
137 input(struct sockaddr_in *from,		/* received from this IP address */
138       struct interface *sifp,		/* interface of incoming socket */
139       struct interface *aifp,		/* "authenticated" interface */
140       struct rip *rip,
141       int cc)
142 {
143 #	define FROM_NADDR from->sin_addr.s_addr
144 	static struct msg_limit use_auth, bad_len, bad_mask;
145 	static struct msg_limit unk_router, bad_router, bad_nhop;
146 
147 	struct rt_entry *rt;
148 	struct rt_spare new;
149 	struct netinfo *n, *lim;
150 	struct interface *ifp1;
151 	naddr gate, mask, v1_mask, dst, ddst_h = 0;
152 	struct auth *ap;
153 	struct tgate *tg = 0;
154 	struct tgate_net *tn;
155 	int i, j;
156 
157 	/* Notice when we hear from a remote gateway
158 	 */
159 	if (aifp != 0
160 	    && (aifp->int_state & IS_REMOTE))
161 		aifp->int_act_time = now.tv_sec;
162 
163 	trace_rip("Recv", "from", from, sifp, rip, cc);
164 
165 	if (rip->rip_vers == 0) {
166 		msglim(&bad_router, FROM_NADDR,
167 		       "RIP version 0, cmd %d, packet received from %s",
168 		       rip->rip_cmd, naddr_ntoa(FROM_NADDR));
169 		return;
170 	} else if (rip->rip_vers > RIPv2) {
171 		rip->rip_vers = RIPv2;
172 	}
173 	if (cc > (int)OVER_MAXPACKETSIZE) {
174 		msglim(&bad_router, FROM_NADDR,
175 		       "packet at least %d bytes too long received from %s",
176 		       cc-MAXPACKETSIZE, naddr_ntoa(FROM_NADDR));
177 		return;
178 	}
179 
180 	n = rip->rip_nets;
181 	lim = (struct netinfo *)((char*)rip + cc);
182 
183 	/* Notice authentication.
184 	 * As required by section 4.2 in RFC 1723, discard authenticated
185 	 * RIPv2 messages, but only if configured for that silliness.
186 	 *
187 	 * RIPv2 authentication is lame.  Why authenticate queries?
188 	 * Why should a RIPv2 implementation with authentication disabled
189 	 * not be able to listen to RIPv2 packets with authentication, while
190 	 * RIPv1 systems will listen?  Crazy!
191 	 */
192 	if (!auth_ok
193 	    && rip->rip_vers == RIPv2
194 	    && n < lim && n->n_family == RIP_AF_AUTH) {
195 		msglim(&use_auth, FROM_NADDR,
196 		       "RIPv2 message with authentication from %s discarded",
197 		       naddr_ntoa(FROM_NADDR));
198 		return;
199 	}
200 
201 	switch (rip->rip_cmd) {
202 	case RIPCMD_REQUEST:
203 		/* For mere requests, be a little sloppy about the source
204 		 */
205 		if (aifp == 0)
206 			aifp = sifp;
207 
208 		/* Are we talking to ourself or a remote gateway?
209 		 */
210 		ifp1 = ifwithaddr(FROM_NADDR, 0, 1);
211 		if (ifp1) {
212 			if (ifp1->int_state & IS_REMOTE) {
213 				/* remote gateway */
214 				aifp = ifp1;
215 				if (check_remote(aifp)) {
216 					aifp->int_act_time = now.tv_sec;
217 					(void)if_ok(aifp, "remote ");
218 				}
219 			} else if (from->sin_port == htons(RIP_PORT)) {
220 				trace_pkt("    discard our own RIP request");
221 				return;
222 			}
223 		}
224 
225 		/* did the request come from a router?
226 		 */
227 		if (from->sin_port == htons(RIP_PORT)) {
228 			/* yes, ignore the request if RIP is off so that
229 			 * the router does not depend on us.
230 			 */
231 			if (rip_sock < 0
232 			    || (aifp != 0
233 				&& IS_RIP_OUT_OFF(aifp->int_state))) {
234 				trace_pkt("    discard request while RIP off");
235 				return;
236 			}
237 		}
238 
239 		/* According to RFC 1723, we should ignore unauthenticated
240 		 * queries.  That is too silly to bother with.  Sheesh!
241 		 * Are forwarding tables supposed to be secret, when
242 		 * a bad guy can infer them with test traffic?  When RIP
243 		 * is still the most common router-discovery protocol
244 		 * and so hosts need to send queries that will be answered?
245 		 * What about `rtquery`?
246 		 * Maybe on firewalls you'd care, but not enough to
247 		 * give up the diagnostic facilities of remote probing.
248 		 */
249 
250 		if (n >= lim) {
251 			msglim(&bad_len, FROM_NADDR, "empty request from %s",
252 			       naddr_ntoa(FROM_NADDR));
253 			return;
254 		}
255 		if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) {
256 			msglim(&bad_len, FROM_NADDR,
257 			       "request of bad length (%d) from %s",
258 			       cc, naddr_ntoa(FROM_NADDR));
259 		}
260 
261 		if (rip->rip_vers == RIPv2
262 		    && (aifp == 0 || (aifp->int_state & IS_NO_RIPV1_OUT))) {
263 			v12buf.buf->rip_vers = RIPv2;
264 			/* If we have a secret but it is a cleartext secret,
265 			 * do not disclose our secret unless the other guy
266 			 * already knows it.
267 			 */
268 			ap = find_auth(aifp);
269 			if (ap != 0 && ap->type == RIP_AUTH_PW
270 			    && n->n_family == RIP_AF_AUTH
271 			    && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth))
272 				ap = 0;
273 		} else {
274 			v12buf.buf->rip_vers = RIPv1;
275 			ap = 0;
276 		}
277 		clr_ws_buf(&v12buf, ap);
278 
279 		do {
280 			NTOHL(n->n_metric);
281 
282 			/* A single entry with family RIP_AF_UNSPEC and
283 			 * metric HOPCNT_INFINITY means "all routes".
284 			 * We respond to routers only if we are acting
285 			 * as a supplier, or to anyone other than a router
286 			 * (i.e. a query).
287 			 */
288 			if (n->n_family == RIP_AF_UNSPEC
289 			    && n->n_metric == HOPCNT_INFINITY) {
290 				/* Answer a query from a utility program
291 				 * with all we know.
292 				 */
293 				if (from->sin_port != htons(RIP_PORT)) {
294 					supply(from, aifp, OUT_QUERY, 0,
295 					       rip->rip_vers, ap != 0);
296 					return;
297 				}
298 
299 				/* A router trying to prime its tables.
300 				 * Filter the answer in the about same way
301 				 * broadcasts are filtered.
302 				 *
303 				 * Only answer a router if we are a supplier
304 				 * to keep an unwary host that is just starting
305 				 * from picking us as a router.
306 				 */
307 				if (aifp == 0) {
308 					trace_pkt("ignore distant router");
309 					return;
310 				}
311 				if (!supplier
312 				    || IS_RIP_OFF(aifp->int_state)) {
313 					trace_pkt("ignore; not supplying");
314 					return;
315 				}
316 
317 				/* Do not answer a RIPv1 router if
318 				 * we are sending RIPv2.  But do offer
319 				 * poor man's router discovery.
320 				 */
321 				if ((aifp->int_state & IS_NO_RIPV1_OUT)
322 				    && rip->rip_vers == RIPv1) {
323 					if (!(aifp->int_state & IS_PM_RDISC)) {
324 					    trace_pkt("ignore; sending RIPv2");
325 					    return;
326 					}
327 
328 					v12buf.n->n_family = RIP_AF_INET;
329 					v12buf.n->n_dst = RIP_DEFAULT;
330 					i = aifp->int_d_metric;
331 					if (0 != (rt = rtget(RIP_DEFAULT, 0)))
332 					    i = MIN(i, (rt->rt_metric
333 							+aifp->int_metric+1));
334 					v12buf.n->n_metric = htonl(i);
335 					v12buf.n++;
336 					break;
337 				}
338 
339 				/* Respond with RIPv1 instead of RIPv2 if
340 				 * that is what we are broadcasting on the
341 				 * interface to keep the remote router from
342 				 * getting the wrong initial idea of the
343 				 * routes we send.
344 				 */
345 				supply(from, aifp, OUT_UNICAST, 0,
346 				       (aifp->int_state & IS_NO_RIPV1_OUT)
347 				       ? RIPv2 : RIPv1,
348 				       ap != 0);
349 				return;
350 			}
351 
352 			/* Ignore authentication */
353 			if (n->n_family == RIP_AF_AUTH)
354 				continue;
355 
356 			if (n->n_family != RIP_AF_INET) {
357 				msglim(&bad_router, FROM_NADDR,
358 				       "request from %s for unsupported"
359 				       " (af %d) %s",
360 				       naddr_ntoa(FROM_NADDR),
361 				       ntohs(n->n_family),
362 				       naddr_ntoa(n->n_dst));
363 				return;
364 			}
365 
366 			/* We are being asked about a specific destination.
367 			 */
368 			dst = n->n_dst;
369 			if (!check_dst(dst)) {
370 				msglim(&bad_router, FROM_NADDR,
371 				       "bad queried destination %s from %s",
372 				       naddr_ntoa(dst),
373 				       naddr_ntoa(FROM_NADDR));
374 				return;
375 			}
376 
377 			/* decide what mask was intended */
378 			if (rip->rip_vers == RIPv1
379 			    || 0 == (mask = ntohl(n->n_mask))
380 			    || 0 != (ntohl(dst) & ~mask))
381 				mask = ripv1_mask_host(dst, aifp);
382 
383 			/* try to find the answer */
384 			rt = rtget(dst, mask);
385 			if (!rt && dst != RIP_DEFAULT)
386 				rt = rtfind(n->n_dst);
387 
388 			if (v12buf.buf->rip_vers != RIPv1)
389 				v12buf.n->n_mask = mask;
390 			if (rt == 0) {
391 				/* we do not have the answer */
392 				v12buf.n->n_metric = HOPCNT_INFINITY;
393 			} else {
394 				/* we have the answer, so compute the
395 				 * right metric and next hop.
396 				 */
397 				v12buf.n->n_family = RIP_AF_INET;
398 				v12buf.n->n_dst = dst;
399 				v12buf.n->n_metric = (rt->rt_metric+1
400 						      + ((aifp!=0)
401 							  ? aifp->int_metric
402 							  : 1));
403 				if (v12buf.n->n_metric > HOPCNT_INFINITY)
404 					v12buf.n->n_metric = HOPCNT_INFINITY;
405 				if (v12buf.buf->rip_vers != RIPv1) {
406 					v12buf.n->n_tag = rt->rt_tag;
407 					v12buf.n->n_mask = mask;
408 					if (aifp != 0
409 					    && on_net(rt->rt_gate,
410 						      aifp->int_net,
411 						      aifp->int_mask)
412 					    && rt->rt_gate != aifp->int_addr)
413 					    v12buf.n->n_nhop = rt->rt_gate;
414 				}
415 			}
416 			HTONL(v12buf.n->n_metric);
417 
418 			/* Stop paying attention if we fill the output buffer.
419 			 */
420 			if (++v12buf.n >= v12buf.lim)
421 				break;
422 		} while (++n < lim);
423 
424 		/* Send the answer about specific routes.
425 		 */
426 		if (ap != 0 && ap->type == RIP_AUTH_MD5)
427 			end_md5_auth(&v12buf, ap);
428 
429 		if (from->sin_port != htons(RIP_PORT)) {
430 			/* query */
431 			(void)output(OUT_QUERY, from, aifp,
432 				     v12buf.buf,
433 				     ((char *)v12buf.n - (char*)v12buf.buf));
434 		} else if (supplier) {
435 			(void)output(OUT_UNICAST, from, aifp,
436 				     v12buf.buf,
437 				     ((char *)v12buf.n - (char*)v12buf.buf));
438 		} else {
439 			/* Only answer a router if we are a supplier
440 			 * to keep an unwary host that is just starting
441 			 * from picking us an a router.
442 			 */
443 			;
444 		}
445 		return;
446 
447 	case RIPCMD_TRACEON:
448 	case RIPCMD_TRACEOFF:
449 		/* Notice that trace messages are turned off for all possible
450 		 * abuse if _PATH_TRACE is undefined in pathnames.h.
451 		 * Notice also that because of the way the trace file is
452 		 * handled in trace.c, no abuse is plausible even if
453 		 * _PATH_TRACE_ is defined.
454 		 *
455 		 * First verify message came from a privileged port. */
456 		if (ntohs(from->sin_port) > IPPORT_RESERVED) {
457 			msglog("trace command from untrusted port on %s",
458 			       naddr_ntoa(FROM_NADDR));
459 			return;
460 		}
461 		if (aifp == 0) {
462 			msglog("trace command from unknown router %s",
463 			       naddr_ntoa(FROM_NADDR));
464 			return;
465 		}
466 		if (rip->rip_cmd == RIPCMD_TRACEON) {
467 			rip->rip_tracefile[cc-4] = '\0';
468 			set_tracefile((char*)rip->rip_tracefile,
469 				      "trace command: %s\n", 0);
470 		} else {
471 			trace_off("tracing turned off by %s",
472 				  naddr_ntoa(FROM_NADDR));
473 		}
474 		return;
475 
476 	case RIPCMD_RESPONSE:
477 		if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) {
478 			msglim(&bad_len, FROM_NADDR,
479 			       "response of bad length (%d) from %s",
480 			       cc, naddr_ntoa(FROM_NADDR));
481 		}
482 
483 		/* verify message came from a router */
484 		if (from->sin_port != ntohs(RIP_PORT)) {
485 			msglim(&bad_router, FROM_NADDR,
486 			       "    discard RIP response from unknown port"
487 			       " %d", from->sin_port);
488 			return;
489 		}
490 
491 		if (rip_sock < 0) {
492 			trace_pkt("    discard response while RIP off");
493 			return;
494 		}
495 
496 		/* Are we talking to ourself or a remote gateway?
497 		 */
498 		ifp1 = ifwithaddr(FROM_NADDR, 0, 1);
499 		if (ifp1) {
500 			if (ifp1->int_state & IS_REMOTE) {
501 				/* remote gateway */
502 				aifp = ifp1;
503 				if (check_remote(aifp)) {
504 					aifp->int_act_time = now.tv_sec;
505 					(void)if_ok(aifp, "remote ");
506 				}
507 			} else {
508 				trace_pkt("    discard our own RIP response");
509 				return;
510 			}
511 		}
512 
513 		/* Accept routing packets from routers directly connected
514 		 * via broadcast or point-to-point networks, and from
515 		 * those listed in /etc/gateways.
516 		 */
517 		if (aifp == 0) {
518 			msglim(&unk_router, FROM_NADDR,
519 			       "   discard response from %s"
520 			       " via unexpected interface",
521 			       naddr_ntoa(FROM_NADDR));
522 			return;
523 		}
524 		if (IS_RIP_IN_OFF(aifp->int_state)) {
525 			trace_pkt("    discard RIPv%d response"
526 				  " via disabled interface %s",
527 				  rip->rip_vers, aifp->int_name);
528 			return;
529 		}
530 
531 		if (n >= lim) {
532 			msglim(&bad_len, FROM_NADDR, "empty response from %s",
533 			       naddr_ntoa(FROM_NADDR));
534 			return;
535 		}
536 
537 		if (((aifp->int_state & IS_NO_RIPV1_IN)
538 		     && rip->rip_vers == RIPv1)
539 		    || ((aifp->int_state & IS_NO_RIPV2_IN)
540 			&& rip->rip_vers != RIPv1)) {
541 			trace_pkt("    discard RIPv%d response",
542 				  rip->rip_vers);
543 			return;
544 		}
545 
546 		/* Ignore routes via dead interface.
547 		 */
548 		if (aifp->int_state & IS_BROKE) {
549 			trace_pkt("discard response via broken interface %s",
550 				  aifp->int_name);
551 			return;
552 		}
553 
554 		/* If the interface cares, ignore bad routers.
555 		 * Trace but do not log this problem, because where it
556 		 * happens, it happens frequently.
557 		 */
558 		if (aifp->int_state & IS_DISTRUST) {
559 			tg = tgates;
560 			while (tg->tgate_addr != FROM_NADDR) {
561 				tg = tg->tgate_next;
562 				if (tg == 0) {
563 					trace_pkt("    discard RIP response"
564 						  " from untrusted router %s",
565 						  naddr_ntoa(FROM_NADDR));
566 					return;
567 				}
568 			}
569 		}
570 
571 		/* Authenticate the packet if we have a secret.
572 		 * If we do not have any secrets, ignore the error in
573 		 * RFC 1723 and accept it regardless.
574 		 */
575 		if (aifp->int_auth[0].type != RIP_AUTH_NONE
576 		    && rip->rip_vers != RIPv1
577 		    && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth))
578 			return;
579 
580 		do {
581 			if (n->n_family == RIP_AF_AUTH)
582 				continue;
583 
584 			NTOHL(n->n_metric);
585 			dst = n->n_dst;
586 			if (n->n_family != RIP_AF_INET
587 			    && (n->n_family != RIP_AF_UNSPEC
588 				|| dst != RIP_DEFAULT)) {
589 				msglim(&bad_router, FROM_NADDR,
590 				       "route from %s to unsupported"
591 				       " address family=%d destination=%s",
592 				       naddr_ntoa(FROM_NADDR),
593 				       n->n_family,
594 				       naddr_ntoa(dst));
595 				continue;
596 			}
597 			if (!check_dst(dst)) {
598 				msglim(&bad_router, FROM_NADDR,
599 				       "bad destination %s from %s",
600 				       naddr_ntoa(dst),
601 				       naddr_ntoa(FROM_NADDR));
602 				return;
603 			}
604 			if (n->n_metric == 0
605 			    || n->n_metric > HOPCNT_INFINITY) {
606 				msglim(&bad_router, FROM_NADDR,
607 				       "bad metric %d from %s"
608 				       " for destination %s",
609 				       n->n_metric,
610 				       naddr_ntoa(FROM_NADDR),
611 				       naddr_ntoa(dst));
612 				return;
613 			}
614 
615 			/* Notice the next-hop.
616 			 */
617 			gate = FROM_NADDR;
618 			if (n->n_nhop != 0) {
619 				if (rip->rip_vers == RIPv1) {
620 					n->n_nhop = 0;
621 				} else {
622 				    /* Use it only if it is valid. */
623 				    if (on_net(n->n_nhop,
624 					       aifp->int_net, aifp->int_mask)
625 					&& check_dst(n->n_nhop)) {
626 					    gate = n->n_nhop;
627 				    } else {
628 					    msglim(&bad_nhop, FROM_NADDR,
629 						   "router %s to %s"
630 						   " has bad next hop %s",
631 						   naddr_ntoa(FROM_NADDR),
632 						   naddr_ntoa(dst),
633 						   naddr_ntoa(n->n_nhop));
634 					    n->n_nhop = 0;
635 				    }
636 				}
637 			}
638 
639 			if (rip->rip_vers == RIPv1
640 			    || 0 == (mask = ntohl(n->n_mask))) {
641 				mask = ripv1_mask_host(dst,aifp);
642 			} else if ((ntohl(dst) & ~mask) != 0) {
643 				msglim(&bad_mask, FROM_NADDR,
644 				       "router %s sent bad netmask"
645 				       " %#lx with %s",
646 				       naddr_ntoa(FROM_NADDR),
647 				       (u_long)mask,
648 				       naddr_ntoa(dst));
649 				continue;
650 			}
651 			if (rip->rip_vers == RIPv1)
652 				n->n_tag = 0;
653 
654 			/* Adjust metric according to incoming interface..
655 			 */
656 			n->n_metric += aifp->int_metric;
657 			if (n->n_metric > HOPCNT_INFINITY)
658 				n->n_metric = HOPCNT_INFINITY;
659 
660 			/* Should we trust this route from this router? */
661 			if (tg && (tn = tg->tgate_nets)->mask != 0) {
662 				for (i = 0; i < MAX_TGATE_NETS; i++, tn++) {
663 					if (on_net(dst, tn->net, tn->mask)
664 					    && tn->mask <= mask)
665 					    break;
666 				}
667 				if (i >= MAX_TGATE_NETS || tn->mask == 0) {
668 					trace_pkt("   ignored unauthorized %s",
669 						  addrname(dst,mask,0));
670 					continue;
671 				}
672 			}
673 
674 			/* Recognize and ignore a default route we faked
675 			 * which is being sent back to us by a machine with
676 			 * broken split-horizon.
677 			 * Be a little more paranoid than that, and reject
678 			 * default routes with the same metric we advertised.
679 			 */
680 			if (aifp->int_d_metric != 0
681 			    && dst == RIP_DEFAULT
682 			    && (int)n->n_metric >= aifp->int_d_metric)
683 				continue;
684 
685 			/* We can receive aggregated RIPv2 routes that must
686 			 * be broken down before they are transmitted by
687 			 * RIPv1 via an interface on a subnet.
688 			 * We might also receive the same routes aggregated
689 			 * via other RIPv2 interfaces.
690 			 * This could cause duplicate routes to be sent on
691 			 * the RIPv1 interfaces.  "Longest matching variable
692 			 * length netmasks" lets RIPv2 listeners understand,
693 			 * but breaking down the aggregated routes for RIPv1
694 			 * listeners can produce duplicate routes.
695 			 *
696 			 * Breaking down aggregated routes here bloats
697 			 * the daemon table, but does not hurt the kernel
698 			 * table, since routes are always aggregated for
699 			 * the kernel.
700 			 *
701 			 * Notice that this does not break down network
702 			 * routes corresponding to subnets.  This is part
703 			 * of the defense against RS_NET_SYN.
704 			 */
705 			if (have_ripv1_out
706 			    && (((rt = rtget(dst,mask)) == 0
707 				 || !(rt->rt_state & RS_NET_SYN)))
708 			    && (v1_mask = ripv1_mask_net(dst,0)) > mask) {
709 				ddst_h = v1_mask & -v1_mask;
710 				i = (v1_mask & ~mask)/ddst_h;
711 				if (i >= 511) {
712 					/* Punt if we would have to generate
713 					 * an unreasonable number of routes.
714 					 */
715 					if (TRACECONTENTS)
716 					    trace_misc("accept %s-->%s as 1"
717 						       " instead of %d routes",
718 						       addrname(dst,mask,0),
719 						       naddr_ntoa(FROM_NADDR),
720 						       i+1);
721 					i = 0;
722 				} else {
723 					mask = v1_mask;
724 				}
725 			} else {
726 				i = 0;
727 			}
728 
729 			new.rts_gate = gate;
730 			new.rts_router = FROM_NADDR;
731 			new.rts_metric = n->n_metric;
732 			new.rts_tag = n->n_tag;
733 			new.rts_time = now.tv_sec;
734 			new.rts_ifp = aifp;
735 			new.rts_de_ag = i;
736 			j = 0;
737 			for (;;) {
738 				input_route(dst, mask, &new, n);
739 				if (++j > i)
740 					break;
741 				dst = htonl(ntohl(dst) + ddst_h);
742 			}
743 		} while (++n < lim);
744 		break;
745 	}
746 #undef FROM_NADDR
747 }
748 
749 
750 /* Process a single input route.
751  */
752 static void
753 input_route(naddr dst,			/* network order */
754 	    naddr mask,
755 	    struct rt_spare *new,
756 	    struct netinfo *n)
757 {
758 	int i;
759 	struct rt_entry *rt;
760 	struct rt_spare *rts, *rts0;
761 	struct interface *ifp1;
762 
763 
764 	/* See if the other guy is telling us to send our packets to him.
765 	 * Sometimes network routes arrive over a point-to-point link for
766 	 * the network containing the address(es) of the link.
767 	 *
768 	 * If our interface is broken, switch to using the other guy.
769 	 */
770 	ifp1 = ifwithaddr(dst, 1, 1);
771 	if (ifp1 != 0
772 	    && (!(ifp1->int_state & IS_BROKE)
773 		|| (ifp1->int_state & IS_PASSIVE)))
774 		return;
775 
776 	/* Look for the route in our table.
777 	 */
778 	rt = rtget(dst, mask);
779 
780 	/* Consider adding the route if we do not already have it.
781 	 */
782 	if (rt == 0) {
783 		/* Ignore unknown routes being poisoned.
784 		 */
785 		if (new->rts_metric == HOPCNT_INFINITY)
786 			return;
787 
788 		/* Ignore the route if it points to us */
789 		if (n->n_nhop != 0
790 		    && 0 != ifwithaddr(n->n_nhop, 1, 0))
791 			return;
792 
793 		/* If something has not gone crazy and tried to fill
794 		 * our memory, accept the new route.
795 		 */
796 		if (total_routes < MAX_ROUTES)
797 			rtadd(dst, mask, 0, new);
798 		return;
799 	}
800 
801 	/* We already know about the route.  Consider this update.
802 	 *
803 	 * If (rt->rt_state & RS_NET_SYN), then this route
804 	 * is the same as a network route we have inferred
805 	 * for subnets we know, in order to tell RIPv1 routers
806 	 * about the subnets.
807 	 *
808 	 * It is impossible to tell if the route is coming
809 	 * from a distant RIPv2 router with the standard
810 	 * netmask because that router knows about the entire
811 	 * network, or if it is a round-about echo of a
812 	 * synthetic, RIPv1 network route of our own.
813 	 * The worst is that both kinds of routes might be
814 	 * received, and the bad one might have the smaller
815 	 * metric.  Partly solve this problem by never
816 	 * aggregating into such a route.  Also keep it
817 	 * around as long as the interface exists.
818 	 */
819 
820 	rts0 = rt->rt_spares;
821 	for (rts = rts0, i = NUM_SPARES; i != 0; i--, rts++) {
822 		if (rts->rts_router == new->rts_router)
823 			break;
824 		/* Note the worst slot to reuse,
825 		 * other than the current slot.
826 		 */
827 		if (rts0 == rt->rt_spares
828 		    || BETTER_LINK(rt, rts0, rts))
829 			rts0 = rts;
830 	}
831 	if (i != 0) {
832 		/* Found a route from the router already in the table.
833 		 */
834 
835 		/* If the new route is a route broken down from an
836 		 * aggregated route, and if the previous route is either
837 		 * not a broken down route or was broken down from a finer
838 		 * netmask, and if the previous route is current,
839 		 * then forget this one.
840 		 */
841 		if (new->rts_de_ag > rts->rts_de_ag
842 		    && now_stale <= rts->rts_time)
843 			return;
844 
845 		/* Keep poisoned routes around only long enough to pass
846 		 * the poison on.  Use a new timestamp for good routes.
847 		 */
848 		if (rts->rts_metric == HOPCNT_INFINITY
849 		    && new->rts_metric == HOPCNT_INFINITY)
850 			new->rts_time = rts->rts_time;
851 
852 		/* If this is an update for the router we currently prefer,
853 		 * then note it.
854 		 */
855 		if (i == NUM_SPARES) {
856 			rtchange(rt, rt->rt_state, new, 0);
857 			/* If the route got worse, check for something better.
858 			 */
859 			if (new->rts_metric > rts->rts_metric)
860 				rtswitch(rt, 0);
861 			return;
862 		}
863 
864 		/* This is an update for a spare route.
865 		 * Finished if the route is unchanged.
866 		 */
867 		if (rts->rts_gate == new->rts_gate
868 		    && rts->rts_metric == new->rts_metric
869 		    && rts->rts_tag == new->rts_tag) {
870 			trace_upslot(rt, rts, new);
871 			*rts = *new;
872 			return;
873 		}
874 		/* Forget it if it has gone bad.
875 		 */
876 		if (new->rts_metric == HOPCNT_INFINITY) {
877 			rts_delete(rt, rts);
878 			return;
879 		}
880 
881 	} else {
882 		/* The update is for a route we know about,
883 		 * but not from a familiar router.
884 		 *
885 		 * Ignore the route if it points to us.
886 		 */
887 		if (n->n_nhop != 0
888 		    && 0 != ifwithaddr(n->n_nhop, 1, 0))
889 			return;
890 
891 		/* the loop above set rts0=worst spare */
892 		rts = rts0;
893 
894 		/* Save the route as a spare only if it has
895 		 * a better metric than our worst spare.
896 		 * This also ignores poisoned routes (those
897 		 * received with metric HOPCNT_INFINITY).
898 		 */
899 		if (new->rts_metric >= rts->rts_metric)
900 			return;
901 	}
902 
903 	trace_upslot(rt, rts, new);
904 	*rts = *new;
905 
906 	/* try to switch to a better route */
907 	rtswitch(rt, rts);
908 }
909 
910 
911 static int				/* 0 if bad */
912 ck_passwd(struct interface *aifp,
913 	  struct rip *rip,
914 	  void *lim,
915 	  naddr from,
916 	  struct msg_limit *use_authp)
917 {
918 #	define NA (rip->rip_auths)
919 	struct netauth *na2;
920 	struct auth *ap;
921 	MD5_CTX md5_ctx;
922 	u_char hash[RIP_AUTH_PW_LEN];
923 	int i, len;
924 
925 
926 	if ((void *)NA >= lim || NA->a_family != RIP_AF_AUTH) {
927 		msglim(use_authp, from, "missing password from %s",
928 		       naddr_ntoa(from));
929 		return 0;
930 	}
931 
932 	/* accept any current (+/- 24 hours) password
933 	 */
934 	for (ap = aifp->int_auth, i = 0; i < MAX_AUTH_KEYS; i++, ap++) {
935 		if (ap->type != NA->a_type
936 		    || (u_long)ap->start > (u_long)clk.tv_sec+DAY
937 		    || (u_long)ap->end+DAY < (u_long)clk.tv_sec)
938 			continue;
939 
940 		if (NA->a_type == RIP_AUTH_PW) {
941 			if (!memcmp(NA->au.au_pw, ap->key, RIP_AUTH_PW_LEN))
942 				return 1;
943 
944 		} else {
945 			/* accept MD5 secret with the right key ID
946 			 */
947 			if (NA->au.a_md5.md5_keyid != ap->keyid)
948 				continue;
949 
950 			len = ntohs(NA->au.a_md5.md5_pkt_len);
951 			if ((len-sizeof(*rip)) % sizeof(*NA) != 0
952 			    || len != (char *)lim-(char*)rip-(int)sizeof(*NA)) {
953 				msglim(use_authp, from,
954 				       "wrong MD5 RIPv2 packet length of %d"
955 				       " instead of %d from %s",
956 				       len, (int)((char *)lim-(char *)rip
957 						  -sizeof(*NA)),
958 				       naddr_ntoa(from));
959 				return 0;
960 			}
961 			na2 = (struct netauth *)((char *)rip+len);
962 
963 			/* Given a good hash value, these are not security
964 			 * problems so be generous and accept the routes,
965 			 * after complaining.
966 			 */
967 			if (TRACEPACKETS) {
968 				if (NA->au.a_md5.md5_auth_len
969 				    != RIP_AUTH_MD5_LEN)
970 					msglim(use_authp, from,
971 					       "unknown MD5 RIPv2 auth len %#x"
972 					       " instead of %#x from %s",
973 					       NA->au.a_md5.md5_auth_len,
974 					       RIP_AUTH_MD5_LEN,
975 					       naddr_ntoa(from));
976 				if (na2->a_family != RIP_AF_AUTH)
977 					msglim(use_authp, from,
978 					       "unknown MD5 RIPv2 family %#x"
979 					       " instead of %#x from %s",
980 					       na2->a_family, RIP_AF_AUTH,
981 					       naddr_ntoa(from));
982 				if (na2->a_type != ntohs(1))
983 					msglim(use_authp, from,
984 					       "MD5 RIPv2 hash has %#x"
985 					       " instead of %#x from %s",
986 					       na2->a_type, ntohs(1),
987 					       naddr_ntoa(from));
988 			}
989 
990 			MD5Init(&md5_ctx);
991 			MD5Update(&md5_ctx, (u_char *)rip, len);
992 			MD5Update(&md5_ctx, ap->key, RIP_AUTH_MD5_LEN);
993 			MD5Final(hash, &md5_ctx);
994 			if (!memcmp(hash, na2->au.au_pw, sizeof(hash)))
995 				return 1;
996 		}
997 	}
998 
999 	msglim(use_authp, from, "bad password from %s",
1000 	       naddr_ntoa(from));
1001 	return 0;
1002 #undef NA
1003 }
1004