xref: /illumos-gate/usr/src/lib/libwrap/fix_options.c (revision 533affcbc7fc4d0c8132976ea454aaa715fe2307)
1 /*
2  * Copyright 2004 Sun Microsystems, Inc.  All rights reserved.
3  * Use is subject to license terms.
4  */
5 
6  /*
7   * Routine to disable IP-level socket options. This code was taken from 4.4BSD
8   * rlogind and kernel source, but all mistakes in it are my fault.
9   *
10   * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
11   */
12 
13 #ifndef lint
14 static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19";
15 #endif
16 
17 #include <sys/types.h>
18 #include <sys/param.h>
19 #include <netinet/in.h>
20 #include <netinet/in_systm.h>
21 #include <netinet/ip.h>
22 #include <netdb.h>
23 #include <stdio.h>
24 #include <stdlib.h>
25 #include <unistd.h>
26 #include <syslog.h>
27 
28 #ifndef IPOPT_OPTVAL
29 #define IPOPT_OPTVAL	0
30 #define IPOPT_OLEN	1
31 #endif
32 
33 #include "tcpd.h"
34 
35 #define BUFFER_SIZE	512		/* Was: BUFSIZ */
36 
37 /* fix_options - get rid of IP-level socket options */
38 
39 void
40 fix_options(request)
41 struct request_info *request;
42 {
43 #ifdef IP_OPTIONS
44     unsigned char optbuf[BUFFER_SIZE / 3], *cp;
45     char    lbuf[BUFFER_SIZE], *lp;
46     int     optsize = sizeof(optbuf), ipproto;
47     struct protoent *ip;
48     int     fd = request->fd;
49     unsigned int opt;
50     int     optlen;
51     struct in_addr dummy;
52 
53     if ((ip = getprotobyname("ip")) != 0)
54 	ipproto = ip->p_proto;
55     else
56 	ipproto = IPPROTO_IP;
57 
58     if (getsockopt(fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0
59 	&& optsize != 0) {
60 
61 	/*
62 	 * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination
63 	 * address to the result IP options list when source routing options
64 	 * are present (see <netinet/ip_var.h>), but produces no output for
65 	 * other IP options. Solaris 2.x getsockopt() does produce output for
66 	 * non-routing IP options, and uses the same format as BSD even when
67 	 * the space for the destination address is unused. The code below
68 	 * does the right thing with 4.[34]BSD derivatives and Solaris 2, but
69 	 * may occasionally miss source routing options on incompatible
70 	 * systems such as Linux. Their choice.
71 	 *
72 	 * Look for source routing options. Drop the connection when one is
73 	 * found. Just wiping the IP options is insufficient: we would still
74 	 * help the attacker by providing a real TCP sequence number, and the
75 	 * attacker would still be able to send packets (blind spoofing). I
76 	 * discussed this attack with Niels Provos, half a year before the
77 	 * attack was described in open mailing lists.
78 	 *
79 	 * It would be cleaner to just return a yes/no reply and let the caller
80 	 * decide how to deal with it. Resident servers should not terminate.
81 	 * However I am not prepared to make changes to internal interfaces
82 	 * on short notice.
83 	 */
84 #define ADDR_LEN sizeof(dummy.s_addr)
85 
86 	for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) {
87 	    opt = cp[IPOPT_OPTVAL];
88 	    if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
89 		syslog(LOG_WARNING,
90 		   "refused connect from %s with IP source routing options",
91 		       eval_client(request));
92 		shutdown(fd, 2);
93 		return;
94 	    }
95 	    if (opt == IPOPT_EOL)
96 		break;
97 	    if (opt == IPOPT_NOP) {
98 		optlen = 1;
99 	    } else {
100 		optlen = cp[IPOPT_OLEN];
101 		if (optlen <= 0)		/* Do not loop! */
102 		    break;
103 	    }
104 	}
105 	lp = lbuf;
106 	for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
107 	    sprintf(lp, " %2.2x", *cp);
108 	syslog(LOG_NOTICE,
109 	       "connect from %s with IP options (ignored):%s",
110 	       eval_client(request), lbuf);
111 	if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) {
112 	    syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
113 	    shutdown(fd, 2);
114 	}
115     }
116 #endif
117 }
118