1 /* 2 * Copyright 2004 Sun Microsystems, Inc. All rights reserved. 3 * Use is subject to license terms. 4 */ 5 6 #pragma ident "%Z%%M% %I% %E% SMI" 7 8 /* 9 * Routine to disable IP-level socket options. This code was taken from 4.4BSD 10 * rlogind and kernel source, but all mistakes in it are my fault. 11 * 12 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 13 */ 14 15 #ifndef lint 16 static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19"; 17 #endif 18 19 #include <sys/types.h> 20 #include <sys/param.h> 21 #include <netinet/in.h> 22 #include <netinet/in_systm.h> 23 #include <netinet/ip.h> 24 #include <netdb.h> 25 #include <stdio.h> 26 #include <stdlib.h> 27 #include <unistd.h> 28 #include <syslog.h> 29 30 #ifndef IPOPT_OPTVAL 31 #define IPOPT_OPTVAL 0 32 #define IPOPT_OLEN 1 33 #endif 34 35 #include "tcpd.h" 36 37 #define BUFFER_SIZE 512 /* Was: BUFSIZ */ 38 39 /* fix_options - get rid of IP-level socket options */ 40 41 void 42 fix_options(request) 43 struct request_info *request; 44 { 45 #ifdef IP_OPTIONS 46 unsigned char optbuf[BUFFER_SIZE / 3], *cp; 47 char lbuf[BUFFER_SIZE], *lp; 48 int optsize = sizeof(optbuf), ipproto; 49 struct protoent *ip; 50 int fd = request->fd; 51 unsigned int opt; 52 int optlen; 53 struct in_addr dummy; 54 55 if ((ip = getprotobyname("ip")) != 0) 56 ipproto = ip->p_proto; 57 else 58 ipproto = IPPROTO_IP; 59 60 if (getsockopt(fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0 61 && optsize != 0) { 62 63 /* 64 * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination 65 * address to the result IP options list when source routing options 66 * are present (see <netinet/ip_var.h>), but produces no output for 67 * other IP options. Solaris 2.x getsockopt() does produce output for 68 * non-routing IP options, and uses the same format as BSD even when 69 * the space for the destination address is unused. The code below 70 * does the right thing with 4.[34]BSD derivatives and Solaris 2, but 71 * may occasionally miss source routing options on incompatible 72 * systems such as Linux. Their choice. 73 * 74 * Look for source routing options. Drop the connection when one is 75 * found. Just wiping the IP options is insufficient: we would still 76 * help the attacker by providing a real TCP sequence number, and the 77 * attacker would still be able to send packets (blind spoofing). I 78 * discussed this attack with Niels Provos, half a year before the 79 * attack was described in open mailing lists. 80 * 81 * It would be cleaner to just return a yes/no reply and let the caller 82 * decide how to deal with it. Resident servers should not terminate. 83 * However I am not prepared to make changes to internal interfaces 84 * on short notice. 85 */ 86 #define ADDR_LEN sizeof(dummy.s_addr) 87 88 for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) { 89 opt = cp[IPOPT_OPTVAL]; 90 if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) { 91 syslog(LOG_WARNING, 92 "refused connect from %s with IP source routing options", 93 eval_client(request)); 94 shutdown(fd, 2); 95 return; 96 } 97 if (opt == IPOPT_EOL) 98 break; 99 if (opt == IPOPT_NOP) { 100 optlen = 1; 101 } else { 102 optlen = cp[IPOPT_OLEN]; 103 if (optlen <= 0) /* Do not loop! */ 104 break; 105 } 106 } 107 lp = lbuf; 108 for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3) 109 sprintf(lp, " %2.2x", *cp); 110 syslog(LOG_NOTICE, 111 "connect from %s with IP options (ignored):%s", 112 eval_client(request), lbuf); 113 if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) { 114 syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m"); 115 shutdown(fd, 2); 116 } 117 } 118 #endif 119 } 120