1 /*
2 * Copyright 2004 Sun Microsystems, Inc. All rights reserved.
3 * Use is subject to license terms.
4 */
5
6 #pragma ident "%Z%%M% %I% %E% SMI"
7
8 /*
9 * Routine to disable IP-level socket options. This code was taken from 4.4BSD
10 * rlogind and kernel source, but all mistakes in it are my fault.
11 *
12 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
13 */
14
15 #ifndef lint
16 static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19";
17 #endif
18
19 #include <sys/types.h>
20 #include <sys/param.h>
21 #include <netinet/in.h>
22 #include <netinet/in_systm.h>
23 #include <netinet/ip.h>
24 #include <netdb.h>
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <unistd.h>
28 #include <syslog.h>
29
30 #ifndef IPOPT_OPTVAL
31 #define IPOPT_OPTVAL 0
32 #define IPOPT_OLEN 1
33 #endif
34
35 #include "tcpd.h"
36
37 #define BUFFER_SIZE 512 /* Was: BUFSIZ */
38
39 /* fix_options - get rid of IP-level socket options */
40
41 void
fix_options(request)42 fix_options(request)
43 struct request_info *request;
44 {
45 #ifdef IP_OPTIONS
46 unsigned char optbuf[BUFFER_SIZE / 3], *cp;
47 char lbuf[BUFFER_SIZE], *lp;
48 int optsize = sizeof(optbuf), ipproto;
49 struct protoent *ip;
50 int fd = request->fd;
51 unsigned int opt;
52 int optlen;
53 struct in_addr dummy;
54
55 if ((ip = getprotobyname("ip")) != 0)
56 ipproto = ip->p_proto;
57 else
58 ipproto = IPPROTO_IP;
59
60 if (getsockopt(fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0
61 && optsize != 0) {
62
63 /*
64 * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination
65 * address to the result IP options list when source routing options
66 * are present (see <netinet/ip_var.h>), but produces no output for
67 * other IP options. Solaris 2.x getsockopt() does produce output for
68 * non-routing IP options, and uses the same format as BSD even when
69 * the space for the destination address is unused. The code below
70 * does the right thing with 4.[34]BSD derivatives and Solaris 2, but
71 * may occasionally miss source routing options on incompatible
72 * systems such as Linux. Their choice.
73 *
74 * Look for source routing options. Drop the connection when one is
75 * found. Just wiping the IP options is insufficient: we would still
76 * help the attacker by providing a real TCP sequence number, and the
77 * attacker would still be able to send packets (blind spoofing). I
78 * discussed this attack with Niels Provos, half a year before the
79 * attack was described in open mailing lists.
80 *
81 * It would be cleaner to just return a yes/no reply and let the caller
82 * decide how to deal with it. Resident servers should not terminate.
83 * However I am not prepared to make changes to internal interfaces
84 * on short notice.
85 */
86 #define ADDR_LEN sizeof(dummy.s_addr)
87
88 for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) {
89 opt = cp[IPOPT_OPTVAL];
90 if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
91 syslog(LOG_WARNING,
92 "refused connect from %s with IP source routing options",
93 eval_client(request));
94 shutdown(fd, 2);
95 return;
96 }
97 if (opt == IPOPT_EOL)
98 break;
99 if (opt == IPOPT_NOP) {
100 optlen = 1;
101 } else {
102 optlen = cp[IPOPT_OLEN];
103 if (optlen <= 0) /* Do not loop! */
104 break;
105 }
106 }
107 lp = lbuf;
108 for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
109 sprintf(lp, " %2.2x", *cp);
110 syslog(LOG_NOTICE,
111 "connect from %s with IP options (ignored):%s",
112 eval_client(request), lbuf);
113 if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) {
114 syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
115 shutdown(fd, 2);
116 }
117 }
118 #endif
119 }
120