1
2 /***************************************************************************
3 * netutil.cc *
4 * *
5 ***********************IMPORTANT NMAP LICENSE TERMS************************
6 * *
7 * The Nmap Security Scanner is (C) 1996-2020 Insecure.Com LLC ("The Nmap *
8 * Project"). Nmap is also a registered trademark of the Nmap Project. *
9 * *
10 * This program is distributed under the terms of the Nmap Public Source *
11 * License (NPSL). The exact license text applying to a particular Nmap *
12 * release or source code control revision is contained in the LICENSE *
13 * file distributed with that version of Nmap or source code control *
14 * revision. More Nmap copyright/legal information is available from *
15 * https://nmap.org/book/man-legal.html, and further information on the *
16 * NPSL license itself can be found at https://nmap.org/npsl. This header *
17 * summarizes some key points from the Nmap license, but is no substitute *
18 * for the actual license text. *
19 * *
20 * Nmap is generally free for end users to download and use themselves, *
21 * including commercial use. It is available from https://nmap.org. *
22 * *
23 * The Nmap license generally prohibits companies from using and *
24 * redistributing Nmap in commercial products, but we sell a special Nmap *
25 * OEM Edition with a more permissive license and special features for *
26 * this purpose. See https://nmap.org/oem *
27 * *
28 * If you have received a written Nmap license agreement or contract *
29 * stating terms other than these (such as an Nmap OEM license), you may *
30 * choose to use and redistribute Nmap under those terms instead. *
31 * *
32 * The official Nmap Windows builds include the Npcap software *
33 * (https://npcap.org) for packet capture and transmission. It is under *
34 * separate license terms which forbid redistribution without special *
35 * permission. So the official Nmap Windows builds may not be *
36 * redistributed without special permission (such as an Nmap OEM *
37 * license). *
38 * *
39 * Source is provided to this software because we believe users have a *
40 * right to know exactly what a program is going to do before they run it. *
41 * This also allows you to audit the software for security holes. *
42 * *
43 * Source code also allows you to port Nmap to new platforms, fix bugs, *
44 * and add new features. You are highly encouraged to submit your *
45 * changes as a Github PR or by email to the dev@nmap.org mailing list *
46 * for possible incorporation into the main distribution. Unless you *
47 * specify otherwise, it is understood that you are offering us very *
48 * broad rights to use your submissions as described in the Nmap Public *
49 * Source License Contributor Agreement. This is important because we *
50 * fund the project by selling licenses with various terms, and also *
51 * because the inability to relicense code has caused devastating *
52 * problems for other Free Software projects (such as KDE and NASM). *
53 * *
54 * The free version of Nmap is distributed in the hope that it will be *
55 * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of *
56 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Warranties, *
57 * indemnification and commercial support are all available through the *
58 * Npcap OEM program--see https://nmap.org/oem. *
59 * *
60 ***************************************************************************/
61
62 /* Since OS X 10.7, we must declare whether we expect RFC 2292 or RFC 3542
63 behavior from <netinet6/in6.h>. */
64 #define __APPLE_USE_RFC_3542
65
66 #if HAVE_CONFIG_H
67 #include "../nmap_config.h"
68 #endif
69
70 #include "nbase.h"
71
72 #ifndef WIN32
73 #include <sys/uio.h>
74 #include <sys/ioctl.h>
75 #endif
76
77 #include <assert.h>
78 #include <errno.h>
79 #include <sys/types.h>
80 #if HAVE_SYS_SOCKET_H
81 #include <sys/socket.h>
82 #endif
83 #if HAVE_SYS_SOCKIO_H
84 #include <sys/sockio.h> /* SIOCGIFCONF for Solaris */
85 #endif
86
87 /* Define CMSG_* symbols for Solaris 9 and earlier. See
88 http://wiki.opencsw.org/porting-faq#toc10. */
89 #if defined(__sun) || defined(__sun__)
90 # ifndef CMSG_ALIGN
91 # ifdef __sun__
92 # define CMSG_ALIGN(len) _CMSG_DATA_ALIGN (len)
93 # else
94 /* aligning to sizeof (long) is assumed to be portable (fd.o#40235) */
95 # define CMSG_ALIGN(len) (((len) + sizeof (long) - 1) & ~(sizeof (long) - 1))
96 # endif
97 # endif
98 # ifndef CMSG_SPACE
99 # define CMSG_SPACE(len) (CMSG_ALIGN (sizeof (struct cmsghdr)) + CMSG_ALIGN (len))
100 # endif
101 # ifndef CMSG_LEN
102 # define CMSG_LEN(len) (CMSG_ALIGN (sizeof (struct cmsghdr)) + (len))
103 # endif
104 #endif /* Solaris */
105
106 #ifdef WIN32
107 typedef unsigned __int32 u_int32_t;
108 typedef unsigned __int16 u_int16_t;
109 typedef unsigned __int8 u_int8_t;
110 #endif
111
112 #if HAVE_NETINET_IN_H
113 #include <netinet/in.h>
114 #endif
115 #ifdef HAVE_LINUX_RTNETLINK_H
116 #include <linux/rtnetlink.h>
117 #endif
118
119 #ifndef NETINET_IN_SYSTM_H /* This guarding is needed for at least some versions of OpenBSD */
120 #include <netinet/in_systm.h>
121 #define NETINET_IN_SYSTM_H
122 #endif
123
124 #include "netutil.h"
125
126 #if HAVE_NET_IF_H
127 #ifndef NET_IF_H /* This guarding is needed for at least some versions of OpenBSD */
128 #include <net/if.h>
129 #define NET_IF_H
130 #endif
131 #endif
132 #ifndef NETINET_IP_H /* This guarding is needed for at least some versions of OpenBSD */
133 #include <netinet/ip.h>
134 #define NETINET_IP_H
135 #endif
136 #include <net/if_arp.h>
137
138 #if HAVE_SYS_RESOURCE_H
139 #include <sys/resource.h>
140 #endif
141
142 #define NBASE_MAX_ERR_STR_LEN 1024 /* Max length of an error message */
143
144 #ifndef PCAP_NETMASK_UNKNOWN
145 /* libpcap before 1.1.1 (e.g. WinPcap) doesn't handle this specially, so just use 0 netmask */
146 #define PCAP_NETMASK_UNKNOWN 0
147 #endif
148
149 /** Print fatal error messages to stderr and then exits. A newline
150 character is printed automatically after the supplied text.
151 * @warning This function does not return because it calls exit() */
netutil_fatal(const char * str,...)152 void netutil_fatal(const char *str, ...){
153 va_list list;
154 char errstr[NBASE_MAX_ERR_STR_LEN];
155 memset(errstr,0, NBASE_MAX_ERR_STR_LEN);
156
157 va_start(list, str);
158
159 fflush(stdout);
160
161 /* Print error msg to strerr */
162 vfprintf(stderr, str, list);
163 fprintf(stderr,"\n");
164 va_end(list);
165
166 exit(EXIT_FAILURE);
167 } /* End of fatal() */
168
169 /** Print error messages to stderr and then return. A newline
170 character is printed automatically after the supplied text.*/
netutil_error(const char * str,...)171 int netutil_error(const char *str, ...){
172 va_list list;
173 char errstr[NBASE_MAX_ERR_STR_LEN];
174 memset(errstr,0, NBASE_MAX_ERR_STR_LEN);
175
176 va_start(list, str);
177
178 fflush(stdout);
179
180 /* Print error msg to strerr */
181 vfprintf(stderr, str, list);
182 fprintf(stderr,"\n");
183 va_end(list);
184
185 return 0;
186
187 } /* End of error() */
188
189 /* This function converts zero-terminated 'txt' string to binary 'data'.
190 It is used to parse user input for ip options. Some examples of possible input
191 strings and results:
192 '\x01*2\xA2' -> [0x01,0x01,0xA2] // with 'x' number is parsed in hex
193 '\01\01\255' -> [0x01,0x01,0xFF] // without 'x' its in decimal
194 '\x01\x00*2' -> [0x01,0x00,0x00] // '*' is copying char
195 'R' -> Record Route with 9 slots
196 'S 192.168.0.1 172.16.0.1' -> Strict Route with 2 slots
197 'L 192.168.0.1 172.16.0.1' -> Loose Route with 2 slots
198 'T' -> Record Timestamp with 9 slots
199 'U' -> Record Timestamp and Ip Address with 4 slots
200 On success, the function returns the length of the final binary
201 options stored in "data". In case of error, OP_FAILURE is returned
202 and the "errstr" buffer is filled with an error message
203 (unless it's NULL). Note that the returned error message does NOT
204 contain a newline character at the end. */
parse_ip_options(const char * txt,u8 * data,int datalen,int * firsthopoff,int * lasthopoff,char * errstr,size_t errstrlen)205 int parse_ip_options(const char *txt, u8 *data, int datalen, int* firsthopoff, int* lasthopoff, char *errstr, size_t errstrlen){
206 enum{
207 NONE = 0,
208 SLASH = 1,
209 MUL = 2,
210 RR = 3,
211 TIME = 4,
212 } s = NONE;
213 char *n, lc;
214 const char *c = txt;
215 u8 *d = data;
216 int i,j;
217 int base = 10;
218 u8 *dataend = &data[datalen];
219 u8 *len = NULL;
220 char buf[32];
221 memset(data, 0, datalen);
222 int sourcerouting = 0;
223 long strtolbyte = 0; // used to check strtol() return boundaries
224
225 for(;*c;c++){
226 switch(s){
227 case SLASH:
228 // parse \x00 string
229 if(*c == 'x'){// just ignore this char
230 base = 16;
231 break;
232 }
233 if(isxdigit(*c)){
234 strtolbyte = strtol(c, &n, base);
235 if((strtolbyte < 0) || (strtolbyte > 255)){
236 if(errstr) Snprintf(errstr, errstrlen, "invalid ipv4 address format");
237 return OP_FAILURE;
238 }
239 *d++ = (u8) strtolbyte;
240 c = n-1;
241 }else{
242 if(errstr) Snprintf(errstr, errstrlen, "not a digit after '\\'");
243 return OP_FAILURE;
244 }
245 s = NONE;
246 break;
247 case MUL:
248 if(d==data){
249 if(errstr) Snprintf(errstr, errstrlen, "nothing before '*' char");
250 return OP_FAILURE;
251 }
252 i = strtol(c, &n, 10);
253 if(i<2){
254 if(errstr) Snprintf(errstr, errstrlen, "bad number after '*'");
255 return OP_FAILURE;
256 }
257 c = n-1; // move current txt pointer
258 lc = *(d-1); // last char, we'll copy this
259 for(j=1; j<i; j++){
260 *d++ = lc;
261 if(d == dataend) // check for overflow
262 goto after;
263 }
264 s = NONE;
265 break;
266 case RR:
267 if(*c==' ' || *c==',')
268 break;
269 n = buf;
270 while((*c=='.' || (*c>='0' && *c<='9')) && n-buf <= ((int)sizeof(buf)-1))
271 *n++ = *c++;
272 *n = '\0'; c--;
273 if(d+4>=dataend){
274 if(errstr) Snprintf(errstr, errstrlen, "Buffer too small. Or input data too big :)");
275 return OP_FAILURE;
276 }
277 i = inet_pton(AF_INET, buf, d);
278 if(i<1){
279 if(errstr) Snprintf(errstr, errstrlen, "Not a valid ipv4 address '%s'",buf);
280 return OP_FAILURE;
281 }
282 // remember offset of first hop
283 if(sourcerouting && !*firsthopoff)
284 *firsthopoff = d - data;
285 d+=4;
286 if(*len<37)
287 *len += 4;
288 break;
289 case TIME:
290 if(errstr) Snprintf(errstr, errstrlen, "No more arguments allowed!");
291 return OP_FAILURE;
292 default:
293 switch(*c){
294 case '\\':s = SLASH;base=10;break;
295 case '*':s = MUL;break;
296 case 'R':
297 case 'S':
298 case 'L':
299 if(d != data){
300 if(errstr) Snprintf(errstr, errstrlen, "This option can't be used in that way");
301 return OP_FAILURE;
302 }
303 *d++ = '\x01';//NOP
304 switch(*c){
305 case 'R':*d++ = 7;break;
306 case 'S':*d++ = 137; sourcerouting=1; break;
307 case 'L':*d++ = 131; sourcerouting=1; break;
308 }
309 len = d;
310 *d++ = (*c=='R')? 39 : 3; // length: 3+4*9 bytes
311 *d++ = 4; //pointer
312 s = RR;
313 break;
314 case 'T':
315 case 'U':
316 if(d != data){
317 if(errstr) Snprintf(errstr, errstrlen, "This option can't be used in that way");
318 return OP_FAILURE;
319 }
320 *d++ = 68; // option type
321 len = d;
322 *d++ = (*c=='U') ? 36 : 40; // length: 3+4*9 bytes or 4+4*9 bytes
323 *d++ = 5; // pointer
324 *d++ = (*c=='U') ? 1 : 0; // flag: address and Time fields
325 s = TIME;
326 break;
327 default://*d++ = *c;
328 if(errstr) Snprintf(errstr, errstrlen, "Bad character in ip option '%c'",*c);
329 return OP_FAILURE;
330 }
331 }
332 if(d == dataend)
333 break;
334 assert(d<dataend);
335 }
336 if(sourcerouting){
337 if(*len<37){
338 *len+=4;
339 *lasthopoff = d - data;
340 *d++ = 0;*d++ = 0;*d++ = 0;*d++ = 0;
341 }else{
342 if(errstr) Snprintf(errstr, errstrlen, "When using source routing you must leave at least one slot for target's ip.");
343 return OP_FAILURE;
344 }
345 }
346 if(s == RR)
347 return(*len+1); // because we inject NOP before
348 if(s == TIME)
349 return(*len);
350 after:
351 return(d - data);
352 }
353
354 /* Internal helper for resolve and resolve_numeric. addl_flags is ored into
355 hints.ai_flags, so you can add AI_NUMERICHOST. */
resolve_internal(const char * hostname,unsigned short port,struct sockaddr_storage * ss,size_t * sslen,int af,int addl_flags)356 static int resolve_internal(const char *hostname, unsigned short port,
357 struct sockaddr_storage *ss, size_t *sslen, int af, int addl_flags) {
358 struct addrinfo hints;
359 struct addrinfo *result;
360 char portbuf[16];
361 int rc;
362
363 assert(hostname);
364 assert(ss);
365 assert(sslen);
366
367 memset(&hints, 0, sizeof(hints));
368 hints.ai_family = af;
369 hints.ai_socktype = SOCK_DGRAM;
370 hints.ai_flags |= addl_flags;
371
372 /* Make the port number a string to give to getaddrinfo. */
373 rc = Snprintf(portbuf, sizeof(portbuf), "%hu", port);
374 assert(rc >= 0 && (size_t) rc < sizeof(portbuf));
375
376 rc = getaddrinfo(hostname, portbuf, &hints, &result);
377 if (rc != 0)
378 return rc;
379 if (result == NULL)
380 return EAI_NONAME;
381 assert(result->ai_addrlen > 0 && result->ai_addrlen <= (int) sizeof(struct sockaddr_storage));
382 *sslen = result->ai_addrlen;
383 memcpy(ss, result->ai_addr, *sslen);
384 freeaddrinfo(result);
385
386 return 0;
387 }
388
389 /* Resolves the given hostname or IP address with getaddrinfo, and stores the
390 first result (if any) in *ss and *sslen. The value of port will be set in the
391 appropriate place in *ss; set to 0 if you don't care. af may be AF_UNSPEC, in
392 which case getaddrinfo may return e.g. both IPv4 and IPv6 results; which one
393 is first depends on the system configuration. Returns 0 on success, or a
394 getaddrinfo return code (suitable for passing to gai_strerror) on failure.
395 *ss and *sslen are always defined when this function returns 0. */
resolve(const char * hostname,unsigned short port,struct sockaddr_storage * ss,size_t * sslen,int af)396 int resolve(const char *hostname, unsigned short port,
397 struct sockaddr_storage *ss, size_t *sslen, int af) {
398 return resolve_internal(hostname, port, ss, sslen, af, 0);
399 }
400
401 /* As resolve, but do not do DNS resolution of hostnames; the first argument
402 must be the string representation of a numeric IP address. */
resolve_numeric(const char * ip,unsigned short port,struct sockaddr_storage * ss,size_t * sslen,int af)403 int resolve_numeric(const char *ip, unsigned short port,
404 struct sockaddr_storage *ss, size_t *sslen, int af) {
405 return resolve_internal(ip, port, ss, sslen, af, AI_NUMERICHOST);
406 }
407
408 /*
409 * Returns 1 if this is a reserved IP address, where "reserved" means
410 * either a private address, non-routable address, or even a non-reserved
411 * but unassigned address which has an extremely high probability of being
412 * black-holed.
413 *
414 * We try to optimize speed when ordering the tests. This optimization
415 * assumes that all byte values are equally likely in the input.
416 *
417 * Check
418 * <http://www.iana.org/assignments/ipv4-address-space/ipv4-address-space.txt>
419 * for the most recent assigments and
420 * <http://www.cymru.com/Documents/bogon-bn-nonagg.txt> for bogon
421 * netblocks.
422 */
ip_is_reserved(struct in_addr * ip)423 int ip_is_reserved(struct in_addr *ip)
424 {
425 char *ipc = (char *) &(ip->s_addr);
426 unsigned char i1 = ipc[0], i2 = ipc[1], i3 = ipc[2]; /* i4 not currently used - , i4 = ipc[3]; */
427
428 /* do all the /7's and /8's with a big switch statement, hopefully the
429 * compiler will be able to optimize this a little better using a jump table
430 * or what have you
431 */
432 switch (i1)
433 {
434 case 0: /* 000/8 is IANA reserved */
435 case 10: /* the infamous 10.0.0.0/8 */
436 case 127: /* 127/8 is reserved for loopback */
437 return 1;
438 default:
439 break;
440 }
441
442 /* 172.16.0.0/12 is reserved for private nets by RFC1918 */
443 if (i1 == 172 && i2 >= 16 && i2 <= 31)
444 return 1;
445
446 /* 192.0.2.0/24 is reserved for documentation and examples (RFC5737) */
447 /* 192.88.99.0/24 is used as 6to4 Relay anycast prefix by RFC3068 */
448 /* 192.168.0.0/16 is reserved for private nets by RFC1918 */
449 if (i1 == 192) {
450 if (i2 == 0 && i3 == 2)
451 return 1;
452 if (i2 == 88 && i3 == 99)
453 return 1;
454 if (i2 == 168)
455 return 1;
456 }
457
458 /* 198.18.0.0/15 is used for benchmark tests by RFC2544 */
459 /* 198.51.100.0/24 is reserved for documentation (RFC5737) */
460 if (i1 == 198) {
461 if (i2 == 18 || i2 == 19)
462 return 1;
463 if (i2 == 51 && i3 == 100)
464 return 1;
465 }
466
467 /* 169.254.0.0/16 is reserved for DHCP clients seeking addresses - RFC3927 */
468 if (i1 == 169 && i2 == 254)
469 return 1;
470
471 /* 203.0.113.0/24 is reserved for documentation (RFC5737) */
472 if (i1 == 203 && i2 == 0 && i3 == 113)
473 return 1;
474
475 /* 224-239/8 is all multicast stuff */
476 /* 240-255/8 is IANA reserved */
477 if (i1 >= 224)
478 return 1;
479
480 return 0;
481 }
482
483 /* A trivial functon that maintains a cache of IP to MAC Address
484 entries. If the command is MACCACHE_GET, this func looks for the
485 IPv4 address in ss and fills in the 'mac' parameter and returns
486 true if it is found. Otherwise (not found), the function returns
487 false. If the command is MACCACHE_SET, the function adds an entry
488 with the given ip (ss) and mac address. An existing entry for the
489 IP ss will be overwritten with the new MAC address. true is always
490 returned for the set command. */
491 #define MACCACHE_GET 1
492 #define MACCACHE_SET 2
do_mac_cache(int command,const struct sockaddr_storage * ss,u8 * mac)493 static int do_mac_cache(int command, const struct sockaddr_storage *ss, u8 *mac) {
494 struct MacCache {
495 struct sockaddr_storage ip;
496 u8 mac[6];
497 };
498 static struct MacCache *Cache = NULL;
499 static int MacCapacity = 0;
500 static int MacCacheSz = 0;
501 int i;
502
503 if (command == MACCACHE_GET) {
504 for (i = 0; i < MacCacheSz; i++) {
505 if (sockaddr_storage_cmp(&Cache[i].ip, ss) == 0) {
506 memcpy(mac, Cache[i].mac, 6);
507 return 1;
508 }
509 }
510 return 0;
511 }
512 assert(command == MACCACHE_SET);
513 if (MacCacheSz == MacCapacity) {
514 if (MacCapacity == 0)
515 MacCapacity = 32;
516 else
517 MacCapacity <<= 2;
518 Cache = (struct MacCache *) safe_realloc(Cache, MacCapacity * sizeof(struct MacCache));
519 }
520
521 /* Ensure that it isn't already there ... */
522 for (i = 0; i < MacCacheSz; i++) {
523 if (sockaddr_storage_cmp(&Cache[i].ip, ss) == 0) {
524 memcpy(Cache[i].mac, mac, 6);
525 return 1;
526 }
527 }
528
529 /* Add it to the end of the list */
530 memcpy(&Cache[i].ip, ss, sizeof(struct sockaddr_storage));
531 memcpy(Cache[i].mac, mac, 6);
532 MacCacheSz++;
533 return 1;
534 }
535
536 /* A couple of trivial functions that maintain a cache of IP to MAC
537 * Address entries. Function mac_cache_get() looks for the IPv4 address
538 * in ss and fills in the 'mac' parameter and returns true if it is
539 * found. Otherwise (not found), the function returns false.
540 * Function mac_cache_set() adds an entry with the given ip (ss) and
541 * mac address. An existing entry for the IP ss will be overwritten
542 * with the new MAC address. mac_cache_set() always returns true.
543 * WARNING: The caller must ensure that the supplied "ss" is of family
544 * AF_INET. Otherwise the function will return 0 and there would be
545 * no way for the caller to tell tell the difference between an error
546 * or a cache miss.*/
mac_cache_get(const struct sockaddr_storage * ss,u8 * mac)547 int mac_cache_get(const struct sockaddr_storage *ss, u8 *mac){
548 return do_mac_cache(MACCACHE_GET, ss, mac);
549 }
mac_cache_set(const struct sockaddr_storage * ss,u8 * mac)550 int mac_cache_set(const struct sockaddr_storage *ss, u8 *mac){
551 return do_mac_cache(MACCACHE_SET, ss, mac);
552 }
553
554 /* Standard BSD internet checksum routine. Uses libdnet helper functions. */
in_cksum(u16 * ptr,int nbytes)555 unsigned short in_cksum(u16 *ptr,int nbytes) {
556 int sum;
557
558 sum = ip_cksum_add(ptr, nbytes, 0);
559
560 return ip_cksum_carry(sum);
561
562 return 0;
563 }
564
565
566 /* Return true iff this Next Header type is an extension header we must skip to
567 get to the upper-layer header. Types for which neither this function nor
568 ipv6_is_upperlayer return true are unknown and could be either. */
ipv6_is_extension_header(u8 type)569 static int ipv6_is_extension_header(u8 type)
570 {
571 switch (type) {
572 case IP_PROTO_HOPOPTS:
573 case IP_PROTO_DSTOPTS:
574 case IP_PROTO_ROUTING:
575 case IP_PROTO_FRAGMENT:
576 /*
577 case IP_PROTO_ESP:
578 case IP_PROTO_AH:
579 */
580 return 1;
581 default:
582 return 0;
583 }
584 }
585
586 /* Return true iff this Next Header type is a known upper-layer protocol, one
587 that isn't followed by any more headers. Types for which neither this
588 function nor ipv6_is_upperlayer return true are unknown and could be
589 either. */
ipv6_is_upperlayer(u8 type)590 static int ipv6_is_upperlayer(u8 type)
591 {
592 switch (type) {
593 case IP_PROTO_NONE:
594 case IP_PROTO_TCP:
595 case IP_PROTO_UDP:
596 case IP_PROTO_ICMP:
597 case IP_PROTO_ICMPV6:
598 case IP_PROTO_SCTP:
599 return 1;
600 default:
601 return 0;
602 }
603 }
604
605 /* upperlayer_only controls whether we require a known upper-layer protocol at
606 the end of the chain, or return the last readable header even if it is not an
607 upper-layer protocol (may even be another extension header). */
ipv6_get_data_primitive(const struct ip6_hdr * ip6,unsigned int * len,u8 * nxt,bool upperlayer_only)608 static const void *ipv6_get_data_primitive(const struct ip6_hdr *ip6,
609 unsigned int *len, u8 *nxt, bool upperlayer_only)
610 {
611 const unsigned char *p, *end;
612
613 if (*len < sizeof(*ip6))
614 return NULL;
615
616 p = (unsigned char *) ip6;
617 end = p + *len;
618
619 *nxt = ip6->ip6_nxt;
620 p += sizeof(*ip6);
621 while (p < end && ipv6_is_extension_header(*nxt)) {
622 if (p + 2 > end)
623 return NULL;
624 *nxt = *p;
625 p += (*(p + 1) + 1) * 8;
626 }
627
628 *len = end - p;
629 if (upperlayer_only && !ipv6_is_upperlayer(*nxt))
630 return NULL;
631
632 return (char *) p;
633 }
634
ip_get_data_primitive(const void * packet,unsigned int * len,struct abstract_ip_hdr * hdr,bool upperlayer_only)635 static const void *ip_get_data_primitive(const void *packet, unsigned int *len,
636 struct abstract_ip_hdr *hdr, bool upperlayer_only) {
637 const struct ip *ip;
638
639 ip = (struct ip *) packet;
640 if (*len >= 20 && ip->ip_v == 4) {
641 struct sockaddr_in *sin;
642
643 hdr->version = 4;
644
645 sin = (struct sockaddr_in *) &hdr->src;
646 memset(&hdr->src, 0, sizeof(hdr->src));
647 sin->sin_family = AF_INET;
648 sin->sin_addr.s_addr = ip->ip_src.s_addr;
649
650 sin = (struct sockaddr_in *) &hdr->dst;
651 memset(&hdr->dst, 0, sizeof(hdr->dst));
652 sin->sin_family = AF_INET;
653 sin->sin_addr.s_addr = ip->ip_dst.s_addr;
654
655 hdr->proto = ip->ip_p;
656 hdr->ttl = ip->ip_ttl;
657 hdr->ipid = ntohs(ip->ip_id);
658 return ipv4_get_data(ip, len);
659 } else if (*len >= 40 && ip->ip_v == 6) {
660 const struct ip6_hdr *ip6 = (struct ip6_hdr *) ip;
661 struct sockaddr_in6 *sin6;
662
663 hdr->version = 6;
664
665 sin6 = (struct sockaddr_in6 *) &hdr->src;
666 memset(&hdr->src, 0, sizeof(hdr->src));
667 sin6->sin6_family = AF_INET6;
668 memcpy(&sin6->sin6_addr, &ip6->ip6_src, IP6_ADDR_LEN);
669
670 sin6 = (struct sockaddr_in6 *) &hdr->dst;
671 memset(&hdr->dst, 0, sizeof(hdr->dst));
672 sin6->sin6_family = AF_INET6;
673 memcpy(&sin6->sin6_addr, &ip6->ip6_dst, IP6_ADDR_LEN);
674
675 hdr->ttl = ip6->ip6_hlim;
676 hdr->ipid = ntohl(ip6->ip6_flow & IP6_FLOWLABEL_MASK);
677 return ipv6_get_data_primitive(ip6, len, &hdr->proto, upperlayer_only);
678 }
679
680 return NULL;
681 }
682
683 /* Find the beginning of the data payload in the IP packet beginning at packet.
684 Returns the beginning of the payload, updates *len to be the length of the
685 payload, and fills in hdr if successful. Otherwise returns NULL and *hdr is
686 undefined. */
ip_get_data(const void * packet,unsigned int * len,struct abstract_ip_hdr * hdr)687 const void *ip_get_data(const void *packet, unsigned int *len,
688 struct abstract_ip_hdr *hdr) {
689 return ip_get_data_primitive(packet, len, hdr, true);
690 }
691
692 /* As ip_get_data, except that it doesn't insist that the payload be a known
693 upper-layer protocol. This can matter in IPv6 where the last element of a nh
694 chain may be a protocol we don't know about. */
ip_get_data_any(const void * packet,unsigned int * len,struct abstract_ip_hdr * hdr)695 const void *ip_get_data_any(const void *packet, unsigned int *len,
696 struct abstract_ip_hdr *hdr) {
697 return ip_get_data_primitive(packet, len, hdr, false);
698 }
699
700 /* Get the upper-layer protocol from an IPv4 packet. */
ipv4_get_data(const struct ip * ip,unsigned int * len)701 const void *ipv4_get_data(const struct ip *ip, unsigned int *len)
702 {
703 unsigned int header_len;
704
705 if (*len < 20)
706 return NULL;
707 header_len = ip->ip_hl * 4;
708 if (header_len < sizeof(*ip))
709 return NULL;
710 if (header_len > *len)
711 return NULL;
712 *len -= header_len;
713
714 return (char *) ip + header_len;
715 }
716
717 /* Get the upper-layer protocol from an IPv6 packet. This skips over known
718 extension headers. The length of the upper-layer payload is stored in *len.
719 The protocol is stored in *nxt. Returns NULL in case of error. */
ipv6_get_data(const struct ip6_hdr * ip6,unsigned int * len,u8 * nxt)720 const void *ipv6_get_data(const struct ip6_hdr *ip6, unsigned int *len, u8 *nxt)
721 {
722 return ipv6_get_data_primitive(ip6, len, nxt, true);
723 }
724
725 /* Get the protocol payload from an IPv6 packet. This skips over known extension
726 headers. It differs from ipv6_get_data in that it will return a result even
727 if the final header is not a known upper-layer protocol. */
ipv6_get_data_any(const struct ip6_hdr * ip6,unsigned int * len,u8 * nxt)728 const void *ipv6_get_data_any(const struct ip6_hdr *ip6, unsigned int *len, u8 *nxt)
729 {
730 return ipv6_get_data_primitive(ip6, len, nxt, false);
731 }
732
icmp_get_data(const struct icmp_hdr * icmp,unsigned int * len)733 const void *icmp_get_data(const struct icmp_hdr *icmp, unsigned int *len)
734 {
735 unsigned int header_len;
736
737 if (icmp->icmp_type == ICMP_TIMEXCEED || icmp->icmp_type == ICMP_UNREACH)
738 header_len = 8;
739 else
740 netutil_fatal("%s passed ICMP packet with unhandled type %d", __func__, icmp->icmp_type);
741 if (header_len > *len)
742 return NULL;
743 *len -= header_len;
744
745 return (char *) icmp + header_len;
746 }
747
icmpv6_get_data(const struct icmpv6_hdr * icmpv6,unsigned int * len)748 const void *icmpv6_get_data(const struct icmpv6_hdr *icmpv6, unsigned int *len)
749 {
750 unsigned int header_len;
751
752 if (icmpv6->icmpv6_type == ICMPV6_TIMEXCEED || icmpv6->icmpv6_type == ICMPV6_UNREACH)
753 header_len = 8;
754 else
755 netutil_fatal("%s passed ICMPv6 packet with unhandled type %d", __func__, icmpv6->icmpv6_type);
756 if (header_len > *len)
757 return NULL;
758 *len -= header_len;
759
760 return (char *) icmpv6 + header_len;
761 }
762
763
764 /* Calculate the Internet checksum of some given data concatentated with the
765 IPv4 pseudo-header. See RFC 1071 and TCP/IP Illustrated sections 3.2, 11.3,
766 and 17.3. */
ipv4_pseudoheader_cksum(const struct in_addr * src,const struct in_addr * dst,u8 proto,u16 len,const void * hstart)767 unsigned short ipv4_pseudoheader_cksum(const struct in_addr *src,
768 const struct in_addr *dst, u8 proto, u16 len, const void *hstart) {
769 struct pseudo {
770 struct in_addr src;
771 struct in_addr dst;
772 u8 zero;
773 u8 proto;
774 u16 length;
775 } hdr;
776 int sum;
777
778 hdr.src = *src;
779 hdr.dst = *dst;
780 hdr.zero = 0;
781 hdr.proto = proto;
782 hdr.length = htons(len);
783
784 /* Get the ones'-complement sum of the pseudo-header. */
785 sum = ip_cksum_add(&hdr, sizeof(hdr), 0);
786 /* Add it to the sum of the packet. */
787 sum = ip_cksum_add(hstart, len, sum);
788
789 /* Fold in the carry, take the complement, and return. */
790 sum = ip_cksum_carry(sum);
791 /* RFC 768: "If the computed checksum is zero, it is transmitted as all
792 * ones (the equivalent in one's complement arithmetic). An all zero
793 * transmitted checksum value means that the transmitter generated no
794 * checksum" */
795 if (proto == IP_PROTO_UDP && sum == 0)
796 sum = 0xFFFF;
797
798 return sum;
799 }
800
801 /* Calculate the Internet checksum of some given data concatenated with the
802 IPv6 pseudo-header. See RFC 2460 section 8.1. */
ipv6_pseudoheader_cksum(const struct in6_addr * src,const struct in6_addr * dst,u8 nxt,u32 len,const void * hstart)803 u16 ipv6_pseudoheader_cksum(const struct in6_addr *src,
804 const struct in6_addr *dst, u8 nxt, u32 len, const void *hstart) {
805 struct {
806 struct in6_addr src;
807 struct in6_addr dst;
808 u32 length;
809 u8 z0, z1, z2;
810 u8 nxt;
811 } hdr;
812 int sum;
813
814 hdr.src = *src;
815 hdr.dst = *dst;
816 hdr.z0 = hdr.z1 = hdr.z2 = 0;
817 hdr.length = htonl(len);
818 hdr.nxt = nxt;
819
820 sum = ip_cksum_add(&hdr, sizeof(hdr), 0);
821 sum = ip_cksum_add(hstart, len, sum);
822 sum = ip_cksum_carry(sum);
823 /* RFC 2460: "Unlike IPv4, when UDP packets are originated by an IPv6 node,
824 the UDP checksum is not optional. That is, whenever originating a UDP
825 packet, an IPv6 node must compute a UDP checksum over the packet and the
826 pseudo-header, and, if that computation yields a result of zero, it must be
827 changed to hex FFFF for placement in the UDP header." */
828 if (nxt == IP_PROTO_UDP && sum == 0)
829 sum = 0xFFFF;
830
831 return sum;
832 }
833
sethdrinclude(int sd)834 void sethdrinclude(int sd) {
835 #ifdef IP_HDRINCL
836 int one = 1;
837 setsockopt(sd, IPPROTO_IP, IP_HDRINCL, (const char *) &one, sizeof(one));
838 #endif
839 }
840
set_ipoptions(int sd,void * opts,size_t optslen)841 void set_ipoptions(int sd, void *opts, size_t optslen) {
842 #ifdef IP_OPTIONS
843 if (sd == -1)
844 return;
845
846 setsockopt(sd, IPPROTO_IP, IP_OPTIONS, (const char *) opts, optslen);
847 #endif
848 }
849
set_ttl(int sd,int ttl)850 void set_ttl(int sd, int ttl) {
851 #ifdef IP_TTL
852 if (sd == -1)
853 return;
854
855 setsockopt(sd, IPPROTO_IP, IP_TTL, (const char *) &ttl, sizeof ttl);
856 #endif
857 }
858
859 /* Other than WIN32, what these systems have in common is that they use BPF for
860 packet capture. (Solaris 10 and earlier used DLPI and had valid selectable
861 fds.) */
862 #if defined(WIN32) || defined(MACOSX) || (defined(FREEBSD) && (__FreeBSD_version < 500000)) || defined(SOLARIS_BPF_PCAP_CAPTURE) || defined(OPENBSD)
863 /* Returns whether the system supports pcap_get_selectable_fd() properly */
pcap_selectable_fd_valid()864 int pcap_selectable_fd_valid() {
865 return 0;
866 }
867
868 /* Call this instead of pcap_get_selectable_fd directly (or your code
869 won't compile on Windows). On systems which don't seem to support
870 the pcap_get_selectable_fd() function properly, returns -1,
871 otherwise simply calls pcap_selectable_fd and returns the
872 results. If you just want to test whether the function is supported,
873 use pcap_selectable_fd_valid() instead. */
my_pcap_get_selectable_fd(pcap_t * p)874 int my_pcap_get_selectable_fd(pcap_t *p) {
875 return -1;
876 }
877 #else
pcap_selectable_fd_valid()878 int pcap_selectable_fd_valid() {
879 return 1;
880 }
my_pcap_get_selectable_fd(pcap_t * p)881 int my_pcap_get_selectable_fd(pcap_t *p) {
882 return pcap_get_selectable_fd(p);
883 }
884 #endif
885
886 /* Are we guaranteed to be able to read exactly one frame for each time the pcap
887 fd is selectable? If not, it's possible for the fd to become selectable, then
888 for pcap_dispatch to buffer two or more frames, and return only the first one
889 Because select doesn't know about pcap's buffer, the fd does not become
890 selectable again, even though another pcap_next_ex would succeed. On these
891 platforms, we must do a non-blocking read from the fd before doing a select
892 on the fd.
893
894 It is guaranteed that if pcap_selectable_fd_valid() is false, then so is the
895 return value of this function. */
pcap_selectable_fd_one_to_one()896 int pcap_selectable_fd_one_to_one() {
897 #ifdef SOLARIS
898 return 0;
899 #endif
900 return pcap_selectable_fd_valid();
901 }
902
903
904 /* returns -1 if we can't use select() on the pcap device, 0 for timeout, and
905 * >0 for success. If select() fails we bail out because it couldn't work with
906 * the file descriptor we got from my_pcap_get_selectable_fd()
907 */
pcap_select(pcap_t * p,struct timeval * timeout)908 int pcap_select(pcap_t *p, struct timeval *timeout) {
909 int ret;
910 #ifdef WIN32
911 DWORD msec_timeout = timeout->tv_sec * 1000 + timeout->tv_usec / 1000;
912 HANDLE event = pcap_getevent(p);
913 DWORD result = WaitForSingleObject(event, msec_timeout);
914
915 switch(result) {
916 case WAIT_OBJECT_0:
917 ret = 1;
918 break;
919 case WAIT_TIMEOUT:
920 ret = 0;
921 break;
922 case WAIT_FAILED:
923 ret = -1;
924 netutil_error("%s: WaitForSingleObject failed: %d", __func__, GetLastError());
925 break;
926 default:
927 ret = -1;
928 netutil_fatal("%s: WaitForSingleObject returned unknown result: %x", __func__, result);
929 break;
930 }
931
932 #else
933 int fd;
934 fd_set rfds;
935
936 if ((fd = my_pcap_get_selectable_fd(p)) == -1)
937 return -1;
938
939 FD_ZERO(&rfds);
940 FD_SET(fd, &rfds);
941
942 do {
943 errno = 0;
944 ret = select(fd + 1, &rfds, NULL, NULL, timeout);
945 if (ret == -1) {
946 if (errno == EINTR)
947 netutil_error("%s: %s", __func__, strerror(errno));
948 else
949 netutil_fatal("Your system does not support select()ing on pcap devices (%s). PLEASE REPORT THIS ALONG WITH DETAILED SYSTEM INFORMATION TO THE nmap-dev MAILING LIST!", strerror(errno));
950 }
951 } while (ret == -1);
952
953 #endif
954 return ret;
955 }
956
pcap_select(pcap_t * p,long usecs)957 int pcap_select(pcap_t *p, long usecs) {
958 struct timeval tv;
959
960 tv.tv_sec = usecs / 1000000;
961 tv.tv_usec = usecs % 1000000;
962
963 return pcap_select(p, &tv);
964 }
965
966
967 /* These two are for eth_open_cached() and eth_close_cached() */
968 static char etht_cache_device_name[64];
969 static eth_t *etht_cache_device = NULL;
970
971 /* A simple function that caches the eth_t from dnet for one device,
972 to avoid opening, closing, and re-opening it thousands of tims. If
973 you give a different device, this function will close the first
974 one. Thus this should never be used by programs that need to deal
975 with multiple devices at once. In addition, you MUST NEVER
976 eth_close() A DEVICE OBTAINED FROM THIS FUNCTION. Instead, you can
977 call eth_close_cached() to close whichever device (if any) is
978 cached. Returns NULL if it fails to open the device. */
eth_open_cached(const char * device)979 eth_t *eth_open_cached(const char *device) {
980 if (!device)
981 netutil_fatal("%s() called with NULL device name!", __func__);
982 if (!*device)
983 netutil_fatal("%s() called with empty device name!", __func__);
984
985 if (strcmp(device, etht_cache_device_name) == 0) {
986 /* Yay, we have it cached. */
987 return etht_cache_device;
988 }
989
990 if (*etht_cache_device_name) {
991 eth_close(etht_cache_device);
992 etht_cache_device_name[0] = '\0';
993 etht_cache_device = NULL;
994 }
995
996 etht_cache_device = eth_open(device);
997 if (etht_cache_device)
998 Strncpy(etht_cache_device_name, device,
999 sizeof(etht_cache_device_name));
1000
1001 return etht_cache_device;
1002 }
1003
1004 /* See the description for eth_open_cached */
eth_close_cached()1005 void eth_close_cached() {
1006 if (etht_cache_device) {
1007 eth_close(etht_cache_device);
1008 etht_cache_device = NULL;
1009 etht_cache_device_name[0] = '\0';
1010 }
1011 return;
1012 }
1013
1014 /* Takes a protocol number like IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IP,
1015 * etc, and returns an ASCII representation (or the string "unknown" if
1016 * it doesn't recognize the number). If uppercase is non zero, the
1017 * returned value will be in uppercase letters, otherwise it'll be
1018 * in lowercase */
proto2ascii_case(u8 proto,int uppercase)1019 const char *proto2ascii_case(u8 proto, int uppercase) {
1020 switch (proto) {
1021
1022 case IPPROTO_TCP:
1023 return uppercase ? "TCP" : "tcp";
1024 break;
1025 case IPPROTO_UDP:
1026 return uppercase ? "UDP" : "udp";
1027 break;
1028 case IPPROTO_SCTP:
1029 return uppercase ? "SCTP" : "sctp";
1030 break;
1031 case IPPROTO_IP:
1032 return uppercase ? "IP" : "ip";
1033 break;
1034 #ifdef IPPROTO_ICMP
1035 case IPPROTO_ICMP:
1036 return uppercase ? "ICMP" : "icmp";
1037 break;
1038 #endif
1039 #ifdef IPPROTO_IPV6
1040 case IPPROTO_IPV6:
1041 return uppercase ? "IPv6" : "ipv6";
1042 break;
1043 #endif
1044 #ifdef IPPROTO_ICMPV6
1045 case IPPROTO_ICMPV6:
1046 return uppercase ? "ICMPv6" : "icmpv6";
1047 break;
1048 #endif
1049 #ifdef IPPROTO_GRE
1050 case IPPROTO_GRE: // Generic Routing Encapsulation
1051 return uppercase ? "GRE" : "gre";
1052 break;
1053 #endif
1054 #ifdef IPPROTO_ESP
1055 case IPPROTO_ESP: // Encapsulating Security Payload (IPSec)
1056 return uppercase ? "IPSec/ESP" : "ipsec/esp";
1057 break;
1058 #endif
1059 #ifdef IPPROTO_AH
1060 case IPPROTO_AH: // Authentication Header (IPSec)
1061 return uppercase ? "IPSec/AH" : "ipsec/ah";
1062 break;
1063 #endif
1064 default:
1065 return uppercase ? "UNKNOWN" : "unknown";
1066 }
1067
1068 return NULL; // Unreached
1069 }
1070
proto2ascii_lowercase(u8 proto)1071 const char *proto2ascii_lowercase(u8 proto) {
1072 return proto2ascii_case(proto, 0);
1073 }
proto2ascii_uppercase(u8 proto)1074 const char *proto2ascii_uppercase(u8 proto) {
1075 return proto2ascii_case(proto, 1);
1076 }
1077
1078 /* Get an ASCII information about a tcp option which is pointed by
1079 optp, with a length of len. The result is stored in the result
1080 buffer. The result may look like "<mss 1452,sackOK,timestamp
1081 45848914 0,nop,wscale 7>" */
tcppacketoptinfo(u8 * optp,int len,char * result,int bufsize)1082 void tcppacketoptinfo(u8 *optp, int len, char *result, int bufsize) {
1083 assert(optp);
1084 assert(result);
1085 char *p, ch;
1086 u8 *q;
1087 int opcode;
1088 u16 tmpshort;
1089 u32 tmpword1, tmpword2;
1090 unsigned int i=0;
1091
1092 p = result;
1093 *p = '\0';
1094 q = optp;
1095 ch = '<';
1096
1097 while (len > 0 && bufsize > 2) {
1098 Snprintf(p, bufsize, "%c", ch);
1099 bufsize--;
1100 p++;
1101 opcode = *q++;
1102 if (!opcode) { /* End of List */
1103
1104 Snprintf(p, bufsize, "eol");
1105 bufsize -= strlen(p);
1106 p += strlen(p);
1107
1108 len--;
1109
1110 } else if (opcode == 1) { /* No Op */
1111 Snprintf(p, bufsize, "nop");
1112 bufsize -= strlen(p);
1113 p += strlen(p);
1114
1115 len--;
1116 } else if (opcode == 2) { /* MSS */
1117 if (len < 4)
1118 break; /* MSS has 4 bytes */
1119
1120 q++;
1121 memcpy(&tmpshort, q, 2);
1122
1123 Snprintf(p, bufsize, "mss %hu", (unsigned short) ntohs(tmpshort));
1124 bufsize -= strlen(p);
1125 p += strlen(p);
1126
1127 q += 2;
1128 len -= 4;
1129 } else if (opcode == 3) { /* Window Scale */
1130 if (len < 3)
1131 break; /* Window Scale option has 3 bytes */
1132
1133 q++;
1134
1135 Snprintf(p, bufsize, "wscale %u", *q);
1136 bufsize -= strlen(p);
1137 p += strlen(p);
1138
1139 q++;
1140 len -= 3;
1141 } else if (opcode == 4) { /* SACK permitted */
1142 if (len < 2)
1143 break; /* SACK permitted option has 2 bytes */
1144
1145 Snprintf(p, bufsize, "sackOK");
1146 bufsize -= strlen(p);
1147 p += strlen(p);
1148
1149 q++;
1150 len -= 2;
1151 } else if (opcode == 5) { /* SACK */
1152 unsigned sackoptlen = *q;
1153 if ((unsigned) len < sackoptlen)
1154 break;
1155
1156 /* This would break parsing, so it's best to just give up */
1157 if (sackoptlen < 2)
1158 break;
1159
1160 q++;
1161
1162 if ((sackoptlen - 2) == 0 || ((sackoptlen - 2) % 8 != 0)) {
1163 Snprintf(p, bufsize, "malformed sack");
1164 bufsize -= strlen(p);
1165 p += strlen(p);
1166 } else {
1167 Snprintf(p, bufsize, "sack %d ", (sackoptlen - 2) / 8);
1168 bufsize -= strlen(p);
1169 p += strlen(p);
1170 for (i = 0; i < sackoptlen - 2; i += 8) {
1171 memcpy(&tmpword1, q + i, 4);
1172 memcpy(&tmpword2, q + i + 4, 4);
1173 Snprintf(p, bufsize, "{%u:%u}", tmpword1, tmpword2);
1174 bufsize -= strlen(p);
1175 p += strlen(p);
1176 }
1177 }
1178
1179 q += sackoptlen - 2;
1180 len -= sackoptlen;
1181 } else if (opcode == 8) { /* Timestamp */
1182 if (len < 10)
1183 break; /* Timestamp option has 10 bytes */
1184
1185 q++;
1186 memcpy(&tmpword1, q, 4);
1187 memcpy(&tmpword2, q + 4, 4);
1188
1189 Snprintf(p, bufsize, "timestamp %lu %lu", (unsigned long) ntohl(tmpword1),
1190 (unsigned long) ntohl(tmpword2));
1191 bufsize -= strlen(p);
1192 p += strlen(p);
1193
1194 q += 8;
1195 len -= 10;
1196 }
1197
1198 ch = ',';
1199 }
1200
1201 if (len > 0) {
1202 *result = '\0';
1203 return;
1204 }
1205
1206 Snprintf(p, bufsize, ">");
1207 }
1208
1209
1210
1211 /* A trivial function used with qsort to sort the routes by netmask and metric */
routecmp(const void * a,const void * b)1212 static int routecmp(const void *a, const void *b) {
1213 struct sys_route *r1 = (struct sys_route *) a;
1214 struct sys_route *r2 = (struct sys_route *) b;
1215 if (r1->dest.ss_family < r2->dest.ss_family)
1216 return -1;
1217 else if (r1->dest.ss_family > r2->dest.ss_family)
1218 return 1;
1219
1220 if (r1->netmask_bits < r2->netmask_bits)
1221 return 1;
1222 else if (r1->netmask_bits > r2->netmask_bits)
1223 return -1;
1224
1225 if (r1->metric < r2->metric)
1226 return -1;
1227 else if (r1->metric > r2->metric)
1228 return 1;
1229
1230 /* Compare addresses of equal elements to make the sort stable, as suggested
1231 by the Glibc manual. */
1232 if (a < b)
1233 return -1;
1234 else if (a > b)
1235 return 1;
1236 else
1237 return 0;
1238 }
1239
1240
1241
1242 /* Convert an address to a string and back again. The first parsing step
1243 eliminates magical OS-specific syntax, for example on OS X, fe80:4::X:X:X:X
1244 becomes "fe80::X:X:X:X" (the "4" in this case is another way of writing the
1245 zone ID, like "%en0"; i.e., in this case en0 is interface number 4). This
1246 must be done before e.g. comparing addresses by netmask. */
canonicalize_address(const struct sockaddr_storage * ss,struct sockaddr_storage * output)1247 static int canonicalize_address(const struct sockaddr_storage *ss,
1248 struct sockaddr_storage *output) {
1249 char canonical_ip_string[NI_MAXHOST];
1250 struct addrinfo hints;
1251 struct addrinfo *ai;
1252 int rc;
1253
1254 /* Convert address to string. */
1255 rc = getnameinfo((struct sockaddr *) ss, sizeof(*ss),
1256 canonical_ip_string, sizeof(canonical_ip_string), NULL, 0, NI_NUMERICHOST);
1257 if (rc != 0) {
1258 /* Don't care. */
1259 *output = *ss;
1260 return 0;
1261 }
1262
1263 memset(&hints, 0, sizeof(hints));
1264 hints.ai_family = ss->ss_family;
1265 hints.ai_socktype = SOCK_DGRAM;
1266 hints.ai_flags |= AI_NUMERICHOST;
1267
1268 rc = getaddrinfo(canonical_ip_string, NULL, &hints, &ai);
1269 if (rc != 0 || ai == NULL)
1270 return -1;
1271 assert(ai->ai_addrlen > 0 && ai->ai_addrlen <= (int) sizeof(*output));
1272 memcpy(output, ai->ai_addr, ai->ai_addrlen);
1273 freeaddrinfo(ai);
1274
1275 return 0;
1276 }
1277
collect_dnet_interfaces(const struct intf_entry * entry,void * arg)1278 static int collect_dnet_interfaces(const struct intf_entry *entry, void *arg) {
1279 struct dnet_collector_route_nfo *dcrn = (struct dnet_collector_route_nfo *) arg;
1280 bool primary_done;
1281 unsigned int num_aliases_done;
1282 struct sockaddr_storage tmpss;
1283 int rc;
1284
1285 primary_done = false;
1286 num_aliases_done = 0;
1287 while (!primary_done || num_aliases_done < entry->intf_alias_num) {
1288 /* Make sure we have room for the new route */
1289 if (dcrn->numifaces >= dcrn->capacity) {
1290 dcrn->capacity <<= 2;
1291 dcrn->ifaces = (struct interface_info *) safe_realloc(dcrn->ifaces,
1292 dcrn->capacity * sizeof(struct interface_info));
1293 }
1294
1295 /* The first time through the loop we add the primary interface record.
1296 After that we add the aliases one at a time. */
1297 if (!primary_done) {
1298 if ( (addr_ntos(&entry->intf_addr, (struct sockaddr *) &tmpss) == -1)
1299 #ifdef AF_LINK
1300 || (tmpss.ss_family == AF_LINK)
1301 #endif
1302 ) {
1303 dcrn->ifaces[dcrn->numifaces].addr.ss_family = 0;
1304 } else {
1305 rc = canonicalize_address(&tmpss, &dcrn->ifaces[dcrn->numifaces].addr);
1306 assert(rc == 0);
1307 }
1308 dcrn->ifaces[dcrn->numifaces].netmask_bits = entry->intf_addr.addr_bits;
1309 primary_done = true;
1310 } else if (num_aliases_done < entry->intf_alias_num) {
1311 if ( (addr_ntos(&entry->intf_alias_addrs[num_aliases_done], (struct sockaddr *) &tmpss) == -1)
1312 #ifdef AF_LINK
1313 || (tmpss.ss_family == AF_LINK)
1314 #endif
1315 ) {
1316 dcrn->ifaces[dcrn->numifaces].addr.ss_family = 0;
1317 } else {
1318 rc = canonicalize_address(&tmpss, &dcrn->ifaces[dcrn->numifaces].addr);
1319 assert(rc == 0);
1320 }
1321 dcrn->ifaces[dcrn->numifaces].netmask_bits = entry->intf_alias_addrs[num_aliases_done].addr_bits;
1322 num_aliases_done++;
1323 }
1324
1325 /* OK, address/netmask found. Let's get the name */
1326 Strncpy(dcrn->ifaces[dcrn->numifaces].devname, entry->intf_name,
1327 sizeof(dcrn->ifaces[dcrn->numifaces].devname));
1328 Strncpy(dcrn->ifaces[dcrn->numifaces].devfullname, entry->intf_name,
1329 sizeof(dcrn->ifaces[dcrn->numifaces].devfullname));
1330
1331 /* Interface type */
1332 if (entry->intf_type == INTF_TYPE_ETH && (entry->intf_flags & INTF_FLAG_NOARP) == 0) {
1333 dcrn->ifaces[dcrn->numifaces].device_type = devt_ethernet;
1334 /* Collect the MAC address since this is ethernet */
1335 memcpy(dcrn->ifaces[dcrn->numifaces].mac, &entry->intf_link_addr.addr_eth.data, 6);
1336 } else if (entry->intf_type == INTF_TYPE_LOOPBACK) {
1337 dcrn->ifaces[dcrn->numifaces].device_type = devt_loopback;
1338 } else if (entry->intf_type == INTF_TYPE_TUN) {
1339 dcrn->ifaces[dcrn->numifaces].device_type = devt_p2p;
1340 } else {
1341 dcrn->ifaces[dcrn->numifaces].device_type = devt_other;
1342 }
1343
1344 dcrn->ifaces[dcrn->numifaces].ifindex = entry->intf_index;
1345
1346 dcrn->ifaces[dcrn->numifaces].mtu = entry->intf_mtu;
1347
1348 /* Is the interface up and running? */
1349 dcrn->ifaces[dcrn->numifaces].device_up = (entry->intf_flags & INTF_FLAG_UP) ? true : false;
1350
1351 /* For the rest of the information, we must open the interface directly ... */
1352 dcrn->numifaces++;
1353 }
1354
1355 return 0;
1356 }
1357
1358 /* Get a list of interfaces using dnet and intf_loop. */
getinterfaces_dnet(int * howmany,char * errstr,size_t errstrlen)1359 static struct interface_info *getinterfaces_dnet(int *howmany, char *errstr, size_t errstrlen) {
1360 struct dnet_collector_route_nfo dcrn;
1361 intf_t *it;
1362
1363 dcrn.routes = NULL;
1364 dcrn.numroutes = 0;
1365 dcrn.numifaces = 0;
1366
1367 assert(howmany);
1368
1369 /* Initialize the interface array. */
1370 dcrn.capacity = 16;
1371 dcrn.ifaces = (struct interface_info *) safe_zalloc(sizeof(struct interface_info) * dcrn.capacity);
1372
1373 it = intf_open();
1374 if (!it){
1375 if(errstr) Snprintf(errstr, errstrlen, "%s: intf_open() failed", __func__);
1376 *howmany=-1;
1377 return NULL;
1378 }
1379 if (intf_loop(it, collect_dnet_interfaces, &dcrn) != 0){
1380 if(errstr) Snprintf(errstr, errstrlen, "%s: intf_loop() failed", __func__);
1381 *howmany=-1;
1382 return NULL;
1383 }
1384 intf_close(it);
1385
1386 *howmany = dcrn.numifaces;
1387 return dcrn.ifaces;
1388 }
1389
1390 /* Returns an allocated array of struct interface_info representing the
1391 available interfaces. The number of interfaces is returned in *howmany. This
1392 function just does caching of results; the real work is done in
1393 getinterfaces_dnet().
1394 On error, NULL is returned, howmany is set to -1 and the supplied
1395 error buffer "errstr", if not NULL, will contain an error message. */
getinterfaces(int * howmany,char * errstr,size_t errstrlen)1396 struct interface_info *getinterfaces(int *howmany, char *errstr, size_t errstrlen) {
1397 static int initialized = 0;
1398 static struct interface_info *mydevs;
1399 static int numifaces = 0;
1400
1401 if (!initialized) {
1402 mydevs = getinterfaces_dnet(&numifaces, errstr, errstrlen);
1403 initialized = 1;
1404 }
1405
1406 /* These will propagate any error produced in getinterfaces_xxxx() to
1407 * the caller. */
1408 if (howmany)
1409 *howmany = numifaces;
1410 return mydevs;
1411 }
1412
1413
1414 /* The 'dev' passed in must be at least 32 bytes long. Returns 0 on success. */
ipaddr2devname(char * dev,const struct sockaddr_storage * addr)1415 int ipaddr2devname(char *dev, const struct sockaddr_storage *addr) {
1416 struct interface_info *ifaces;
1417 int numifaces;
1418 int i;
1419
1420 ifaces = getinterfaces(&numifaces, NULL, 0);
1421
1422 if (ifaces == NULL)
1423 return -1;
1424
1425 for (i = 0; i < numifaces; i++) {
1426 if (sockaddr_storage_cmp(&ifaces[i].addr, addr) == 0) {
1427 Strncpy(dev, ifaces[i].devname, 32);
1428 return 0;
1429 }
1430 }
1431
1432 return -1;
1433 }
1434
devname2ipaddr(char * dev,struct sockaddr_storage * addr)1435 int devname2ipaddr(char *dev, struct sockaddr_storage *addr) {
1436 struct interface_info *mydevs;
1437 int numdevs;
1438 int i;
1439 mydevs = getinterfaces(&numdevs, NULL, 0);
1440
1441 if (!mydevs)
1442 return -1;
1443
1444 for (i = 0; i < numdevs; i++) {
1445 if (!strcmp(dev, mydevs[i].devfullname)) {
1446 *addr = mydevs[i].addr;
1447 return 0;
1448 }
1449 }
1450 return -1;
1451 }
1452
1453 /* Looks for an interface with the given name (iname) and address
1454 family type, and returns the corresponding interface_info if found.
1455 Will accept a match of devname or devfullname. Returns NULL if
1456 none found */
getInterfaceByName(const char * iname,int af)1457 struct interface_info *getInterfaceByName(const char *iname, int af) {
1458 struct interface_info *ifaces;
1459 int numifaces = 0;
1460 int ifnum;
1461
1462 ifaces = getinterfaces(&numifaces, NULL, 0);
1463
1464 for (ifnum = 0; ifnum < numifaces; ifnum++) {
1465 if ((strcmp(ifaces[ifnum].devfullname, iname) == 0 ||
1466 strcmp(ifaces[ifnum].devname, iname) == 0) &&
1467 ifaces[ifnum].addr.ss_family == af)
1468 return &ifaces[ifnum];
1469 }
1470
1471 return NULL;
1472 }
1473
1474
sockaddr_equal(const struct sockaddr_storage * a,const struct sockaddr_storage * b)1475 int sockaddr_equal(const struct sockaddr_storage *a,
1476 const struct sockaddr_storage *b) {
1477
1478 if (a->ss_family == AF_INET && b->ss_family == AF_INET) {
1479 struct sockaddr_in *sa, *sb;
1480
1481 sa = (struct sockaddr_in *) a;
1482 sb = (struct sockaddr_in *) b;
1483
1484 return sa->sin_addr.s_addr == sb->sin_addr.s_addr;
1485 } if (a->ss_family == AF_INET6 && b->ss_family == AF_INET6) {
1486 struct sockaddr_in6 *sa, *sb;
1487
1488 sa = (struct sockaddr_in6 *) a;
1489 sb = (struct sockaddr_in6 *) b;
1490
1491 return memcmp(sa->sin6_addr.s6_addr, sb->sin6_addr.s6_addr, sizeof(sa->sin6_addr.s6_addr)) == 0;
1492 }
1493
1494 return 0;
1495 }
1496
sockaddr_equal_netmask(const struct sockaddr_storage * a,const struct sockaddr_storage * b,u16 nbits)1497 int sockaddr_equal_netmask(const struct sockaddr_storage *a,
1498 const struct sockaddr_storage *b, u16 nbits) {
1499 unsigned char netmask[IP6_ADDR_LEN];
1500
1501 addr_btom(nbits, netmask, sizeof(netmask));
1502
1503 if (a->ss_family == AF_INET && b->ss_family == AF_INET) {
1504 struct in_addr *sa, *sb, *sn;
1505
1506 sa = &((struct sockaddr_in *) a)->sin_addr;
1507 sb = &((struct sockaddr_in *) b)->sin_addr;
1508 sn = (struct in_addr *) netmask;
1509
1510 return (sa->s_addr & sn->s_addr) == (sb->s_addr & sn->s_addr);
1511 } else if (a->ss_family == AF_INET6 && b->ss_family == AF_INET6) {
1512 struct in6_addr *sa, *sb, *sn;
1513 unsigned int i;
1514
1515 sa = &((struct sockaddr_in6 *) a)->sin6_addr;
1516 sb = &((struct sockaddr_in6 *) b)->sin6_addr;
1517 sn = (struct in6_addr *) netmask;
1518
1519 for (i = 0; i < sizeof(sa->s6_addr); i++) {
1520 if ((sa->s6_addr[i] & sn->s6_addr[i]) != (sb->s6_addr[i] & sn->s6_addr[i])) {
1521 return 0;
1522 }
1523 }
1524
1525 return 1;
1526 }
1527
1528 return 0;
1529 }
1530
sockaddr_equal_zero(const struct sockaddr_storage * s)1531 int sockaddr_equal_zero(const struct sockaddr_storage *s) {
1532 if (s->ss_family == AF_INET) {
1533 const struct sockaddr_in *sin;
1534
1535 sin = (struct sockaddr_in *) s;
1536 return sin->sin_addr.s_addr == 0;
1537 } if (s->ss_family == AF_INET6) {
1538 const struct sockaddr_in6 *sin6;
1539
1540 sin6 = (struct sockaddr_in6 *) s;
1541 return memcmp(sin6->sin6_addr.s6_addr, IP6_ADDR_UNSPEC, IP6_ADDR_LEN) == 0;
1542 }
1543
1544 return 0;
1545 }
1546
1547 /* This is a helper for getsysroutes_dnet. Once the table of routes is in
1548 place, this function assigns each to an interface and removes any routes
1549 that can't be assigned. */
sysroutes_dnet_find_interfaces(struct dnet_collector_route_nfo * dcrn)1550 static struct dnet_collector_route_nfo *sysroutes_dnet_find_interfaces(struct dnet_collector_route_nfo *dcrn)
1551 {
1552 struct interface_info *ifaces;
1553 int numifaces = 0;
1554 int i, j;
1555 int changed=0;
1556
1557 if( (ifaces=getinterfaces(&numifaces, NULL, 0))==NULL )
1558 return NULL;
1559 for (i = 0; i < dcrn->numroutes; i++) {
1560 if (dcrn->routes[i].device != NULL)
1561 continue;
1562
1563 /* First we match up routes whose gateway or destination address
1564 directly matches the address of an interface. */
1565 struct sys_route *route = &dcrn->routes[i];
1566 struct sockaddr_storage *routeaddr;
1567
1568 /* First see if the gateway was set */
1569 if (sockaddr_equal_zero(&route->gw))
1570 routeaddr = &dcrn->routes[i].dest;
1571 else
1572 routeaddr = &dcrn->routes[i].gw;
1573
1574 for (j = 0; j < numifaces; j++) {
1575 if (sockaddr_equal_netmask(&ifaces[j].addr, routeaddr, ifaces[j].netmask_bits)) {
1576 dcrn->routes[i].device = &ifaces[j];
1577 break;
1578 }
1579 }
1580 }
1581
1582 /* Find any remaining routes that don't yet have an interface, and try to
1583 match them up with the interface of another route. This handles "two-step"
1584 routes like sometimes exist with PPP, where the gateway address of the
1585 default route doesn't match an interface address, but the gateway address
1586 goes through another route that does have an interface. */
1587
1588 do {
1589 changed = 0;
1590 for (i = 0; i < dcrn->numroutes; i++) {
1591 if (dcrn->routes[i].device != NULL)
1592 continue;
1593 /* Does this route's gateway go through another route with an assigned
1594 interface? */
1595 for (j = 0; j < dcrn->numroutes; j++) {
1596 if (sockaddr_equal(&dcrn->routes[i].gw, &dcrn->routes[j].dest)
1597 && dcrn->routes[j].device != NULL) {
1598 dcrn->routes[i].device = dcrn->routes[j].device;
1599 changed = 1;
1600 }
1601 }
1602 }
1603 } while (changed);
1604
1605 /* Cull any routes that still don't have an interface. */
1606 i = 0;
1607 while (i < dcrn->numroutes) {
1608 if (dcrn->routes[i].device == NULL) {
1609 char destbuf[INET6_ADDRSTRLEN];
1610 char gwbuf[INET6_ADDRSTRLEN];
1611
1612 strncpy(destbuf, inet_ntop_ez(&dcrn->routes[i].dest, sizeof(dcrn->routes[i].dest)), sizeof(destbuf));
1613 strncpy(gwbuf, inet_ntop_ez(&dcrn->routes[i].gw, sizeof(dcrn->routes[i].gw)), sizeof(gwbuf));
1614 /*
1615 netutil_error("WARNING: Unable to find appropriate interface for system route to %s/%u gw %s",
1616 destbuf, dcrn->routes[i].netmask_bits, gwbuf);
1617 */
1618 /* Remove this entry from the table. */
1619 memmove(dcrn->routes + i, dcrn->routes + i + 1, sizeof(dcrn->routes[0]) * (dcrn->numroutes - i - 1));
1620 dcrn->numroutes--;
1621 } else {
1622 i++;
1623 }
1624 }
1625
1626 return dcrn;
1627 }
1628
1629
1630 /* This is the callback for the call to route_loop in getsysroutes_dnet. It
1631 takes a route entry and adds it into the dnet_collector_route_nfo struct. */
collect_dnet_routes(const struct route_entry * entry,void * arg)1632 static int collect_dnet_routes(const struct route_entry *entry, void *arg) {
1633 struct dnet_collector_route_nfo *dcrn = (struct dnet_collector_route_nfo *) arg;
1634
1635 /* Make sure we have room for the new route */
1636 if (dcrn->numroutes >= dcrn->capacity) {
1637 dcrn->capacity <<= 2;
1638 dcrn->routes = (struct sys_route *) safe_realloc(dcrn->routes, dcrn->capacity * sizeof(struct sys_route));
1639 }
1640
1641 /* Now for the important business */
1642 addr_ntos(&entry->route_dst, (struct sockaddr *) &dcrn->routes[dcrn->numroutes].dest);
1643 dcrn->routes[dcrn->numroutes].netmask_bits = entry->route_dst.addr_bits;
1644 addr_ntos(&entry->route_gw, (struct sockaddr *) &dcrn->routes[dcrn->numroutes].gw);
1645 dcrn->routes[dcrn->numroutes].metric = entry->metric;
1646 dcrn->routes[dcrn->numroutes].device = getInterfaceByName(entry->intf_name, dcrn->routes[dcrn->numroutes].dest.ss_family);
1647 dcrn->numroutes++;
1648
1649 return 0;
1650 }
1651
1652
1653 /* Read system routes via libdnet. */
getsysroutes_dnet(int * howmany,char * errstr,size_t errstrlen)1654 static struct sys_route *getsysroutes_dnet(int *howmany, char *errstr, size_t errstrlen) {
1655 struct dnet_collector_route_nfo dcrn;
1656
1657 dcrn.capacity = 128;
1658 dcrn.routes = (struct sys_route *) safe_zalloc(dcrn.capacity * sizeof(struct sys_route));
1659 dcrn.numroutes = 0;
1660 dcrn.ifaces = NULL;
1661 dcrn.numifaces = 0;
1662 assert(howmany);
1663 route_t *dr = route_open();
1664
1665 if (!dr){
1666 if(errstr) Snprintf(errstr, errstrlen, "%s: route_open() failed", __func__);
1667 *howmany=-1;
1668 return NULL;
1669 }
1670 if (route_loop(dr, collect_dnet_routes, &dcrn) != 0) {
1671 if(errstr) Snprintf(errstr, errstrlen, "%s: route_loop() failed", __func__);
1672 *howmany=-1;
1673 return NULL;
1674 }
1675 route_close(dr);
1676
1677 /* Now match up the routes to interfaces. */
1678 if( sysroutes_dnet_find_interfaces(&dcrn) == NULL ){
1679 if(errstr) Snprintf(errstr, errstrlen, "%s: sysroutes_dnet_find_interfaces() failed", __func__);
1680 return NULL;
1681 }
1682
1683 *howmany = dcrn.numroutes;
1684 return dcrn.routes;
1685 }
1686
1687
1688 /* Parse the system routing table, converting each route into a
1689 sys_route entry. Returns an array of sys_routes. numroutes is set
1690 to the number of routes in the array. The routing table is only
1691 read the first time this is called -- later results are cached.
1692 The returned route array is sorted by netmask with the most
1693 specific matches first.
1694 On error, NULL is returned, howmany is set to -1 and the supplied
1695 error buffer "errstr", if not NULL, will contain an error message. */
getsysroutes(int * howmany,char * errstr,size_t errstrlen)1696 struct sys_route *getsysroutes(int *howmany, char *errstr, size_t errstrlen) {
1697 static struct sys_route *routes = NULL;
1698 static int numroutes = 0;
1699 assert(howmany);
1700
1701 if (routes != NULL) {
1702 /* We have it cached. */
1703 *howmany = numroutes;
1704 return routes;
1705 }
1706
1707 routes = getsysroutes_dnet(howmany, errstr, errstrlen);
1708
1709 /* Check if we managed to get the routes and sort them if we did */
1710 if(routes==NULL){
1711 *howmany=-1;
1712 return NULL;
1713 }else{
1714 numroutes = *howmany;
1715 /* Ensure that the route array is sorted by netmask and metric */
1716 qsort(routes, numroutes, sizeof(routes[0]), routecmp);
1717 }
1718 return routes;
1719 }
1720
1721
1722 /* Tries to determine whether the supplied address corresponds to
1723 * localhost. (eg: the address is something like 127.x.x.x, the address
1724 * matches one of the local network interfaces' address, etc).
1725 * Returns 1 if the address is thought to be localhost and 0 otherwise */
islocalhost(const struct sockaddr_storage * ss)1726 int islocalhost(const struct sockaddr_storage *ss) {
1727 char dev[128];
1728 struct sockaddr_in *sin = NULL;
1729 struct sockaddr_in6 *sin6 = NULL;
1730
1731 if (ss->ss_family == AF_INET){
1732 sin = (struct sockaddr_in *) ss;
1733 /* If it is 0.0.0.0 or starts with 127 then it is probably localhost. */
1734 if ((sin->sin_addr.s_addr & htonl(0xFF000000)) == htonl(0x7F000000))
1735 return 1;
1736
1737 if (!(sin->sin_addr.s_addr))
1738 return 1;
1739 } else {
1740 sin6 = (struct sockaddr_in6 *) ss;
1741 /* If it is ::0 or ::1 then it is probably localhost. */
1742 if (memcmp(&(sin6->sin6_addr), IP6_ADDR_UNSPEC, IP6_ADDR_LEN) == 0)
1743 return 1;
1744 if (memcmp(&(sin6->sin6_addr), IP6_ADDR_LOOPBACK, IP6_ADDR_LEN) == 0)
1745 return 1;
1746 }
1747
1748 /* If it is the same addy as a local interface, then it is
1749 probably localhost */
1750 if (ipaddr2devname(dev, ss) != -1)
1751 return 1;
1752
1753 /* OK, so to a first approximation, this addy is probably not
1754 localhost */
1755 return 0;
1756 }
1757
1758
1759 /* Determines whether the supplied address corresponds to a private,
1760 * non-Internet-routable address. See RFC1918 for details.
1761 *
1762 * Also checks for link-local addressing per RFC3927.
1763 *
1764 * Returns 1 if the address is private or 0 otherwise. */
isipprivate(const struct sockaddr_storage * addr)1765 int isipprivate(const struct sockaddr_storage *addr) {
1766 const struct sockaddr_in *sin;
1767 char *ipc;
1768 unsigned char i1, i2;
1769
1770 if (!addr)
1771 return 0;
1772 if (addr->ss_family != AF_INET)
1773 return 0;
1774 sin = (struct sockaddr_in *) addr;
1775
1776 ipc = (char *) &(sin->sin_addr.s_addr);
1777 i1 = ipc[0];
1778 i2 = ipc[1];
1779
1780 /* 10.0.0.0/8 */
1781 if (i1 == 10)
1782 return 1;
1783
1784 /* 172.16.0.0/12 */
1785 if (i1 == 172 && i2 >= 16 && i2 <= 31)
1786 return 1;
1787
1788 /* 169.254.0.0/16 - RFC 3927 */
1789 if (i1 == 169 && i2 == 254)
1790 return 1;
1791
1792 /* 192.168.0.0/16 */
1793 if (i1 == 192 && i2 == 168)
1794 return 1;
1795
1796 return 0;
1797 }
1798
1799
nexthdrtoa(u8 nextheader,int acronym)1800 char *nexthdrtoa(u8 nextheader, int acronym){
1801
1802 static char buffer[129];
1803 memset(buffer, 0, 129);
1804
1805 #define HDRTOA(num, short_name, long_name) \
1806 case num: \
1807 strncpy(buffer, acronym ? short_name : long_name, 128);\
1808 break;
1809
1810 switch(nextheader){
1811 /* Generate these lines from nmap-protocols using the following perl command:
1812 perl -lne'if(/^(\S+)\s*(\d+)\s*\#?\s*(.*)/){my$l=$3||$1;print qq{HDRTOA($2, "$1", "$l")}}'
1813 */
1814 HDRTOA(0, "hopopt", "IPv6 Hop-by-Hop Option")
1815 HDRTOA(1, "icmp", "Internet Control Message")
1816 HDRTOA(2, "igmp", "Internet Group Management")
1817 HDRTOA(3, "ggp", "Gateway-to-Gateway")
1818 HDRTOA(4, "ipv4", "IP in IP (encapsulation)")
1819 HDRTOA(5, "st", "Stream")
1820 HDRTOA(6, "tcp", "Transmission Control")
1821 HDRTOA(7, "cbt", "CBT")
1822 HDRTOA(8, "egp", "Exterior Gateway Protocol")
1823 HDRTOA(9, "igp", "any private interior gateway")
1824 HDRTOA(10, "bbn-rcc-mon", "BBN RCC Monitoring")
1825 HDRTOA(11, "nvp-ii", "Network Voice Protocol")
1826 HDRTOA(12, "pup", "PARC universal packet protocol")
1827 HDRTOA(13, "argus", "ARGUS")
1828 HDRTOA(14, "emcon", "EMCON")
1829 HDRTOA(15, "xnet", "Cross Net Debugger")
1830 HDRTOA(16, "chaos", "Chaos")
1831 HDRTOA(17, "udp", "User Datagram")
1832 HDRTOA(18, "mux", "Multiplexing")
1833 HDRTOA(19, "dcn-meas", "DCN Measurement Subsystems")
1834 HDRTOA(20, "hmp", "Host Monitoring")
1835 HDRTOA(21, "prm", "Packet Radio Measurement")
1836 HDRTOA(22, "xns-idp", "XEROX NS IDP")
1837 HDRTOA(23, "trunk-1", "Trunk-1")
1838 HDRTOA(24, "trunk-2", "Trunk-2")
1839 HDRTOA(25, "leaf-1", "Leaf-1")
1840 HDRTOA(26, "leaf-2", "Leaf-2")
1841 HDRTOA(27, "rdp", "Reliable Data Protocol")
1842 HDRTOA(28, "irtp", "Internet Reliable Transaction")
1843 HDRTOA(29, "iso-tp4", "ISO Transport Protocol Class 4")
1844 HDRTOA(30, "netblt", "Bulk Data Transfer Protocol")
1845 HDRTOA(31, "mfe-nsp", "MFE Network Services Protocol")
1846 HDRTOA(32, "merit-inp", "MERIT Internodal Protocol")
1847 HDRTOA(33, "dccp", "Datagram Congestion Control Protocol")
1848 HDRTOA(34, "3pc", "Third Party Connect Protocol")
1849 HDRTOA(35, "idpr", "Inter-Domain Policy Routing Protocol")
1850 HDRTOA(36, "xtp", "XTP")
1851 HDRTOA(37, "ddp", "Datagram Delivery Protocol")
1852 HDRTOA(38, "idpr-cmtp", "IDPR Control Message Transport Proto")
1853 HDRTOA(39, "tp++", "TP+")
1854 HDRTOA(40, "il", "IL Transport Protocol")
1855 HDRTOA(41, "ipv6", "Ipv6")
1856 HDRTOA(42, "sdrp", "Source Demand Routing Protocol")
1857 HDRTOA(43, "ipv6-route", "Routing Header for IPv6")
1858 HDRTOA(44, "ipv6-frag", "Fragment Header for IPv6")
1859 HDRTOA(45, "idrp", "Inter-Domain Routing Protocol")
1860 HDRTOA(46, "rsvp", "Reservation Protocol")
1861 HDRTOA(47, "gre", "General Routing Encapsulation")
1862 HDRTOA(48, "dsp", "Dynamic Source Routing Protocol. Historically MHRP")
1863 HDRTOA(49, "bna", "BNA")
1864 HDRTOA(50, "esp", "Encap Security Payload")
1865 HDRTOA(51, "ah", "Authentication Header")
1866 HDRTOA(52, "i-nlsp", "Integrated Net Layer Security TUBA")
1867 HDRTOA(53, "swipe", "IP with Encryption")
1868 HDRTOA(54, "narp", "NBMA Address Resolution Protocol")
1869 HDRTOA(55, "mobile", "IP Mobility")
1870 HDRTOA(56, "tlsp", "Transport Layer Security Protocol using Kryptonet key management")
1871 HDRTOA(57, "skip", "SKIP")
1872 HDRTOA(58, "ipv6-icmp", "ICMP for IPv6")
1873 HDRTOA(59, "ipv6-nonxt", "No Next Header for IPv6")
1874 HDRTOA(60, "ipv6-opts", "Destination Options for IPv6")
1875 HDRTOA(61, "anyhost", "any host internal protocol")
1876 HDRTOA(62, "cftp", "CFTP")
1877 HDRTOA(63, "anylocalnet", "any local network")
1878 HDRTOA(64, "sat-expak", "SATNET and Backroom EXPAK")
1879 HDRTOA(65, "kryptolan", "Kryptolan")
1880 HDRTOA(66, "rvd", "MIT Remote Virtual Disk Protocol")
1881 HDRTOA(67, "ippc", "Internet Pluribus Packet Core")
1882 HDRTOA(68, "anydistribfs", "any distributed file system")
1883 HDRTOA(69, "sat-mon", "SATNET Monitoring")
1884 HDRTOA(70, "visa", "VISA Protocol")
1885 HDRTOA(71, "ipcv", "Internet Packet Core Utility")
1886 HDRTOA(72, "cpnx", "Computer Protocol Network Executive")
1887 HDRTOA(73, "cphb", "Computer Protocol Heart Beat")
1888 HDRTOA(74, "wsn", "Wang Span Network")
1889 HDRTOA(75, "pvp", "Packet Video Protocol")
1890 HDRTOA(76, "br-sat-mon", "Backroom SATNET Monitoring")
1891 HDRTOA(77, "sun-nd", "SUN ND PROTOCOL-Temporary")
1892 HDRTOA(78, "wb-mon", "WIDEBAND Monitoring")
1893 HDRTOA(79, "wb-expak", "WIDEBAND EXPAK")
1894 HDRTOA(80, "iso-ip", "ISO Internet Protocol")
1895 HDRTOA(81, "vmtp", "VMTP")
1896 HDRTOA(82, "secure-vmtp", "SECURE-VMTP")
1897 HDRTOA(83, "vines", "VINES")
1898 HDRTOA(84, "iptm", "Internet Protocol Traffic Manager. Historically TTP")
1899 HDRTOA(85, "nsfnet-igp", "NSFNET-IGP")
1900 HDRTOA(86, "dgp", "Dissimilar Gateway Protocol")
1901 HDRTOA(87, "tcf", "TCF")
1902 HDRTOA(88, "eigrp", "EIGRP")
1903 HDRTOA(89, "ospfigp", "OSPFIGP")
1904 HDRTOA(90, "sprite-rpc", "Sprite RPC Protocol")
1905 HDRTOA(91, "larp", "Locus Address Resolution Protocol")
1906 HDRTOA(92, "mtp", "Multicast Transport Protocol")
1907 HDRTOA(93, "ax.25", "AX.")
1908 HDRTOA(94, "ipip", "IP-within-IP Encapsulation Protocol")
1909 HDRTOA(95, "micp", "Mobile Internetworking Control Pro.")
1910 HDRTOA(96, "scc-sp", "Semaphore Communications Sec.")
1911 HDRTOA(97, "etherip", "Ethernet-within-IP Encapsulation")
1912 HDRTOA(98, "encap", "Encapsulation Header")
1913 HDRTOA(99, "anyencrypt", "any private encryption scheme")
1914 HDRTOA(100, "gmtp", "GMTP")
1915 HDRTOA(101, "ifmp", "Ipsilon Flow Management Protocol")
1916 HDRTOA(102, "pnni", "PNNI over IP")
1917 HDRTOA(103, "pim", "Protocol Independent Multicayst")
1918 HDRTOA(104, "aris", "ARIS")
1919 HDRTOA(105, "scps", "SCPS")
1920 HDRTOA(106, "qnx", "QNX")
1921 HDRTOA(107, "a/n", "Active Networks")
1922 HDRTOA(108, "ipcomp", "IP Payload Compression Protocol")
1923 HDRTOA(109, "snp", "Sitara Networks Protocol")
1924 HDRTOA(110, "compaq-peer", "Compaq Peer Protocol")
1925 HDRTOA(111, "ipx-in-ip", "IPX in IP")
1926 HDRTOA(112, "vrrp", "Virtual Router Redundancy Protocol")
1927 HDRTOA(113, "pgm", "PGM Reliable Transport Protocol")
1928 HDRTOA(114, "any0hop", "any 0-hop protocol")
1929 HDRTOA(115, "l2tp", "Layer Two Tunneling Protocol")
1930 HDRTOA(116, "ddx", "D-II Data Exchange (")
1931 HDRTOA(117, "iatp", "Interactive Agent Transfer Protocol")
1932 HDRTOA(118, "stp", "Schedule Transfer Protocol")
1933 HDRTOA(119, "srp", "SpectraLink Radio Protocol")
1934 HDRTOA(120, "uti", "UTI")
1935 HDRTOA(121, "smp", "Simple Message Protocol")
1936 HDRTOA(122, "sm", "Simple Multicast Protocol")
1937 HDRTOA(123, "ptp", "Performance Transparency Protocol")
1938 HDRTOA(124, "isis-ipv4", "ISIS over IPv4")
1939 HDRTOA(125, "fire", "fire")
1940 HDRTOA(126, "crtp", "Combat Radio Transport Protocol")
1941 HDRTOA(127, "crudp", "Combat Radio User Datagram")
1942 HDRTOA(128, "sscopmce", "sscopmce")
1943 HDRTOA(129, "iplt", "iplt")
1944 HDRTOA(130, "sps", "Secure Packet Shield")
1945 HDRTOA(131, "pipe", "Private IP Encapsulation within IP")
1946 HDRTOA(132, "sctp", "Stream Control Transmission Protocol")
1947 HDRTOA(133, "fc", "Fibre Channel")
1948 HDRTOA(134, "rsvp-e2e-ignore", "rsvp-e2e-ignore")
1949 HDRTOA(135, "mobility-hdr", "Mobility Header")
1950 HDRTOA(136, "udplite", "UDP-Lite [RFC3828]")
1951 HDRTOA(137, "mpls-in-ip", "MPLS-in-IP [RFC4023]")
1952 HDRTOA(138, "manet", "MANET Protocols [RFC5498]")
1953 HDRTOA(139, "hip", "Host Identity Protocol")
1954 HDRTOA(140, "shim6", "Shim6 Protocol [RFC5533]")
1955 HDRTOA(141, "wesp", "Wrapped Encapsulating Security Payload")
1956 HDRTOA(142, "rohc", "Robust Header Compression")
1957 HDRTOA(253, "experimental1", "Use for experimentation and testing")
1958 HDRTOA(254, "experimental2", "Use for experimentation and testing")
1959 default:
1960 strncpy(buffer, acronym ? "unknown" : "Unknown protocol", 128);\
1961 break;
1962
1963 } /* End of switch */
1964
1965
1966 return buffer;
1967
1968 } /* End of nexthdrtoa() */
1969
1970
1971 /* TODO: Needs refactoring */
STRAPP(const char * fmt,...)1972 static inline char* STRAPP(const char *fmt, ...) {
1973 static char buf[256];
1974 static int bp;
1975 int left = (int)sizeof(buf)-bp;
1976 if(!fmt){
1977 bp = 0;
1978 return(buf);
1979 }
1980 if (left <= 0)
1981 return buf;
1982 va_list ap;
1983 va_start(ap, fmt);
1984 bp += Vsnprintf (buf+bp, left, fmt, ap);
1985 va_end(ap);
1986
1987 return(buf);
1988 }
1989
1990 /* TODO: Needs refactoring */
1991 #define HEXDUMP -2
1992 #define UNKNOWN -1
1993
1994 #define BREAK() \
1995 {option_type = HEXDUMP; break;}
1996 #define CHECK(tt) \
1997 if(tt >= option_end) \
1998 {option_type = HEXDUMP; break;}
1999
2000 /* Takes binary data found in the IP Options field of an IPv4 packet
2001 * and returns a string containing an ASCII description of the options
2002 * found. The function returns a pointer to a static buffer that
2003 * subsequent calls will overwrite. On error, NULL is returned. */
format_ip_options(const u8 * ipopt,int ipoptlen)2004 char *format_ip_options(const u8* ipopt, int ipoptlen) {
2005 char ipstring[32];
2006 int option_type = UNKNOWN;// option type
2007 int option_len = 0; // option length
2008 int option_pt = 0; // option pointer
2009 int option_fl = 0; // option flag
2010 const u8 *tptr; // temp pointer
2011 u32 *tint; // temp int
2012
2013 int option_sta = 0; // option start offset
2014 int option_end = 0; // option end offset
2015 int pt = 0; // current offset
2016
2017 // clear buffer
2018 STRAPP(NULL,NULL);
2019
2020 if(!ipoptlen)
2021 return(NULL);
2022
2023 while(pt<ipoptlen){ // for every char in ipopt
2024 // read ip option header
2025 if(option_type == UNKNOWN) {
2026 option_sta = pt;
2027 option_type = ipopt[pt++];
2028 if(option_type != 0 && option_type != 1) { // should we be interested in length field?
2029 if(pt >= ipoptlen) // no more chars
2030 {option_type = HEXDUMP;pt--; option_end = 255; continue;} // no length field, hex dump to the end
2031 option_len = ipopt[pt++];
2032 // end must not be greater than length
2033 option_end = MIN(option_sta + option_len, ipoptlen);
2034 // end must not be smaller than current position
2035 option_end = MAX(option_end, option_sta+2);
2036 }
2037 }
2038 switch(option_type) {
2039 case 0: // IPOPT_END
2040 STRAPP(" EOL", NULL);
2041 option_type = UNKNOWN;
2042 break;
2043 case 1: // IPOPT_NOP
2044 STRAPP(" NOP", NULL);
2045 option_type = UNKNOWN;
2046 break;
2047 /* case 130: // IPOPT_SECURITY
2048 option_type=-1;
2049 break;*/
2050 case 131: // IPOPT_LSRR -> Loose Source and Record Route
2051 case 137: // IPOPT_SSRR -> Strict Source and Record Route
2052 case 7: // IPOPT_RR -> Record Route
2053 if(pt - option_sta == 2) {
2054 STRAPP(" %s%s{", (option_type==131)?"LS":(option_type==137)?"SS":"", "RR");
2055 // option pointer
2056 CHECK(pt);
2057 option_pt = ipopt[pt++];
2058 if(option_pt%4 != 0 || (option_sta + option_pt-1)>option_end || option_pt<4) //bad or too big pointer
2059 STRAPP(" [bad ptr=%02i]", option_pt);
2060 }
2061 if(pt - option_sta > 2) { // ip's
2062 int i, s = (option_pt)%4;
2063 // if pointer is mangled, fix it. it's max 3 bytes wrong
2064 CHECK(pt+3);
2065 for(i=0; i<s; i++)
2066 STRAPP("\\x%02x", ipopt[pt++]);
2067 option_pt -= i;
2068 // okay, now we can start printing ip's
2069 CHECK(pt+3);
2070 tptr = &ipopt[pt]; pt+=4;
2071 if(inet_ntop(AF_INET, (char *) tptr, ipstring, sizeof(ipstring)) == NULL){
2072 return NULL;
2073 }
2074 STRAPP("%c%s",(pt-3-option_sta)==option_pt?'#':' ', ipstring);
2075 if(pt == option_end)
2076 STRAPP("%s",(pt-option_sta)==(option_pt-1)?"#":""); // pointer in the end?
2077 }else BREAK();
2078 break;
2079 case 68: // IPOPT_TS -> Internet Timestamp
2080 if(pt - option_sta == 2){
2081 STRAPP(" TM{");
2082 // pointer
2083 CHECK(pt);
2084 option_pt = ipopt[pt++];
2085 // bad or too big pointer
2086 if(option_pt%4 != 1 || (option_sta + option_pt-1)>option_end || option_pt<5)
2087 STRAPP(" [bad ptr=%02i]", option_pt);
2088 // flags + overflow
2089 CHECK(pt);
2090 option_fl = ipopt[pt++];
2091 if((option_fl&0x0C) || (option_fl&0x03)==2)
2092 STRAPP(" [bad flags=\\x%01hhx]", option_fl&0x0F);
2093 STRAPP("[%i hosts not recorded]", option_fl>>4);
2094 option_fl &= 0x03;
2095 }
2096 if(pt - option_sta > 2) {// ip's
2097 int i, s = (option_pt+3)%(option_fl==0?4:8);
2098 // if pointer is mangled, fix it. it's max 3 bytes wrong
2099 CHECK(pt+(option_fl==0?3:7));
2100 for(i=0; i<s; i++)
2101 STRAPP("\\x%02x", ipopt[pt++]);
2102 option_pt-=i;
2103
2104 // print pt
2105 STRAPP("%c",(pt+1-option_sta)==option_pt?'#':' ');
2106 // okay, first grab ip.
2107 if(option_fl!=0){
2108 CHECK(pt+3);
2109 tptr = &ipopt[pt]; pt+=4;
2110 if(inet_ntop(AF_INET, (char *) tptr, ipstring, sizeof(ipstring)) == NULL){
2111 return NULL;
2112 }
2113 STRAPP("%s@", ipstring);
2114 }
2115 CHECK(pt+3);
2116 tint = (u32*)&ipopt[pt]; pt+=4;
2117 STRAPP("%lu", (unsigned long) ntohl(*tint));
2118
2119 if(pt == option_end)
2120 STRAPP("%s",(pt-option_sta)==(option_pt-1)?"#":" ");
2121 }else BREAK();
2122 break;
2123 case 136: // IPOPT_SATID -> (SANET) Stream Identifier
2124 if(pt - option_sta == 2){
2125 u16 *sh;
2126 STRAPP(" SI{",NULL);
2127 // length
2128 if(option_sta+option_len > ipoptlen || option_len!=4)
2129 STRAPP("[bad len %02i]", option_len);
2130
2131 // stream id
2132 CHECK(pt+1);
2133 sh = (u16*) &ipopt[pt]; pt+=2;
2134 option_pt = ntohs(*sh);
2135 STRAPP("id=%hu", (unsigned short) option_pt);
2136 if(pt != option_end)
2137 BREAK();
2138 }else BREAK();
2139 break;
2140 case UNKNOWN:
2141 default:
2142 // we read option_type and option_len, print them.
2143 STRAPP(" ??{\\x%02hhx\\x%02hhx", option_type, option_len);
2144 // check option_end once more:
2145 if(option_len < ipoptlen)
2146 option_end = MIN(MAX(option_sta+option_len, option_sta+2),ipoptlen);
2147 else
2148 option_end = 255;
2149 option_type = HEXDUMP;
2150 break;
2151 case HEXDUMP:
2152 assert(pt<=option_end);
2153 if(pt == option_end){
2154 STRAPP("}",NULL);
2155 option_type=-1;
2156 break;
2157 }
2158 STRAPP("\\x%02hhx", ipopt[pt++]);
2159 break;
2160 }
2161 if(pt == option_end && option_type != UNKNOWN) {
2162 STRAPP("}",NULL);
2163 option_type = UNKNOWN;
2164 }
2165 } // while
2166 if(option_type != UNKNOWN)
2167 STRAPP("}");
2168
2169 return(STRAPP("",NULL));
2170 }
2171 #undef CHECK
2172 #undef BREAK
2173 #undef UNKNOWN
2174 #undef HEXDUMP
2175
2176
2177
2178 /* Returns a buffer of ASCII information about an IP packet that may
2179 * look like "TCP 127.0.0.1:50923 > 127.0.0.1:3 S ttl=61 id=39516
2180 * iplen=40 seq=625950769" or "ICMP PING (0/1) ttl=61 id=39516 iplen=40".
2181 * Returned buffer is static so it is NOT safe to call this in
2182 * multi-threaded environments without appropriate sync protection, or
2183 * call it twice in the same sentence (eg: as two printf parameters).
2184 * Obviously, the caller should never attempt to free() the buffer. The
2185 * returned buffer is guaranteed to be NULL-terminated but no
2186 * assumptions should be made concerning its length.
2187 *
2188 * The function knows IPv4, IPv6, TCP, UDP, SCTP, ICMP, and ICMPv6.
2189 *
2190 * The output has three different levels of detail. Parameter "detail"
2191 * determines how verbose the output should be. It should take one of
2192 * the following values:
2193 *
2194 * LOW_DETAIL (0x01): Traditional output.
2195 * MEDIUM_DETAIL (0x02): More verbose than traditional.
2196 * HIGH_DETAIL (0x03): Contents of virtually every field of the
2197 * protocol headers .
2198 */
ippackethdrinfo(const u8 * packet,u32 len,int detail)2199 const char *ippackethdrinfo(const u8 *packet, u32 len, int detail) {
2200 struct abstract_ip_hdr hdr;
2201 const u8 *data;
2202 unsigned int datalen;
2203
2204 struct tcp_hdr *tcp = NULL; /* TCP header structure. */
2205 struct udp_hdr *udp = NULL; /* UDP header structure. */
2206 struct sctp_hdr *sctp = NULL; /* SCTP header structure. */
2207 static char protoinfo[1024] = ""; /* Stores final info string. */
2208 char ipinfo[512] = ""; /* Temp info about IP. */
2209 char icmpinfo[512] = ""; /* Temp info about ICMP. */
2210 char icmptype[128] = ""; /* Temp info about ICMP type & code */
2211 char icmpfields[256] = ""; /* Temp info for various ICMP fields */
2212 char fragnfo[64] = ""; /* Temp info about fragmentation. */
2213 char srchost[INET6_ADDRSTRLEN] = ""; /* Src IP in dot-decimal notation. */
2214 char dsthost[INET6_ADDRSTRLEN] = ""; /* Dst IP in dot-decimal notation. */
2215 char *p = NULL; /* Aux pointer. */
2216 int frag_off = 0; /* To compute IP fragment offset. */
2217 int more_fragments = 0; /* True if IP MF flag is set. */
2218 int dont_fragment = 0; /* True if IP DF flag is set. */
2219 int reserved_flag = 0; /* True if IP Reserved flag is set. */
2220
2221 datalen = len;
2222 data = (u8 *) ip_get_data_any(packet, &datalen, &hdr);
2223 if (data == NULL)
2224 return "BOGUS! Can't parse supposed IP packet";
2225
2226
2227 /* Ensure we end up with a valid detail number */
2228 if (detail != LOW_DETAIL && detail != MEDIUM_DETAIL && detail != HIGH_DETAIL)
2229 detail = LOW_DETAIL;
2230
2231 /* IP INFORMATION ************************************************************/
2232 if (hdr.version == 4) { /* IPv4 */
2233 const struct ip *ip;
2234 const struct sockaddr_in *sin;
2235
2236 ip = (struct ip *) packet;
2237
2238 /* Obtain IP source and destination info */
2239 sin = (struct sockaddr_in *) &hdr.src;
2240 inet_ntop(AF_INET, (void *)&sin->sin_addr.s_addr, srchost, sizeof(srchost));
2241 sin = (struct sockaddr_in *) &hdr.dst;
2242 inet_ntop(AF_INET, (void *)&sin->sin_addr.s_addr, dsthost, sizeof(dsthost));
2243
2244 /* Compute fragment offset and check if flags are set */
2245 frag_off = 8 * (ntohs(ip->ip_off) & 8191) /* 2^13 - 1 */;
2246 more_fragments = ntohs(ip->ip_off) & IP_MF;
2247 dont_fragment = ntohs(ip->ip_off) & IP_DF;
2248 reserved_flag = ntohs(ip->ip_off) & IP_RF;
2249
2250 /* Is this a fragmented packet? is it the last fragment? */
2251 if (frag_off || more_fragments) {
2252 Snprintf(fragnfo, sizeof(fragnfo), " frag offset=%d%s", frag_off, more_fragments ? "+" : "");
2253 }
2254
2255 /* Create a string with information relevant to the specified level of detail */
2256 if (detail == LOW_DETAIL) {
2257 Snprintf(ipinfo, sizeof(ipinfo), "ttl=%d id=%hu iplen=%hu%s %s%s%s",
2258 ip->ip_ttl, (unsigned short) ntohs(ip->ip_id), (unsigned short) ntohs(ip->ip_len), fragnfo,
2259 ip->ip_hl==5?"":"ipopts={",
2260 ip->ip_hl==5?"":format_ip_options((u8*) ip + sizeof(struct ip), MIN((unsigned)(ip->ip_hl-5)*4,len-sizeof(struct ip))),
2261 ip->ip_hl==5?"":"}");
2262 } else if (detail == MEDIUM_DETAIL) {
2263 Snprintf(ipinfo, sizeof(ipinfo), "ttl=%d id=%hu proto=%d csum=0x%04x iplen=%hu%s %s%s%s",
2264 ip->ip_ttl, (unsigned short) ntohs(ip->ip_id),
2265 ip->ip_p, ntohs(ip->ip_sum),
2266 (unsigned short) ntohs(ip->ip_len), fragnfo,
2267 ip->ip_hl==5?"":"ipopts={",
2268 ip->ip_hl==5?"":format_ip_options((u8*) ip + sizeof(struct ip), MIN((unsigned)(ip->ip_hl-5)*4,len-sizeof(struct ip))),
2269 ip->ip_hl==5?"":"}");
2270 } else if (detail == HIGH_DETAIL) {
2271 Snprintf(ipinfo, sizeof(ipinfo), "ver=%d ihl=%d tos=0x%02x iplen=%hu id=%hu%s%s%s%s foff=%d%s ttl=%d proto=%d csum=0x%04x%s%s%s",
2272 ip->ip_v, ip->ip_hl,
2273 ip->ip_tos, (unsigned short) ntohs(ip->ip_len),
2274 (unsigned short) ntohs(ip->ip_id),
2275 (reserved_flag||dont_fragment||more_fragments) ? " flg=" : "",
2276 (reserved_flag)? "x" : "",
2277 (dont_fragment)? "D" : "",
2278 (more_fragments)? "M": "",
2279 frag_off, (more_fragments) ? "+" : "",
2280 ip->ip_ttl, ip->ip_p,
2281 ntohs(ip->ip_sum),
2282 ip->ip_hl==5?"":" ipopts={",
2283 ip->ip_hl==5?"":format_ip_options((u8*) ip + sizeof(struct ip), MIN((unsigned)(ip->ip_hl-5)*4,len-sizeof(struct ip))),
2284 ip->ip_hl==5?"":"}");
2285 }
2286 } else { /* IPv6 */
2287 const struct ip6_hdr *ip6;
2288 const struct sockaddr_in6 *sin6;
2289
2290 ip6 = (struct ip6_hdr *) packet;
2291
2292 /* Obtain IP source and destination info */
2293 sin6 = (struct sockaddr_in6 *) &hdr.src;
2294 inet_ntop(AF_INET6, (void *)sin6->sin6_addr.s6_addr, srchost, sizeof(srchost));
2295 sin6 = (struct sockaddr_in6 *) &hdr.dst;
2296 inet_ntop(AF_INET6, (void *)sin6->sin6_addr.s6_addr, dsthost, sizeof(dsthost));
2297
2298 /* Obtain flow label and traffic class */
2299 u32 flow = ntohl(ip6->ip6_flow);
2300 u32 ip6_fl = flow & 0x000fffff;
2301 u32 ip6_tc = (flow & 0x0ff00000) >> 20;
2302
2303 /* Create a string with information relevant to the specified level of detail */
2304 if (detail == LOW_DETAIL) {
2305 Snprintf(ipinfo, sizeof(ipinfo), "hopl=%d flow=%x payloadlen=%hu",
2306 ip6->ip6_hlim, ip6_fl, (unsigned short) ntohs(ip6->ip6_plen));
2307 } else if (detail == MEDIUM_DETAIL) {
2308 Snprintf(ipinfo, sizeof(ipinfo), "hopl=%d tclass=%d flow=%x payloadlen=%hu",
2309 ip6->ip6_hlim, ip6_tc, ip6_fl, (unsigned short) ntohs(ip6->ip6_plen));
2310 } else if (detail==HIGH_DETAIL) {
2311 Snprintf(ipinfo, sizeof(ipinfo), "ver=6, tclass=%x flow=%x payloadlen=%hu nh=%s hopl=%d ",
2312 ip6_tc, ip6_fl, (unsigned short) ntohs(ip6->ip6_plen),
2313 nexthdrtoa(ip6->ip6_nxt, 1), ip6->ip6_hlim);
2314 }
2315 }
2316
2317
2318 /* TCP INFORMATION ***********************************************************/
2319 if (hdr.proto == IPPROTO_TCP) {
2320 char tflags[10];
2321 char tcpinfo[64] = "";
2322 char buf[32];
2323 char tcpoptinfo[256] = "";
2324 tcp = (struct tcp_hdr *) data;
2325
2326 /* Let's parse the TCP header. The following code is very ugly because we
2327 * have to deal with a lot of different situations. We don't want to
2328 * segfault so we have to check every length and every bound to ensure we
2329 * don't read past the packet. We cannot even trust the contents of the
2330 * received packet because, for example, an IPv4 header may state it
2331 * carries a TCP packet but may actually carry nothing at all.
2332 *
2333 * So we distinguish 4 situations. I know the first two are weird but they
2334 * were there when I modified this code so I left them there just in
2335 * case.
2336 * 1. IP datagram is very small or is a fragment where we are missing
2337 * the first part of the TCP header
2338 * 2. IP datagram is a fragment and although we are missing the first
2339 * 8 bytes of the TCP header, we have the rest of it (or some of
2340 * the rest of it)
2341 * 3. IP datagram is NOT a fragment but we don't have the full TCP
2342 * header, we are missing some bytes.
2343 * 4. IP datagram is NOT a fragment and we have at least a full 20
2344 * byte TCP header.
2345 */
2346
2347 /* CASE 1: where we don't have the first 8 bytes of the TCP header because
2348 * either the fragment belongs to somewhere past that or the IP contains
2349 * less than 8 bytes. This also includes empty IP packets that say they
2350 * contain a TCP packet. */
2351 if (frag_off > 8 || datalen < 8) {
2352 Snprintf(protoinfo, sizeof(protoinfo), "TCP %s:?? > %s:?? ?? %s (incomplete)",
2353 srchost, dsthost, ipinfo);
2354 }
2355 /* For all cases after this, datalen is necessarily >= 8 and frag_off is <= 8 */
2356
2357 /* CASE 2: where we are missing the first 8 bytes of the TCP header but we
2358 * have, at least, the next 8 bytes so we can see the ACK number, the
2359 * flags and window size. */
2360 else if (frag_off > 0) {
2361 /* Fragmentation is on 8-byte boundaries, so 8 is the only legal value here. */
2362 assert(frag_off == 8);
2363 tcp = (struct tcp_hdr *)((u8 *) tcp - frag_off); // ugly?
2364
2365 /* TCP Flags */
2366 p = tflags;
2367 /* These are basically in tcpdump order */
2368 if (tcp->th_flags & TH_SYN)
2369 *p++ = 'S';
2370 if (tcp->th_flags & TH_FIN)
2371 *p++ = 'F';
2372 if (tcp->th_flags & TH_RST)
2373 *p++ = 'R';
2374 if (tcp->th_flags & TH_PUSH)
2375 *p++ = 'P';
2376 if (tcp->th_flags & TH_ACK) {
2377 *p++ = 'A';
2378 Snprintf(tcpinfo, sizeof(tcpinfo), " ack=%lu",
2379 (unsigned long) ntohl(tcp->th_ack));
2380 }
2381 if (tcp->th_flags & TH_URG)
2382 *p++ = 'U';
2383 if (tcp->th_flags & TH_ECE)
2384 *p++ = 'E'; /* rfc 2481/3168 */
2385 if (tcp->th_flags & TH_CWR)
2386 *p++ = 'C'; /* rfc 2481/3168 */
2387 *p++ = '\0';
2388
2389 /* TCP Options */
2390 if ((u32) tcp->th_off * 4 > sizeof(struct tcp_hdr)) {
2391 if (datalen < (u32) tcp->th_off * 4 - frag_off) {
2392 Snprintf(tcpoptinfo, sizeof(tcpoptinfo), "option incomplete");
2393 } else {
2394 tcppacketoptinfo((u8*) tcp + sizeof(struct tcp_hdr),
2395 tcp->th_off*4 - sizeof(struct tcp_hdr),
2396 tcpoptinfo, sizeof(tcpoptinfo));
2397 }
2398 }
2399
2400 /* Create a string with TCP information relevant to the specified level of detail */
2401 if (detail == LOW_DETAIL) { Snprintf(protoinfo, sizeof(protoinfo), "TCP %s:?? > %s:?? %s %s %s %s",
2402 srchost, dsthost, tflags, ipinfo, tcpinfo, tcpoptinfo);
2403 } else if (detail == MEDIUM_DETAIL) {
2404 Snprintf(protoinfo, sizeof(protoinfo), "TCP %s:?? > %s:?? %s ack=%lu win=%hu %s IP [%s]",
2405 srchost, dsthost, tflags,
2406 (unsigned long) ntohl(tcp->th_ack), (unsigned short) ntohs(tcp->th_win),
2407 tcpoptinfo, ipinfo);
2408 } else if (detail == HIGH_DETAIL) {
2409 if (datalen >= 12) { /* We have at least bytes 8-20 */
2410 Snprintf(protoinfo, sizeof(protoinfo), "TCP [%s:?? > %s:?? %s seq=%lu ack=%lu off=%d res=%d win=%hu csum=0x%04X urp=%hu%s%s] IP [%s]",
2411 srchost, dsthost, tflags,
2412 (unsigned long) ntohl(tcp->th_seq),
2413 (unsigned long) ntohl(tcp->th_ack),
2414 (u8)tcp->th_off, (u8)tcp->th_x2, (unsigned short) ntohs(tcp->th_win),
2415 ntohs(tcp->th_sum), (unsigned short) ntohs(tcp->th_urp),
2416 (tcpoptinfo[0]!='\0') ? " " : "",
2417 tcpoptinfo, ipinfo);
2418 } else { /* We only have bytes 8-16 */
2419 Snprintf(protoinfo, sizeof(protoinfo), "TCP %s:?? > %s:?? %s ack=%lu win=%hu %s IP [%s]",
2420 srchost, dsthost, tflags,
2421 (unsigned long) ntohl(tcp->th_ack), (unsigned short) ntohs(tcp->th_win),
2422 tcpoptinfo, ipinfo);
2423 }
2424 }
2425 }
2426 /* For all cases after this, frag_off is necessarily 0 */
2427
2428 /* CASE 3: where the IP packet is not a fragment but for some reason, we
2429 * don't have the entire TCP header, just part of it.*/
2430 else if (datalen < 20) {
2431 /* We know we have the first 8 bytes, so what's left? */
2432 /* We only have the first 64 bits: ports and seq number */
2433 if (datalen < 12) {
2434 Snprintf(tcpinfo, sizeof(tcpinfo), "TCP %s:%hu > %s:%hu ?? seq=%lu (incomplete) %s",
2435 srchost, (unsigned short) ntohs(tcp->th_sport), dsthost,
2436 (unsigned short) ntohs(tcp->th_dport), (unsigned long) ntohl(tcp->th_seq), ipinfo);
2437 }
2438
2439 /* We only have the first 96 bits: ports, seq and ack number */
2440 else if (datalen < 16) {
2441 if (detail == LOW_DETAIL) { /* We don't print ACK in low detail */
2442 Snprintf(tcpinfo, sizeof(tcpinfo), "TCP %s:%hu > %s:%hu seq=%lu (incomplete), %s",
2443 srchost, (unsigned short) ntohs(tcp->th_sport), dsthost,
2444 (unsigned short) ntohs(tcp->th_dport), (unsigned long) ntohl(tcp->th_seq), ipinfo);
2445 } else {
2446 Snprintf(tcpinfo, sizeof(tcpinfo), "TCP [%s:%hu > %s:%hu seq=%lu ack=%lu (incomplete)] IP [%s]",
2447 srchost, (unsigned short) ntohs(tcp->th_sport), dsthost,
2448 (unsigned short) ntohs(tcp->th_dport), (unsigned long) ntohl(tcp->th_seq),
2449 (unsigned long) ntohl(tcp->th_ack), ipinfo);
2450 }
2451 }
2452
2453 /* We are missing some part of the last 32 bits (checksum and urgent pointer) */
2454 else {
2455 p = tflags;
2456 /* These are basically in tcpdump order */
2457 if (tcp->th_flags & TH_SYN)
2458 *p++ = 'S';
2459 if (tcp->th_flags & TH_FIN)
2460 *p++ = 'F';
2461 if (tcp->th_flags & TH_RST)
2462 *p++ = 'R';
2463 if (tcp->th_flags & TH_PUSH)
2464 *p++ = 'P';
2465 if (tcp->th_flags & TH_ACK) {
2466 *p++ = 'A';
2467 Snprintf(buf, sizeof(buf), " ack=%lu",
2468 (unsigned long) ntohl(tcp->th_ack));
2469 strncat(tcpinfo, buf, sizeof(tcpinfo) - strlen(tcpinfo) - 1);
2470 }
2471 if (tcp->th_flags & TH_URG)
2472 *p++ = 'U';
2473 if (tcp->th_flags & TH_ECE)
2474 *p++ = 'E'; /* rfc 2481/3168 */
2475 if (tcp->th_flags & TH_CWR)
2476 *p++ = 'C'; /* rfc 2481/3168 */
2477 *p++ = '\0';
2478
2479
2480 /* Create a string with TCP information relevant to the specified level of detail */
2481 if (detail == LOW_DETAIL) { /* We don't print ACK in low detail */
2482 Snprintf(protoinfo, sizeof(protoinfo), "TCP %s:%hu > %s:%hu %s %s seq=%lu win=%hu (incomplete)",
2483 srchost, (unsigned short) ntohs(tcp->th_sport), dsthost, (unsigned short) ntohs(tcp->th_dport),
2484 tflags, ipinfo, (unsigned long) ntohl(tcp->th_seq),
2485 (unsigned short) ntohs(tcp->th_win));
2486 } else if (detail == MEDIUM_DETAIL) {
2487 Snprintf(protoinfo, sizeof(protoinfo), "TCP [%s:%hu > %s:%hu %s seq=%lu ack=%lu win=%hu (incomplete)] IP [%s]",
2488 srchost, (unsigned short) ntohs(tcp->th_sport), dsthost, (unsigned short) ntohs(tcp->th_dport),
2489 tflags, (unsigned long) ntohl(tcp->th_seq),
2490 (unsigned long) ntohl(tcp->th_ack),
2491 (unsigned short) ntohs(tcp->th_win), ipinfo);
2492 } else if (detail == HIGH_DETAIL) {
2493 Snprintf(protoinfo, sizeof(protoinfo), "TCP [%s:%hu > %s:%hu %s seq=%lu ack=%lu off=%d res=%d win=%hu (incomplete)] IP [%s]",
2494 srchost, (unsigned short) ntohs(tcp->th_sport),
2495 dsthost, (unsigned short) ntohs(tcp->th_dport),
2496 tflags, (unsigned long) ntohl(tcp->th_seq),
2497 (unsigned long) ntohl(tcp->th_ack),
2498 (u8)tcp->th_off, (u8)tcp->th_x2, (unsigned short) ntohs(tcp->th_win),
2499 ipinfo);
2500 }
2501 }
2502 }
2503
2504 /* CASE 4: where we (finally!) have a full 20 byte TCP header so we can
2505 * safely print all fields */
2506 else { /* if (datalen >= 20) */
2507
2508 /* TCP Flags */
2509 p = tflags;
2510 /* These are basically in tcpdump order */
2511 if (tcp->th_flags & TH_SYN)
2512 *p++ = 'S';
2513 if (tcp->th_flags & TH_FIN)
2514 *p++ = 'F';
2515 if (tcp->th_flags & TH_RST)
2516 *p++ = 'R';
2517 if (tcp->th_flags & TH_PUSH)
2518 *p++ = 'P';
2519 if (tcp->th_flags & TH_ACK) {
2520 *p++ = 'A';
2521 Snprintf(buf, sizeof(buf), " ack=%lu",
2522 (unsigned long) ntohl(tcp->th_ack));
2523 strncat(tcpinfo, buf, sizeof(tcpinfo) - strlen(tcpinfo) - 1);
2524 }
2525 if (tcp->th_flags & TH_URG)
2526 *p++ = 'U';
2527 if (tcp->th_flags & TH_ECE)
2528 *p++ = 'E'; /* rfc 2481/3168 */
2529 if (tcp->th_flags & TH_CWR)
2530 *p++ = 'C'; /* rfc 2481/3168 */
2531 *p++ = '\0';
2532
2533 /* TCP Options */
2534 if ((u32) tcp->th_off * 4 > sizeof(struct tcp_hdr)) {
2535 if (datalen < (unsigned int) tcp->th_off * 4) {
2536 Snprintf(tcpoptinfo, sizeof(tcpoptinfo), "option incomplete");
2537 } else {
2538 tcppacketoptinfo((u8*) tcp + sizeof(struct tcp_hdr),
2539 tcp->th_off*4 - sizeof(struct tcp_hdr),
2540 tcpoptinfo, sizeof(tcpoptinfo));
2541 }
2542 }
2543
2544 /* Rest of header fields */
2545 if (detail == LOW_DETAIL) {
2546 Snprintf(protoinfo, sizeof(protoinfo), "TCP %s:%hu > %s:%hu %s %s seq=%lu win=%hu %s",
2547 srchost, (unsigned short) ntohs(tcp->th_sport), dsthost, (unsigned short) ntohs(tcp->th_dport),
2548 tflags, ipinfo, (unsigned long) ntohl(tcp->th_seq),
2549 (unsigned short) ntohs(tcp->th_win), tcpoptinfo);
2550 } else if (detail == MEDIUM_DETAIL) {
2551 Snprintf(protoinfo, sizeof(protoinfo), "TCP [%s:%hu > %s:%hu %s seq=%lu win=%hu csum=0x%04X%s%s] IP [%s]",
2552 srchost, (unsigned short) ntohs(tcp->th_sport), dsthost, (unsigned short) ntohs(tcp->th_dport),
2553 tflags, (unsigned long) ntohl(tcp->th_seq),
2554 (unsigned short) ntohs(tcp->th_win), (unsigned short) ntohs(tcp->th_sum),
2555 (tcpoptinfo[0]!='\0') ? " " : "",
2556 tcpoptinfo, ipinfo);
2557 } else if (detail == HIGH_DETAIL) {
2558 Snprintf(protoinfo, sizeof(protoinfo), "TCP [%s:%hu > %s:%hu %s seq=%lu ack=%lu off=%d res=%d win=%hu csum=0x%04X urp=%hu%s%s] IP [%s]",
2559 srchost, (unsigned short) ntohs(tcp->th_sport),
2560 dsthost, (unsigned short) ntohs(tcp->th_dport),
2561 tflags, (unsigned long) ntohl(tcp->th_seq),
2562 (unsigned long) ntohl(tcp->th_ack),
2563 (u8)tcp->th_off, (u8)tcp->th_x2, (unsigned short) ntohs(tcp->th_win),
2564 ntohs(tcp->th_sum), (unsigned short) ntohs(tcp->th_urp),
2565 (tcpoptinfo[0]!='\0') ? " " : "",
2566 tcpoptinfo, ipinfo);
2567 }
2568 }
2569
2570 /* UDP INFORMATION ***********************************************************/
2571 } else if (hdr.proto == IPPROTO_UDP && frag_off) {
2572 Snprintf(protoinfo, sizeof(protoinfo), "UDP %s:?? > %s:?? fragment %s (incomplete)",
2573 srchost, dsthost, ipinfo);
2574 } else if (hdr.proto == IPPROTO_UDP) {
2575 udp = (struct udp_hdr *) data;
2576 /* TODO: See if we can segfault if we receive a fragmented packet whose IP packet does not say a thing about fragmentation */
2577
2578 if (detail == LOW_DETAIL) {
2579 Snprintf(protoinfo, sizeof(protoinfo), "UDP %s:%hu > %s:%hu %s",
2580 srchost, (unsigned short) ntohs(udp->uh_sport), dsthost, (unsigned short) ntohs(udp->uh_dport),
2581 ipinfo);
2582 } else if (detail == MEDIUM_DETAIL) {
2583 Snprintf(protoinfo, sizeof(protoinfo), "UDP [%s:%hu > %s:%hu csum=0x%04X] IP [%s]",
2584 srchost, (unsigned short) ntohs(udp->uh_sport), dsthost, (unsigned short) ntohs(udp->uh_dport), ntohs(udp->uh_sum),
2585 ipinfo);
2586 } else if (detail == HIGH_DETAIL) {
2587 Snprintf(protoinfo, sizeof(protoinfo), "UDP [%s:%hu > %s:%hu len=%hu csum=0x%04X] IP [%s]",
2588 srchost, (unsigned short) ntohs(udp->uh_sport), dsthost, (unsigned short) ntohs(udp->uh_dport),
2589 (unsigned short) ntohs(udp->uh_ulen), ntohs(udp->uh_sum),
2590 ipinfo);
2591 }
2592
2593 /* SCTP INFORMATION **********************************************************/
2594 } else if (hdr.proto == IPPROTO_SCTP && frag_off) {
2595 Snprintf(protoinfo, sizeof(protoinfo), "SCTP %s:?? > %s:?? fragment %s (incomplete)",
2596 srchost, dsthost, ipinfo);
2597 } else if (hdr.proto == IPPROTO_SCTP) {
2598 sctp = (struct sctp_hdr *) data;
2599
2600 if (detail == LOW_DETAIL) {
2601 Snprintf(protoinfo, sizeof(protoinfo), "SCTP %s:%hu > %s:%hu %s",
2602 srchost, (unsigned short) ntohs(sctp->sh_sport), dsthost, (unsigned short) ntohs(sctp->sh_dport),
2603 ipinfo);
2604 } else if (detail == MEDIUM_DETAIL) {
2605 Snprintf(protoinfo, sizeof(protoinfo), "SCTP [%s:%hu > %s:%hu csum=0x%08x] IP [%s]",
2606 srchost, (unsigned short) ntohs(sctp->sh_sport), dsthost, (unsigned short) ntohs(sctp->sh_dport), ntohl(sctp->sh_sum),
2607 ipinfo);
2608 } else if (detail == HIGH_DETAIL) {
2609 Snprintf(protoinfo, sizeof(protoinfo), "SCTP [%s:%hu > %s:%hu vtag=%lu csum=0x%08x] IP [%s]",
2610 srchost, (unsigned short) ntohs(sctp->sh_sport), dsthost, (unsigned short) ntohs(sctp->sh_dport),
2611 (unsigned long) ntohl(sctp->sh_vtag), ntohl(sctp->sh_sum),
2612 ipinfo);
2613 }
2614
2615 /* ICMP INFORMATION **********************************************************/
2616 } else if (hdr.proto == IPPROTO_ICMP && frag_off) {
2617 Snprintf(protoinfo, sizeof(protoinfo), "ICMP %s > %s fragment %s (incomplete)",
2618 srchost, dsthost, ipinfo);
2619 } else if (hdr.proto == IPPROTO_ICMP) {
2620 struct ip *ip2; /* Points to the IP datagram carried by some ICMP messages */
2621 char *ip2dst; /* Dest IP in caried IP datagram */
2622 char auxbuff[128]; /* Aux buffer */
2623 struct icmp_packet{ /* Generic ICMP struct */
2624 u8 type;
2625 u8 code;
2626 u16 checksum;
2627 u8 data[128];
2628 }*icmppkt;
2629 struct ppkt { /* Beginning of ICMP Echo/Timestamp header */
2630 u8 type;
2631 u8 code;
2632 u16 checksum;
2633 u16 id;
2634 u16 seq;
2635 } *ping = NULL;
2636 struct icmp_redir{
2637 u8 type;
2638 u8 code;
2639 u16 checksum;
2640 u32 addr;
2641 } *icmpredir = NULL;
2642 struct icmp_router{
2643 u8 type;
2644 u8 code;
2645 u16 checksum;
2646 u8 addrs;
2647 u8 addrlen;
2648 u16 lifetime;
2649 } *icmprouter = NULL;
2650 struct icmp_param{
2651 u8 type;
2652 u8 code;
2653 u16 checksum;
2654 u8 pnt;
2655 u8 unused;
2656 u16 unused2;
2657 } *icmpparam = NULL;
2658 struct icmp_tstamp{
2659 u8 type;
2660 u8 code;
2661 u16 checksum;
2662 u16 id;
2663 u16 seq;
2664 u32 orig;
2665 u32 recv;
2666 u32 trans;
2667 } *icmptstamp = NULL;
2668 struct icmp_amask{
2669 u8 type;
2670 u8 code;
2671 u16 checksum;
2672 u16 id;
2673 u16 seq;
2674 u32 mask;
2675 } *icmpmask = NULL;
2676
2677 /* Compute the ICMP minimum length. */
2678 unsigned pktlen = 8;
2679
2680 /* We need the ICMP packet to be at least 8 bytes long */
2681 if (pktlen > datalen)
2682 goto icmpbad;
2683
2684 ping = (struct ppkt *) data;
2685 icmppkt = (struct icmp_packet *) data;
2686
2687 switch(icmppkt->type) {
2688 /* Echo Reply **************************/
2689 case 0:
2690 strcpy(icmptype, "Echo reply");
2691 Snprintf(icmpfields, sizeof(icmpfields), "id=%hu seq=%hu", (unsigned short) ntohs(ping->id), (unsigned short) ntohs(ping->seq));
2692 break;
2693
2694 /* Destination Unreachable *************/
2695 case 3:
2696 /* Point to the start of the original datagram */
2697 ip2 = (struct ip *) (data + 8);
2698
2699 /* Check we have a full IP datagram included in the ICMP message */
2700 pktlen += MAX( (ip2->ip_hl * 4), 20);
2701 if (pktlen > datalen) {
2702 if (datalen == 8) {
2703 Snprintf(icmptype, sizeof icmptype, "Destination unreachable%s",
2704 (detail!=LOW_DETAIL)? " (original datagram missing)" : "");
2705 } else {
2706 Snprintf(icmptype, sizeof icmptype, "Destination unreachable%s",
2707 (detail!=LOW_DETAIL)? " (part of original datagram missing)" : "");
2708 }
2709 goto icmpbad;
2710 }
2711
2712 /* Basic check to ensure we have an IPv4 datagram attached */
2713 /* TODO: We should actually check the datagram checksum to
2714 * see if it validates because just checking the version number
2715 * is not enough. On average, if we get random data 1 out of
2716 * 16 (2^4bits) times we will have value 4. */
2717 if ((ip2->ip_v != 4) || ((ip2->ip_hl * 4) < 20) || ((ip2->ip_hl * 4) > 60)) {
2718 Snprintf(icmptype, sizeof icmptype, "Destination unreachable (bogus original datagram)");
2719 goto icmpbad;
2720 } else {
2721 /* We have the original datagram + the first 8 bytes of the
2722 * transport layer header */
2723 if (pktlen + 8 < datalen) {
2724 tcp = (struct tcp_hdr *) ((char *) ip2 + (ip2->ip_hl * 4));
2725 udp = (struct udp_hdr *) ((char *) ip2 + (ip2->ip_hl * 4));
2726 sctp = (struct sctp_hdr *) ((char *) ip2 + (ip2->ip_hl * 4));
2727 }
2728 }
2729
2730 /* Determine the IP the original datagram was sent to */
2731 ip2dst = inet_ntoa(ip2->ip_dst);
2732
2733 /* Determine type of Destination unreachable from the code value */
2734 switch (icmppkt->code) {
2735 case 0:
2736 Snprintf(icmptype, sizeof icmptype, "Network %s unreachable", ip2dst);
2737 break;
2738
2739 case 1:
2740 Snprintf(icmptype, sizeof icmptype, "Host %s unreachable", ip2dst);
2741 break;
2742
2743 case 2:
2744 Snprintf(icmptype, sizeof icmptype, "Protocol %u unreachable", ip2->ip_p);
2745 break;
2746
2747 case 3:
2748 if (pktlen + 8 < datalen) {
2749 if (ip2->ip_p == IPPROTO_UDP && udp)
2750 Snprintf(icmptype, sizeof icmptype, "Port %hu unreachable", (unsigned short) ntohs(udp->uh_dport));
2751 else if (ip2->ip_p == IPPROTO_TCP && tcp)
2752 Snprintf(icmptype, sizeof icmptype, "Port %hu unreachable", (unsigned short) ntohs(tcp->th_dport));
2753 else if (ip2->ip_p == IPPROTO_SCTP && sctp)
2754 Snprintf(icmptype, sizeof icmptype, "Port %hu unreachable", (unsigned short) ntohs(sctp->sh_dport));
2755 else
2756 Snprintf(icmptype, sizeof icmptype, "Port unreachable (unknown protocol %u)", ip2->ip_p);
2757 }
2758 else
2759 strcpy(icmptype, "Port unreachable");
2760 break;
2761
2762 case 4:
2763 strcpy(icmptype, "Fragmentation required");
2764 Snprintf(icmpfields, sizeof(icmpfields), "Next-Hop-MTU=%d", icmppkt->data[2]<<8 | icmppkt->data[3]);
2765 break;
2766
2767 case 5:
2768 strcpy(icmptype, "Source route failed");
2769 break;
2770
2771 case 6:
2772 Snprintf(icmptype, sizeof icmptype, "Destination network %s unknown", ip2dst);
2773 break;
2774
2775 case 7:
2776 Snprintf(icmptype, sizeof icmptype, "Destination host %s unknown", ip2dst);
2777 break;
2778
2779 case 8:
2780 strcpy(icmptype, "Source host isolated");
2781 break;
2782
2783 case 9:
2784 Snprintf(icmptype, sizeof icmptype, "Destination network %s administratively prohibited", ip2dst);
2785 break;
2786
2787 case 10:
2788 Snprintf(icmptype, sizeof icmptype, "Destination host %s administratively prohibited", ip2dst);
2789 break;
2790
2791 case 11:
2792 Snprintf(icmptype, sizeof icmptype, "Network %s unreachable for TOS", ip2dst);
2793 break;
2794
2795 case 12:
2796 Snprintf(icmptype, sizeof icmptype, "Host %s unreachable for TOS", ip2dst);
2797 break;
2798
2799 case 13:
2800 strcpy(icmptype, "Communication administratively prohibited by filtering");
2801 break;
2802
2803 case 14:
2804 strcpy(icmptype, "Host precedence violation");
2805 break;
2806
2807 case 15:
2808 strcpy(icmptype, "Precedence cutoff in effect");
2809 break;
2810
2811 default:
2812 strcpy(icmptype, "Destination unreachable (unknown code)");
2813 break;
2814 } /* End of ICMP Code switch */
2815 break;
2816
2817
2818 /* Source Quench ***********************/
2819 case 4:
2820 strcpy(icmptype, "Source quench");
2821 break;
2822
2823 /* Redirect ****************************/
2824 case 5:
2825 if (ping->code == 0)
2826 strcpy(icmptype, "Network redirect");
2827 else if (ping->code == 1)
2828 strcpy(icmptype, "Host redirect");
2829 else
2830 strcpy(icmptype, "Redirect (unknown code)");
2831 icmpredir = (struct icmp_redir *) icmppkt;
2832 inet_ntop(AF_INET, &icmpredir->addr, auxbuff, sizeof(auxbuff));
2833 Snprintf(icmpfields, sizeof(icmpfields), "addr=%s", auxbuff);
2834 break;
2835
2836 /* Echo Request ************************/
2837 case 8:
2838 strcpy(icmptype, "Echo request");
2839 Snprintf(icmpfields, sizeof(icmpfields), "id=%hu seq=%hu", (unsigned short) ntohs(ping->id), (unsigned short) ntohs(ping->seq));
2840 break;
2841
2842 /* Router Advertisement ****************/
2843 case 9:
2844 if (icmppkt->code == 16)
2845 strcpy(icmptype, "Router advertisement (Mobile Agent Only)");
2846 else
2847 strcpy(icmptype, "Router advertisement");
2848 icmprouter = (struct icmp_router *) icmppkt;
2849 Snprintf(icmpfields, sizeof(icmpfields), "addrs=%u addrlen=%u lifetime=%hu",
2850 icmprouter->addrs,
2851 icmprouter->addrlen,
2852 (unsigned short) ntohs(icmprouter->lifetime));
2853 break;
2854
2855 /* Router Solicitation *****************/
2856 case 10:
2857 strcpy(icmptype, "Router solicitation");
2858 break;
2859
2860 /* Time Exceeded ***********************/
2861 case 11:
2862 if (icmppkt->code == 0)
2863 strcpy(icmptype, "TTL=0 during transit");
2864 else if (icmppkt->code == 1)
2865 strcpy(icmptype, "TTL=0 during reassembly");
2866 else
2867 strcpy(icmptype, "TTL exceeded (unknown code)");
2868 break;
2869
2870 /* Parameter Problem *******************/
2871 case 12:
2872 if (ping->code == 0)
2873 strcpy(icmptype, "Parameter problem (pointer indicates error)");
2874 else if (ping->code == 1)
2875 strcpy(icmptype, "Parameter problem (option missing)");
2876 else if (ping->code == 2)
2877 strcpy(icmptype, "Parameter problem (bad length)");
2878 else
2879 strcpy(icmptype, "Parameter problem (unknown code)");
2880 icmpparam = (struct icmp_param *) icmppkt;
2881 Snprintf(icmpfields, sizeof(icmpfields), "pointer=%d", icmpparam->pnt);
2882 break;
2883
2884 /* Timestamp Request/Reply *************/
2885 case 13:
2886 case 14:
2887 Snprintf(icmptype, sizeof(icmptype), "Timestamp %s", (icmppkt->type == 13)? "request" : "reply");
2888 icmptstamp = (struct icmp_tstamp *) icmppkt;
2889 Snprintf(icmpfields, sizeof(icmpfields), "id=%hu seq=%hu orig=%lu recv=%lu trans=%lu",
2890 (unsigned short) ntohs(icmptstamp->id), (unsigned short) ntohs(icmptstamp->seq),
2891 (unsigned long) ntohl(icmptstamp->orig),
2892 (unsigned long) ntohl(icmptstamp->recv),
2893 (unsigned long) ntohl(icmptstamp->trans));
2894 break;
2895
2896 /* Information Request *****************/
2897 case 15:
2898 strcpy(icmptype, "Information request");
2899 Snprintf(icmpfields, sizeof(icmpfields), "id=%hu seq=%hu", (unsigned short) ntohs(ping->id), (unsigned short) ntohs(ping->seq));
2900 break;
2901
2902 /* Information Reply *******************/
2903 case 16:
2904 strcpy(icmptype, "Information reply");
2905 Snprintf(icmpfields, sizeof(icmpfields), "id=%hu seq=%hu", (unsigned short) ntohs(ping->id), (unsigned short) ntohs(ping->seq));
2906 break;
2907
2908 /* Netmask Request/Reply ***************/
2909 case 17:
2910 case 18:
2911 Snprintf(icmptype, sizeof(icmptype), "Address mask %s", (icmppkt->type == 17)? "request" : "reply");
2912 icmpmask = (struct icmp_amask *) icmppkt;
2913 inet_ntop(AF_INET, &icmpmask->mask, auxbuff, sizeof(auxbuff));
2914 Snprintf(icmpfields, sizeof(icmpfields), "id=%u seq=%u mask=%s",
2915 (unsigned short) ntohs(ping->id), (unsigned short) ntohs(ping->seq), auxbuff);
2916 break;
2917
2918 /* Traceroute **************************/
2919 case 30:
2920 strcpy(icmptype, "Traceroute");
2921 break;
2922
2923 /* Domain Name Request *****************/
2924 case 37:
2925 strcpy(icmptype, "Domain name request");
2926 break;
2927
2928 /* Domain Name Reply *******************/
2929 case 38:
2930 strcpy(icmptype, "Domain name reply");
2931 break;
2932
2933 /* Security ****************************/
2934 case 40:
2935 strcpy(icmptype, "Security failures"); /* rfc 2521 */
2936 break;
2937
2938 default:
2939 strcpy(icmptype, "Unknown type"); break;
2940 break;
2941 } /* End of ICMP Type switch */
2942
2943 if (pktlen > datalen) {
2944 icmpbad:
2945 if (ping) {
2946 /* We still have this information */
2947 Snprintf(protoinfo, sizeof(protoinfo), "ICMP %s > %s %s (type=%d/code=%d) %s",
2948 srchost, dsthost, icmptype, ping->type, ping->code, ipinfo);
2949 } else {
2950 Snprintf(protoinfo, sizeof(protoinfo), "ICMP %s > %s [??] %s",
2951 srchost, dsthost, ipinfo);
2952 }
2953 } else {
2954 if (ping)
2955 sprintf(icmpinfo,"type=%d/code=%d", ping->type, ping->code);
2956 else
2957 strncpy(icmpinfo,"type=?/code=?", sizeof(icmpinfo));
2958
2959 Snprintf(protoinfo, sizeof(protoinfo), "ICMP [%s > %s %s (%s) %s] IP [%s]",
2960 srchost, dsthost, icmptype, icmpinfo, icmpfields, ipinfo);
2961 }
2962
2963 } else if (hdr.proto == IPPROTO_ICMPV6) {
2964 if (datalen > sizeof(struct icmpv6_hdr)) {
2965 const struct icmpv6_hdr *icmpv6;
2966
2967 icmpv6 = (struct icmpv6_hdr *) data;
2968 Snprintf(protoinfo, sizeof(protoinfo), "ICMPv6 (%d) %s > %s (type=%d/code=%d) %s",
2969 hdr.proto, srchost, dsthost,
2970 icmpv6->icmpv6_type, icmpv6->icmpv6_code, ipinfo);
2971 }
2972 else {
2973 Snprintf(protoinfo, sizeof(protoinfo), "ICMPv6 (%d) %s > %s (type=?/code=?) %s",
2974 hdr.proto, srchost, dsthost, ipinfo);
2975 }
2976 } else {
2977 /* UNKNOWN PROTOCOL **********************************************************/
2978 const char *hdrstr;
2979
2980 hdrstr = nexthdrtoa(hdr.proto, 1);
2981 if (hdrstr == NULL || *hdrstr == '\0') {
2982 Snprintf(protoinfo, sizeof(protoinfo), "Unknown protocol (%d) %s > %s: %s",
2983 hdr.proto, srchost, dsthost, ipinfo);
2984 } else {
2985 Snprintf(protoinfo, sizeof(protoinfo), "%s (%d) %s > %s: %s",
2986 hdrstr, hdr.proto, srchost, dsthost, ipinfo);
2987 }
2988 }
2989
2990 return protoinfo;
2991 }
2992
2993
2994 #ifdef HAVE_LINUX_RTNETLINK_H
2995 /* Fill in a sockaddr_storage given an address family and raw address. */
set_sockaddr(struct sockaddr_storage * ss,int af,void * data)2996 static int set_sockaddr(struct sockaddr_storage *ss, int af, void *data) {
2997 struct sockaddr_in *sin;
2998 struct sockaddr_in6 *sin6;
2999
3000 ss->ss_family = af;
3001 if (af == AF_INET) {
3002 sin = (struct sockaddr_in *) ss;
3003 memcpy(&sin->sin_addr.s_addr, data, IP_ADDR_LEN);
3004 } else if (af == AF_INET6) {
3005 sin6 = (struct sockaddr_in6 *) ss;
3006 memcpy(sin6->sin6_addr.s6_addr, data, IP6_ADDR_LEN);
3007 } else {
3008 return -1;
3009 }
3010
3011 return 0;
3012 }
3013
3014 /* Add rtattrs to a netlink message specifying a source or destination address.
3015 rta_type must be RTA_SRC or RTA_DST. This function adds either 1 or 2
3016 rtattrs: it always adds either an RTA_SRC or RTA_DST, depending on rta_type.
3017 If ifindex is not 0, it is the index of the interface to use. The function
3018 adds either RTA_OIF if rta_type is RTA_DST, and either of ifindex and
3019 sin6_scope_id is nonzero. */
add_rtattr_addr(struct nlmsghdr * nlmsg,struct rtattr ** rtattr,unsigned int * len,unsigned char rta_type,const struct sockaddr_storage * ss,int ifindex)3020 static void add_rtattr_addr(struct nlmsghdr *nlmsg,
3021 struct rtattr **rtattr, unsigned int *len,
3022 unsigned char rta_type,
3023 const struct sockaddr_storage *ss,
3024 int ifindex) {
3025 struct rtmsg *rtmsg;
3026 const void *addr;
3027 size_t addrlen;
3028
3029 assert(rta_type == RTA_SRC || rta_type == RTA_DST);
3030
3031 if (rta_type == RTA_SRC) {
3032 /* Ignore the interface specification if we are setting an RTA_SRC attribute
3033 (it may still get set by the scope_id below). */
3034 ifindex = 0;
3035 }
3036
3037 if (ss->ss_family == AF_INET) {
3038 addr = &((struct sockaddr_in *) ss)->sin_addr.s_addr;
3039 addrlen = IP_ADDR_LEN;
3040 } else if (ss->ss_family == AF_INET6) {
3041 const struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) ss;
3042
3043 addr = sin6->sin6_addr.s6_addr;
3044 addrlen = IP6_ADDR_LEN;
3045 if (ifindex == 0)
3046 ifindex = sin6->sin6_scope_id;
3047 } else {
3048 netutil_fatal("%s: unknown address family %d", __func__, ss->ss_family);
3049 }
3050
3051 rtmsg = (struct rtmsg *) (nlmsg + 1);
3052 if (rta_type == RTA_SRC)
3053 rtmsg->rtm_src_len = addrlen * 8;
3054 else
3055 rtmsg->rtm_dst_len = addrlen * 8;
3056
3057 /* Add an rtattr for the address. */
3058 (*rtattr)->rta_type = rta_type;
3059 (*rtattr)->rta_len = RTA_LENGTH(addrlen);
3060 assert(RTA_OK(*rtattr, *len));
3061 memcpy(RTA_DATA(*rtattr), addr, addrlen);
3062 nlmsg->nlmsg_len = NLMSG_ALIGN(nlmsg->nlmsg_len) + (*rtattr)->rta_len;
3063 *rtattr = RTA_NEXT(*rtattr, *len);
3064
3065 /* Specific interface (sin6_scope_id) requested? */
3066 if (ifindex > 0) {
3067 /* Add an rtattr for the interface. */
3068 if (rta_type == RTA_SRC)
3069 (*rtattr)->rta_type = RTA_IIF;
3070 else
3071 (*rtattr)->rta_type = RTA_OIF;
3072 (*rtattr)->rta_len = RTA_LENGTH(sizeof(uint32_t));
3073 assert(RTA_OK(*rtattr, *len));
3074 *(uint32_t *) RTA_DATA(*rtattr) = ifindex;
3075 nlmsg->nlmsg_len = NLMSG_ALIGN(nlmsg->nlmsg_len) + (*rtattr)->rta_len;
3076 *rtattr = RTA_NEXT(*rtattr, *len);
3077 }
3078 }
3079
3080 /* Does route_dst using the Linux-specific rtnetlink interface. See rtnetlink(3)
3081 and rtnetlink(7). */
route_dst_netlink(const struct sockaddr_storage * dst,struct route_nfo * rnfo,const char * device,const struct sockaddr_storage * spoofss)3082 static int route_dst_netlink(const struct sockaddr_storage *dst,
3083 struct route_nfo *rnfo, const char *device,
3084 const struct sockaddr_storage *spoofss) {
3085 struct sockaddr_nl snl;
3086 struct msghdr msg;
3087 struct iovec iov;
3088 struct nlmsghdr *nlmsg;
3089 struct rtmsg *rtmsg;
3090 struct rtattr *rtattr;
3091 int intf_index;
3092 unsigned char buf[512];
3093 unsigned int len;
3094 int fd, rc;
3095
3096 fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
3097 if (fd == -1)
3098 netutil_fatal("%s: cannot create AF_NETLINK socket: %s", __func__, strerror(errno));
3099
3100 memset(&snl, 0, sizeof(snl));
3101 snl.nl_family = AF_NETLINK;
3102
3103 rc = bind(fd, (struct sockaddr *) &snl, sizeof(snl));
3104 if (rc == -1)
3105 netutil_fatal("%s: cannot bind AF_NETLINK socket: %s", __func__, strerror(errno));
3106
3107 struct interface_info *ii;
3108 ii = NULL;
3109 intf_index = 0;
3110 if (device != NULL && device[0] != '\0') {
3111 ii = getInterfaceByName(device, dst->ss_family);
3112 if (ii == NULL)
3113 netutil_fatal("Could not find interface %s which was specified by -e", device);
3114 intf_index = ii->ifindex;
3115 }
3116
3117 memset(buf, 0, sizeof(buf));
3118
3119 nlmsg = (struct nlmsghdr *) buf;
3120
3121 nlmsg->nlmsg_len = NLMSG_LENGTH(sizeof(*rtmsg));
3122 assert(nlmsg->nlmsg_len <= sizeof(buf));
3123 nlmsg->nlmsg_flags = NLM_F_REQUEST;
3124 nlmsg->nlmsg_type = RTM_GETROUTE;
3125
3126 rtmsg = (struct rtmsg *) (nlmsg + 1);
3127 rtmsg->rtm_family = dst->ss_family;
3128
3129 rtattr = RTM_RTA(rtmsg);
3130 len = sizeof(buf) - ((unsigned char *) RTM_RTA(rtmsg) - buf);
3131
3132 /* Add rtattrs for destination address and interface. */
3133 add_rtattr_addr(nlmsg, &rtattr, &len, RTA_DST, dst, intf_index);
3134 if (spoofss != NULL) {
3135 /* Add rtattrs for source address and interface. */
3136 add_rtattr_addr(nlmsg, &rtattr, &len, RTA_SRC, spoofss, intf_index);
3137 }
3138
3139 iov.iov_base = nlmsg;
3140 iov.iov_len = nlmsg->nlmsg_len;
3141
3142 memset(&msg, 0, sizeof(msg));
3143 msg.msg_name = &snl;
3144 msg.msg_namelen = sizeof(snl);
3145 msg.msg_iov = &iov;
3146 msg.msg_iovlen = 1;
3147
3148 rc = sendmsg(fd, &msg, 0);
3149 if (rc == -1)
3150 netutil_fatal("%s: cannot sendmsg: %s", __func__, strerror(errno));
3151
3152 iov.iov_base = buf;
3153 iov.iov_len = sizeof(buf);
3154
3155 len = recvmsg(fd, &msg, 0);
3156 if (len <= 0)
3157 netutil_fatal("%s: cannot recvmsg: %s", __func__, strerror(errno));
3158
3159 close(fd);
3160
3161 if (nlmsg->nlmsg_len < sizeof(*nlmsg) || (unsigned int) len < NLMSG_LENGTH(sizeof(*nlmsg)))
3162 netutil_fatal("%s: wrong size reply in recvmsg", __func__);
3163 len -= NLMSG_LENGTH(sizeof(*nlmsg));
3164
3165 /* See rtnetlink(7). Anything matching this route is actually unroutable. */
3166 if (rtmsg->rtm_type == RTN_UNREACHABLE)
3167 return 0;
3168
3169 /* Default values to be possibly overridden. */
3170 rnfo->direct_connect = 1;
3171 rnfo->nexthop.ss_family = AF_UNSPEC;
3172 rnfo->srcaddr.ss_family = AF_UNSPEC;
3173 if (spoofss != NULL)
3174 rnfo->srcaddr = *spoofss;
3175
3176 for (rtattr = RTM_RTA(rtmsg); RTA_OK(rtattr, len); rtattr = RTA_NEXT(rtattr, len)) {
3177 if (rtattr->rta_type == RTA_GATEWAY) {
3178 rc = set_sockaddr(&rnfo->nexthop, dst->ss_family, RTA_DATA(rtattr));
3179 assert(rc != -1);
3180 /* Don't consider it directly connected if nexthop != dst. */
3181 if (!sockaddr_storage_equal(dst, &rnfo->nexthop))
3182 rnfo->direct_connect = 0;
3183 } else if (rtattr->rta_type == RTA_OIF && ii == NULL) {
3184 char namebuf[IFNAMSIZ];
3185 char *p;
3186 int intf_index;
3187
3188 intf_index = *(int *) RTA_DATA(rtattr);
3189 p = if_indextoname(intf_index, namebuf);
3190 assert(p != NULL);
3191 ii = getInterfaceByName(namebuf, dst->ss_family);
3192 if (ii == NULL)
3193 ii = getInterfaceByName(namebuf, AF_UNSPEC);
3194 if (ii == NULL)
3195 netutil_fatal("%s: can't find interface \"%s\"", __func__, namebuf);
3196 } else if (rtattr->rta_type == RTA_PREFSRC && rnfo->srcaddr.ss_family == AF_UNSPEC) {
3197 rc = set_sockaddr(&rnfo->srcaddr, dst->ss_family, RTA_DATA(rtattr));
3198 assert(rc != -1);
3199 }
3200 }
3201
3202 if (ii != NULL) {
3203 rnfo->ii = *ii;
3204 return 1;
3205 } else {
3206 return 0;
3207 }
3208 }
3209
3210 #else
3211
find_loopback_iface(struct interface_info * ifaces,int numifaces)3212 static struct interface_info *find_loopback_iface(struct interface_info *ifaces,
3213 int numifaces) {
3214 int i;
3215
3216 for (i = 0; i < numifaces; i++) {
3217 if (ifaces[i].device_type == devt_loopback)
3218 return &ifaces[i];
3219 }
3220
3221 return NULL;
3222 }
3223
3224 /* Get the source address for routing to dst by creating a socket and asking the
3225 operating system for the local address. */
get_srcaddr(const struct sockaddr_storage * dst,struct sockaddr_storage * src)3226 static int get_srcaddr(const struct sockaddr_storage *dst,
3227 struct sockaddr_storage *src)
3228 {
3229 static const unsigned short DUMMY_PORT = 1234;
3230 struct sockaddr_storage dst_dummy;
3231 size_t dst_dummy_len;
3232 socklen_t len;
3233 int fd, rc;
3234
3235 fd = socket(dst->ss_family, SOCK_DGRAM, 0);
3236 if (fd == -1)
3237 netutil_fatal("%s: can't create socket: %s", __func__, socket_strerror(socket_errno()));
3238
3239 dst_dummy = *dst;
3240 if (dst_dummy.ss_family == AF_INET) {
3241 struct sockaddr_in *sin = (struct sockaddr_in *) &dst_dummy;
3242 sin->sin_port = htons(DUMMY_PORT);
3243 dst_dummy_len = sizeof(*sin);
3244 } else if (dst_dummy.ss_family == AF_INET6) {
3245 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) &dst_dummy;
3246 sin6->sin6_port = htons(DUMMY_PORT);
3247 dst_dummy_len = sizeof(*sin6);
3248 } else {
3249 goto bail;
3250 }
3251
3252 rc = connect(fd, (struct sockaddr *) &dst_dummy, dst_dummy_len);
3253 if (rc == -1) {
3254 netutil_error("%s: can't connect socket: %s", __func__, socket_strerror(socket_errno()));
3255 if (dst->ss_family == AF_INET6) {
3256 struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) &dst_dummy;
3257 if (sin6->sin6_scope_id == 0)
3258 netutil_error("Do you need an IPv6 zone ID suffix (e.g. %%eth0 or %%1)?");
3259 }
3260 goto bail;
3261 }
3262
3263 len = sizeof(*src);
3264 rc = getsockname(fd, (struct sockaddr *) src, &len);
3265 if (rc == -1)
3266 netutil_fatal("%s: can't getsockname: %s", __func__, socket_strerror(socket_errno()));
3267
3268 close(fd);
3269 return 0;
3270
3271 bail:
3272 close(fd);
3273 return -1;
3274 }
3275
lookup_ifindex(unsigned int index,int af,char * namebuf,size_t len)3276 static char *lookup_ifindex(unsigned int index, int af, char *namebuf, size_t len) {
3277 intf_t *it;
3278 struct intf_entry entry;
3279 int rc;
3280
3281 it = intf_open();
3282 assert(it != NULL);
3283 entry.intf_len = sizeof(entry);
3284 rc = intf_get_index(it, &entry, af, index);
3285 intf_close(it);
3286 if (rc == -1)
3287 return NULL;
3288
3289 Strncpy(namebuf, entry.intf_name, len);
3290 return namebuf;
3291 }
3292
route_dst_generic(const struct sockaddr_storage * dst,struct route_nfo * rnfo,const char * device,const struct sockaddr_storage * spoofss)3293 static int route_dst_generic(const struct sockaddr_storage *dst,
3294 struct route_nfo *rnfo, const char *device,
3295 const struct sockaddr_storage *spoofss) {
3296 struct interface_info *ifaces;
3297 struct interface_info *iface;
3298 int numifaces = 0;
3299 struct sys_route *routes;
3300 int numroutes = 0;
3301 int i;
3302 char namebuf[32];
3303 char errstr[256];
3304 errstr[0]='\0';
3305
3306 if (!dst)
3307 netutil_fatal("%s passed a NULL dst address", __func__);
3308
3309 if(spoofss!=NULL){
3310 /* Throughout the rest of this function we only change rnfo->srcaddr if the source isn't spoofed */
3311 memcpy(&rnfo->srcaddr, spoofss, sizeof(rnfo->srcaddr));
3312 /* The device corresponding to this spoofed address should already have been set elsewhere. */
3313 assert(device!=NULL && device[0]!='\0');
3314 }
3315
3316 if (device == NULL || device[0] == '\0') {
3317 /* Check if there is an interface scope on the address which we must use. */
3318 if (dst->ss_family == AF_INET6) {
3319 const struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) dst;
3320 if (sin6->sin6_scope_id > 0) {
3321 device = lookup_ifindex(sin6->sin6_scope_id, sin6->sin6_family, namebuf, sizeof(namebuf));
3322 if (device == NULL) {
3323 netutil_error("Could not find interface with index %u", (unsigned int) sin6->sin6_scope_id);
3324 return 0;
3325 }
3326 }
3327 }
3328 }
3329
3330 if (device!=NULL && device[0]!='\0'){
3331 iface = getInterfaceByName(device, dst->ss_family);
3332 if (!iface)
3333 netutil_fatal("Could not find interface %s", device);
3334 } else {
3335 iface = NULL;
3336 }
3337
3338 if((routes=getsysroutes(&numroutes, errstr, sizeof(errstr)))==NULL)
3339 netutil_fatal("%s: Failed to obtain system routes: %s", __func__, errstr);
3340 if((ifaces=getinterfaces(&numifaces, errstr, sizeof(errstr)))==NULL)
3341 netutil_fatal("%s: Failed to obtain system interfaces: %s", __func__, errstr);
3342
3343 /* First check if dst is one of the localhost's own addresses. We need to use
3344 a localhost device for these. */
3345 for (i = 0; i < numifaces; i++) {
3346 struct interface_info *loopback;
3347
3348 if (!sockaddr_equal(dst, &ifaces[i].addr))
3349 continue;
3350
3351 if (ifaces[i].device_type == devt_loopback)
3352 loopback = &ifaces[i];
3353 else
3354 loopback = find_loopback_iface(ifaces, numifaces);
3355 if (loopback == NULL)
3356 /* Hmmm ... no localhost -- move on to the routing table. */
3357 break;
3358
3359 if (iface != NULL && strcmp(loopback->devname, iface->devname) != 0)
3360 continue;
3361
3362 if (iface == NULL && !loopback->device_up)
3363 continue;
3364
3365 rnfo->ii = *loopback;
3366 rnfo->direct_connect = 1;
3367 /* But the source address we want to use is the target address. */
3368 if (!spoofss) {
3369 if (get_srcaddr(dst, &rnfo->srcaddr) == -1)
3370 rnfo->srcaddr = rnfo->ii.addr;
3371 }
3372
3373 return 1;
3374 }
3375
3376 /* Go through the routing table and take the first match. getsysroutes sorts
3377 so more-specific routes come first. */
3378 for (i = 0; i < numroutes; i++) {
3379 if (!sockaddr_equal_netmask(dst, &routes[i].dest, routes[i].netmask_bits))
3380 continue;
3381 /* Ignore routes that aren't on the device we specified. */
3382 if (iface != NULL && strcmp(routes[i].device->devname, iface->devname) != 0)
3383 continue;
3384
3385 if (iface == NULL && !routes[i].device->device_up)
3386 continue;
3387
3388 rnfo->ii = *routes[i].device;
3389 /* At this point we don't whether this route is direct or indirect ("G" flag
3390 in netstat). We guess that a route is direct when the gateway address is
3391 0.0.0.0 or ::, when it exactly matches the interface address, or when it
3392 exactly matches the destination address. */
3393 rnfo->direct_connect = (sockaddr_equal_zero(&routes[i].gw) ||
3394 sockaddr_equal(&routes[i].gw, &routes[i].device->addr) ||
3395 sockaddr_equal(&routes[i].gw, dst));
3396 if (!spoofss) {
3397 if (get_srcaddr(dst, &rnfo->srcaddr) == -1)
3398 rnfo->srcaddr = rnfo->ii.addr;
3399 }
3400 rnfo->nexthop = routes[i].gw;
3401
3402 return 1;
3403 }
3404
3405 /* No match on routes. Try interfaces directly. */
3406 for (i = 0; i < numifaces; i++) {
3407 if (!sockaddr_equal_netmask(dst, &ifaces[i].addr, ifaces[i].netmask_bits))
3408 continue;
3409 if (iface != NULL && strcmp(ifaces[i].devname, iface->devname) != 0)
3410 continue;
3411
3412 if (iface == NULL && !ifaces[i].device_up)
3413 continue;
3414
3415 rnfo->ii = ifaces[i];
3416 rnfo->direct_connect = 1;
3417 if (!spoofss) {
3418 if (get_srcaddr(dst, &rnfo->srcaddr) == -1)
3419 rnfo->srcaddr = rnfo->ii.addr;
3420 }
3421
3422 return 1;
3423 }
3424
3425 return 0;
3426 }
3427 #endif
3428
3429 /* Takes a destination address (dst) and tries to determine the
3430 * source address and interface necessary to route to this address.
3431 * If no route is found, 0 is returned and "rnfo" is undefined. If
3432 * a route is found, 1 is returned and "rnfo" is filled in with all
3433 * of the routing details. If the source address needs to be spoofed,
3434 * it should be passed through "spoofss" (otherwise NULL should be
3435 * specified), along with a suitable network device (parameter "device").
3436 * Even if spoofss is NULL, if user specified a network device with -e,
3437 * it should still be passed. Note that it's OK to pass either NULL or
3438 * an empty string as the "device", as long as spoofss==NULL. */
route_dst(const struct sockaddr_storage * dst,struct route_nfo * rnfo,const char * device,const struct sockaddr_storage * spoofss)3439 int route_dst(const struct sockaddr_storage *dst, struct route_nfo *rnfo,
3440 const char *device, const struct sockaddr_storage *spoofss) {
3441 #ifdef HAVE_LINUX_RTNETLINK_H
3442 return route_dst_netlink(dst, rnfo, device, spoofss);
3443 #else
3444 return route_dst_generic(dst, rnfo, device, spoofss);
3445 #endif
3446 }
3447
3448 /* Wrapper for system function sendto(), which retries a few times when
3449 * the call fails. It also prints informational messages about the
3450 * errors encountered. It returns the number of bytes sent or -1 in
3451 * case of error. */
Sendto(const char * functionname,int sd,const unsigned char * packet,int len,unsigned int flags,struct sockaddr * to,int tolen)3452 int Sendto(const char *functionname, int sd,
3453 const unsigned char *packet, int len, unsigned int flags,
3454 struct sockaddr *to, int tolen) {
3455
3456 int res;
3457 int retries = 0;
3458 int sleeptime = 0;
3459 static int numerrors = 0;
3460
3461 do {
3462 if ((res = sendto(sd, (const char *) packet, len, flags, to, tolen)) == -1) {
3463 int err = socket_errno();
3464
3465 numerrors++;
3466 if(numerrors <= 10) {
3467 netutil_error("sendto in %s: sendto(%d, packet, %d, 0, %s, %d) => %s",
3468 functionname, sd, len, inet_ntop_ez((struct sockaddr_storage *) to, sizeof(struct sockaddr_storage)), tolen,
3469 strerror(err));
3470 netutil_error("Offending packet: %s", ippackethdrinfo(packet, len, LOW_DETAIL));
3471 if (numerrors == 10) {
3472 netutil_error("Omitting future %s error messages now that %d have been shown. Use -d2 if you really want to see them.", __func__, numerrors);
3473 }
3474 }
3475 #if WIN32
3476 return -1;
3477 #else
3478 if (retries > 2)
3479 return -1;
3480 /* For these enumerated errors, we sleep and try again. */
3481 if (!(err == ENOBUFS || err == ENOMEM))
3482 return -1;
3483 sleeptime = 15 * (1 << (2 * retries));
3484 netutil_error("Sleeping %d seconds then retrying", sleeptime);
3485 fflush(stderr);
3486 sleep(sleeptime);
3487 #endif
3488 }
3489 retries++;
3490 } while (res == -1);
3491
3492 return res;
3493 }
3494
3495
3496
3497 /* Send an IP packet over an ethernet handle. */
send_ip_packet_eth(const struct eth_nfo * eth,const u8 * packet,unsigned int packetlen)3498 int send_ip_packet_eth(const struct eth_nfo *eth, const u8 *packet, unsigned int packetlen) {
3499 eth_t *ethsd;
3500 u8 *eth_frame;
3501 int res;
3502
3503 eth_frame = (u8 *) safe_malloc(14 + packetlen);
3504 memcpy(eth_frame + 14, packet, packetlen);
3505 eth_pack_hdr(eth_frame, eth->dstmac, eth->srcmac, ETH_TYPE_IP);
3506 if (!eth->ethsd) {
3507 ethsd = eth_open_cached(eth->devname);
3508 if (!ethsd)
3509 netutil_fatal("%s: Failed to open ethernet device (%s)", __func__, eth->devname);
3510 } else {
3511 ethsd = eth->ethsd;
3512 }
3513 res = eth_send(ethsd, eth_frame, 14 + packetlen);
3514 /* No need to close ethsd due to caching */
3515 free(eth_frame);
3516
3517 return res;
3518 }
3519
3520
3521 /* Send an IP packet over a raw socket. */
send_ip_packet_sd(int sd,const struct sockaddr_in * dst,const u8 * packet,unsigned int packetlen)3522 int send_ip_packet_sd(int sd, const struct sockaddr_in *dst,
3523 const u8 *packet, unsigned int packetlen) {
3524 struct sockaddr_in sock;
3525 struct ip *ip = (struct ip *) packet;
3526 struct tcp_hdr *tcp;
3527 struct udp_hdr *udp;
3528 int res;
3529
3530 assert(sd >= 0);
3531 sock = *dst;
3532
3533 /* It is bogus that I need the address and port info when sending a RAW IP
3534 packet, but it doesn't seem to work w/o them */
3535 if (packetlen >= 20) {
3536 if (ip->ip_p == IPPROTO_TCP
3537 && packetlen >= (unsigned int) ip->ip_hl * 4 + 20) {
3538 tcp = (struct tcp_hdr *) ((u8 *) ip + ip->ip_hl * 4);
3539 sock.sin_port = tcp->th_dport;
3540 } else if (ip->ip_p == IPPROTO_UDP
3541 && packetlen >= (unsigned int) ip->ip_hl * 4 + 8) {
3542 udp = (struct udp_hdr *) ((u8 *) ip + ip->ip_hl * 4);
3543 sock.sin_port = udp->uh_dport;
3544 }
3545 }
3546
3547 /* Equally bogus is that the IP total len and IP fragment offset
3548 fields need to be in host byte order on certain BSD variants. I
3549 must deal with it here rather than when building the packet,
3550 because they should be in NBO when I'm sending over raw
3551 ethernet */
3552 #if (defined(FREEBSD) && (__FreeBSD_version < 1100030)) || BSDI || NETBSD || DEC || MACOSX
3553 ip->ip_len = ntohs(ip->ip_len);
3554 ip->ip_off = ntohs(ip->ip_off);
3555 #endif
3556
3557 res = Sendto("send_ip_packet_sd", sd, packet, packetlen, 0,
3558 (struct sockaddr *) &sock,
3559 (int) sizeof(struct sockaddr_in));
3560
3561 /* Undo the byte order switching. */
3562 #if (defined(FREEBSD) && (__FreeBSD_version < 1100030)) || BSDI || NETBSD || DEC || MACOSX
3563 ip->ip_len = htons(ip->ip_len);
3564 ip->ip_off = htons(ip->ip_off);
3565 #endif
3566
3567 return res;
3568 }
3569
3570
3571
3572 /* Sends the supplied pre-built IPv4 packet. The packet is sent through
3573 * the raw socket "sd" if "eth" is NULL. Otherwise, it gets sent at raw
3574 * ethernet level. */
send_ip_packet_eth_or_sd(int sd,const struct eth_nfo * eth,const struct sockaddr_in * dst,const u8 * packet,unsigned int packetlen)3575 int send_ip_packet_eth_or_sd(int sd, const struct eth_nfo *eth,
3576 const struct sockaddr_in *dst,
3577 const u8 *packet, unsigned int packetlen) {
3578 if(eth)
3579 return send_ip_packet_eth(eth, packet, packetlen);
3580 else
3581 return send_ip_packet_sd(sd, dst, packet, packetlen);
3582 }
3583
3584
3585
3586 /* Create and send all fragments of a pre-built IPv4 packet
3587 * Minimal MTU for IPv4 is 68 and maximal IPv4 header size is 60
3588 * which gives us a right to cut TCP header after 8th byte
3589 * (shouldn't we inflate the header to 60 bytes too?) */
send_frag_ip_packet(int sd,const struct eth_nfo * eth,const struct sockaddr_in * dst,const u8 * packet,unsigned int packetlen,u32 mtu)3590 int send_frag_ip_packet(int sd, const struct eth_nfo *eth,
3591 const struct sockaddr_in *dst,
3592 const u8 *packet, unsigned int packetlen, u32 mtu) {
3593 struct ip *ip = (struct ip *) packet;
3594 int headerlen = ip->ip_hl * 4; // better than sizeof(struct ip)
3595 u32 datalen = packetlen - headerlen;
3596 int fdatalen = 0, res = 0;
3597 int fragment=0;
3598
3599 assert(headerlen <= (int) packetlen);
3600 assert(headerlen >= 20 && headerlen <= 60); // sanity check (RFC791)
3601 assert(mtu > 0 && mtu % 8 == 0); // otherwise, we couldn't set Fragment offset (ip->ip_off) correctly
3602
3603 if (datalen <= mtu) {
3604 netutil_error("Warning: fragmentation (mtu=%lu) requested but the payload is too small already (%lu)", (unsigned long)mtu, (unsigned long)datalen);
3605 return send_ip_packet_eth_or_sd(sd, eth, dst, packet, packetlen);
3606 }
3607
3608 u8 *fpacket = (u8 *) safe_malloc(headerlen + mtu);
3609 memcpy(fpacket, packet, headerlen + mtu);
3610 ip = (struct ip *) fpacket;
3611
3612 // create fragments and send them
3613 for (fragment = 1; fragment * mtu < datalen + mtu; fragment++) {
3614 fdatalen = (fragment * mtu <= datalen ? mtu : datalen % mtu);
3615 ip->ip_len = htons(headerlen + fdatalen);
3616 ip->ip_off = htons((fragment - 1) * mtu / 8);
3617 if ((fragment - 1) * mtu + fdatalen < datalen)
3618 ip->ip_off |= htons(IP_MF);
3619 #if HAVE_IP_IP_SUM
3620 ip->ip_sum = 0;
3621 ip->ip_sum = in_cksum((unsigned short *) ip, headerlen);
3622 #endif
3623 if (fragment > 1) // copy data payload
3624 memcpy(fpacket + headerlen,
3625 packet + headerlen + (fragment - 1) * mtu, fdatalen);
3626 res = send_ip_packet_eth_or_sd(sd, eth, dst, fpacket, ntohs(ip->ip_len));
3627 if (res == -1)
3628 break;
3629 }
3630 free(fpacket);
3631 return res;
3632 }
3633
3634 /* There are three ways to send a raw IPv6 packet.
3635
3636 send_ipv6_eth works when the device is Ethernet. (Unfortunately IPv6-in-IPv4
3637 tunnels are not.) We can control all header fields and extension headers.
3638
3639 send_ipv6_ipproto_raw must be used when IPPROTO_RAW sockets include the IP
3640 header, like IP_HDRINCL for IPv4. This is non-standard but is the case on
3641 Linux. (On other platforms, IPPROTO_RAW has no special meaning and just
3642 stands for protocol 255.) We can control all header fields and extension
3643 headers. This method uses only one raw socket for all sends.
3644
3645 send_ipv6_ip must be used when IPPROTO_RAW sockets do not include the IP
3646 header. Through standard function calls we can control all header fields
3647 except for the flow label. This method needs one raw socket for every
3648 protocol. (More precisely, one socket per distinct Next Header value.)
3649 */
3650
3651 /* Send an IPv6 packet over an Ethernet handle. */
send_ipv6_eth(const struct eth_nfo * eth,const u8 * packet,unsigned int packetlen)3652 static int send_ipv6_eth(const struct eth_nfo *eth, const u8 *packet, unsigned int packetlen) {
3653 eth_t *ethsd;
3654 struct eth_hdr *eth_frame;
3655 u8 *copy;
3656 int res;
3657
3658 copy = (u8 *) safe_malloc(packetlen + sizeof(*eth_frame));
3659 memcpy(copy + sizeof(*eth_frame), packet, packetlen);
3660 eth_frame = (struct eth_hdr *) copy;
3661 eth_pack_hdr(eth_frame, eth->dstmac, eth->srcmac, ETH_TYPE_IPV6);
3662 if (!eth->ethsd) {
3663 ethsd = eth_open_cached(eth->devname);
3664 if (!ethsd)
3665 netutil_fatal("%s: Failed to open ethernet device (%s)", __func__, eth->devname);
3666 } else {
3667 ethsd = eth->ethsd;
3668 }
3669 res = eth_send(ethsd, eth_frame, sizeof(*eth_frame) + packetlen);
3670 /* No need to close ethsd due to caching */
3671 free(eth_frame);
3672
3673 return res;
3674 }
3675
3676 #if HAVE_IPV6_IPPROTO_RAW
3677
3678 /* Send an IPv6 packet over a raw socket, on platforms where IPPROTO_RAW implies
3679 IP_HDRINCL-like behavior. */
send_ipv6_ipproto_raw(const struct sockaddr_in6 * dst,const unsigned char * packet,unsigned int packetlen)3680 static int send_ipv6_ipproto_raw(const struct sockaddr_in6 *dst,
3681 const unsigned char *packet, unsigned int packetlen) {
3682 int sd, n;
3683
3684 sd = -1;
3685 n = -1;
3686
3687 sd = socket(AF_INET6, SOCK_RAW, IPPROTO_RAW);
3688 if (sd == -1) {
3689 perror("socket");
3690 goto bail;
3691 }
3692
3693 n = Sendto(__func__, sd, packet, packetlen, 0, (struct sockaddr *) dst, sizeof(*dst));
3694
3695 bail:
3696 if (sd != -1)
3697 close(sd);
3698
3699 return n;
3700 }
3701
3702 #elif !WIN32
3703
3704 /* Add an ancillary cmsghdr data block to the list of blocks in a msghdr.
3705 The list is stored in msg->msg_control, which is dynamically allocated
3706 and reallocated as needed. It must be freed after this function returns.
3707 msg->msg_controllen is also modified by this function. Returns -1 in case of
3708 error or 0 otherwise. */
add_ancillary(struct msghdr * msg,int level,int type,const void * data,size_t len)3709 static int add_ancillary(struct msghdr *msg, int level, int type,
3710 const void *data, size_t len)
3711 {
3712 struct cmsghdr *cm;
3713 void *p;
3714
3715 p = realloc(msg->msg_control, msg->msg_controllen + CMSG_SPACE(len));
3716 if (p == NULL)
3717 return -1;
3718 msg->msg_control = p;
3719
3720 cm = (struct cmsghdr *) ((char *) msg->msg_control + msg->msg_controllen);
3721 msg->msg_controllen += CMSG_SPACE(len);
3722
3723 cm->cmsg_len = CMSG_LEN(len);
3724 cm->cmsg_level = level;
3725 cm->cmsg_type = type;
3726
3727 memcpy(CMSG_DATA(cm), data, len);
3728
3729 return 0;
3730 }
3731
exthdr_type_to_cmsg_type(uint8_t type)3732 static int exthdr_type_to_cmsg_type(uint8_t type) {
3733 switch (type) {
3734 /* These are the only extension headers we can set directly through a
3735 msghdr. */
3736 case 0:
3737 return IPV6_HOPOPTS;
3738 case 43:
3739 return IPV6_RTHDR;
3740 case 60:
3741 return IPV6_DSTOPTS;
3742 default:
3743 return -1;
3744 }
3745 }
3746
add_exthdr_ancillary(struct msghdr * msg,const unsigned char * p,size_t len,unsigned char * proto)3747 static const unsigned char *add_exthdr_ancillary(struct msghdr *msg,
3748 const unsigned char *p, size_t len, unsigned char *proto) {
3749 unsigned char nxt;
3750 size_t extlen;
3751 int cmsg_type;
3752
3753 cmsg_type = exthdr_type_to_cmsg_type(*proto);
3754 if (cmsg_type == -1)
3755 return NULL;
3756
3757 if (len < 2)
3758 return NULL;
3759 nxt = *p;
3760 extlen = (*(p + 1) + 1) * 8;
3761 if (len < extlen)
3762 return NULL;
3763 if (add_ancillary(msg, IPPROTO_IPV6, cmsg_type, p, extlen) == -1)
3764 return NULL;
3765
3766 *proto = nxt;
3767
3768 return p + extlen;
3769 }
3770
3771 /* Send an IPv6 packet over a raw socket. This function can control all header
3772 fields except the flow label (and the payload length can only be controlled
3773 indirectly through the length of the payload).
3774
3775 For most extension header types, we initialize the socket with the given
3776 protocol, which causes the Next Header field to match when the packet is set.
3777 This allows stuffing arbitrary data into extension headers. However, for a
3778 few well-known headers (like Destination and Routing options), this fails
3779 with EPROTOTYPE because there are specialized functions to add these headers
3780 using the IPv6 socket API. These do not offer as much control because they
3781 are controlled by the OS, and may be reordered, for example. */
send_ipv6_ip(const struct sockaddr_in6 * dst,const unsigned char * packet,size_t packetlen)3782 static int send_ipv6_ip(const struct sockaddr_in6 *dst,
3783 const unsigned char *packet, size_t packetlen) {
3784 struct msghdr msg;
3785 struct iovec iov;
3786
3787 const unsigned char *end;
3788 struct ip6_hdr *hdr;
3789 unsigned char nxt;
3790 #ifdef IPV6_TCLASS
3791 int tclass;
3792 #endif
3793 int hoplimit;
3794
3795 int sd;
3796 int n;
3797
3798 sd = -1;
3799 n = -1;
3800
3801 /* Set up sendmsg data structure. iov is filled in below. */
3802 msg.msg_name = (void *) dst;
3803 msg.msg_namelen = sizeof(*dst);
3804 msg.msg_iov = &iov;
3805 msg.msg_iovlen = 1;
3806 msg.msg_control = NULL;
3807 msg.msg_controllen = 0;
3808 msg.msg_flags = 0;
3809
3810 if (packetlen < sizeof(*hdr))
3811 return -1;
3812 hdr = (struct ip6_hdr *) packet;
3813
3814 /* This can also be set with setsockopt(IPPROTO_IPV6, IPV6_TCLASS). */
3815 #ifdef IPV6_TCLASS
3816 tclass = ntohl(hdr->ip6_flow & IP6_FLOWINFO_MASK) >> 20;
3817 if (add_ancillary(&msg, IPPROTO_IPV6,
3818 IPV6_TCLASS, &tclass, sizeof(tclass)) == -1) {
3819 goto bail;
3820 }
3821 #endif
3822 /* This can also be set with setsockopt(IPPROTO_IPV6, IPV6_UNICAST_HOPS). */
3823 hoplimit = hdr->ip6_hlim;
3824 if (add_ancillary(&msg, IPPROTO_IPV6,
3825 IPV6_HOPLIMIT, &hoplimit, sizeof(hoplimit)) == -1) {
3826 goto bail;
3827 }
3828 /* The Next Header field is set when the socket is created. The payload
3829 length is set in the call to sendmsg. There's no way to set the flow
3830 label. */
3831
3832 /* We must loop until we find a nh value acceptable to the operating system
3833 (one that can be passed as the third parameter to socket). In my tests on
3834 OS X, you get EPROTOTYPE "Protocol wrong type for socket" for
3835 43 routing
3836 44 fragment
3837 50 ESP
3838 51 AH
3839 60 DSTOPT
3840 108 IPcomp
3841 Some of these we are able to handle with ancillary data. When that's
3842 possible, we skip over the header, add the ancillary data, and try again
3843 with the next header. */
3844 end = packet + packetlen;
3845 packet += sizeof(*hdr);
3846 nxt = hdr->ip6_nxt;
3847 for (;;) {
3848 errno = 0;
3849 sd = socket(AF_INET6, SOCK_RAW, nxt);
3850 if (!(sd == -1 && errno == EPROTOTYPE))
3851 break;
3852 packet = add_exthdr_ancillary(&msg, packet, end - packet, &nxt);
3853 if (packet == NULL) {
3854 netutil_error("Can't add extension header %u as ancillary data", nxt);
3855 goto bail;
3856 }
3857 }
3858 if (sd == -1) {
3859 perror("socket");
3860 goto bail;
3861 }
3862
3863 assert(packet <= end);
3864 iov.iov_base = (unsigned char *) packet;
3865 iov.iov_len = end - packet;
3866
3867 n = sendmsg(sd, &msg, 0);
3868 if (n == -1)
3869 perror("sendmsg");
3870
3871 bail:
3872 free(msg.msg_control);
3873 if (sd != -1)
3874 close(sd);
3875
3876 return n;
3877 }
3878
3879 #endif
3880
3881 /* For now, the sd argument is ignored. */
send_ipv6_packet_eth_or_sd(int sd,const struct eth_nfo * eth,const struct sockaddr_in6 * dst,const u8 * packet,unsigned int packetlen)3882 int send_ipv6_packet_eth_or_sd(int sd, const struct eth_nfo *eth,
3883 const struct sockaddr_in6 *dst, const u8 *packet, unsigned int packetlen) {
3884 if (eth != NULL) {
3885 return send_ipv6_eth(eth, packet, packetlen);
3886 } else {
3887 #if HAVE_IPV6_IPPROTO_RAW
3888 return send_ipv6_ipproto_raw(dst, packet, packetlen);
3889 #elif !WIN32
3890 return send_ipv6_ip(dst, packet, packetlen);
3891 #endif
3892 }
3893
3894 return -1;
3895 }
3896
3897
3898
3899 #ifdef WIN32
3900 /* Convert a dnet interface name into the long pcap style. This also caches the
3901 data to speed things up. Fills out pcapdev (up to pcapdevlen) and returns
3902 true if it finds anything. Otherwise returns false. This is only necessary
3903 on Windows. */
DnetName2PcapName(const char * dnetdev,char * pcapdev,int pcapdevlen)3904 int DnetName2PcapName(const char *dnetdev, char *pcapdev, int pcapdevlen) {
3905 static struct NameCorrelationCache {
3906 char dnetd[64];
3907 char pcapd[128];
3908 } *NCC = NULL;
3909 static int NCCsz = 0;
3910 static int NCCcapacity = 0;
3911 static struct NameNotFoundCache {
3912 char dnetd[64];
3913 } *NNFC = NULL;
3914 static int NNFCsz = 0;
3915 static int NNFCcapacity = 0;
3916 int i;
3917 char tmpdev[128];
3918
3919 // Init the cache if not done yet
3920 if (!NCC) {
3921 NCCcapacity = 5;
3922 NCC =
3923 (struct NameCorrelationCache *) safe_zalloc(NCCcapacity *
3924 sizeof(*NCC));
3925 NCCsz = 0;
3926 }
3927 if (!NNFC) {
3928 NNFCcapacity = 5;
3929 NNFC =
3930 (struct NameNotFoundCache *) safe_zalloc(NNFCcapacity *
3931 sizeof(*NNFC));
3932 NNFCsz = 0;
3933 }
3934 // First check if the name is already in the cache
3935 for (i = 0; i < NCCsz; i++) {
3936 if (strcmp(NCC[i].dnetd, dnetdev) == 0) {
3937 Strncpy(pcapdev, NCC[i].pcapd, pcapdevlen);
3938 return 1;
3939 }
3940 }
3941 // Check if the name is already in the name not found cache
3942 for (i = 0; i < NNFCsz; i++) {
3943 if (strcmp(NNFC[i].dnetd, dnetdev) == 0) {
3944 return 0;
3945 }
3946 }
3947 // OK, so it isn't in the cache. Let's ask dnet for it.
3948 /* Converts a dnet interface name (ifname) to its pcap equivalent, which is stored in
3949 pcapdev (up to a length of pcapdevlen). Returns 1 and fills in pcapdev if successful. */
3950 if (eth_get_pcap_devname(dnetdev, tmpdev, sizeof(tmpdev)) != 0) {
3951 // We've got it. Let's add it to the not found cache
3952 if (NNFCsz >= NNFCcapacity) {
3953 NNFCcapacity <<= 2;
3954 NNFC =
3955 (struct NameNotFoundCache *) safe_realloc(NNFC,
3956 NNFCcapacity *
3957 sizeof(*NNFC));
3958 }
3959 Strncpy(NNFC[NNFCsz].dnetd, dnetdev, sizeof(NNFC[0].dnetd));
3960 NNFCsz++;
3961 return 0;
3962 }
3963
3964 // We've got it. Let's add it to the cache
3965 if (NCCsz >= NCCcapacity) {
3966 NCCcapacity <<= 2;
3967 NCC =
3968 (struct NameCorrelationCache *) safe_realloc(NCC,
3969 NCCcapacity *
3970 sizeof(*NCC));
3971 }
3972 Strncpy(NCC[NCCsz].dnetd, dnetdev, sizeof(NCC[0].dnetd));
3973 Strncpy(NCC[NCCsz].pcapd, tmpdev, sizeof(NCC[0].pcapd));
3974 NCCsz++;
3975 Strncpy(pcapdev, tmpdev, pcapdevlen);
3976 return 1;
3977 }
3978 #endif
3979
3980
3981 /* This function is used to obtain a packet capture handle to look at
3982 * packets on the network. It is actually a wrapper for libpcap's
3983 * pcap_open_live() that takes care of compatibility issues and error
3984 * checking. The function attempts to open the device up to three times.
3985 * If the call does not succeed the third time, NULL is returned. */
my_pcap_open_live(const char * device,int snaplen,int promisc,int to_ms)3986 pcap_t *my_pcap_open_live(const char *device, int snaplen, int promisc, int to_ms){
3987 char err0r[PCAP_ERRBUF_SIZE];
3988 pcap_t *pt;
3989 char pcapdev[128];
3990 int failed = 0;
3991
3992 assert(device != NULL);
3993
3994 #ifdef WIN32
3995 /* Nmap normally uses device names obtained through dnet for interfaces, but
3996 Pcap has its own naming system. So the conversion is done here */
3997 if (!DnetName2PcapName(device, pcapdev, sizeof(pcapdev))) {
3998 /* Oh crap -- couldn't find the corresponding dev apparently. Let's just go
3999 with what we have then ... */
4000 Strncpy(pcapdev, device, sizeof(pcapdev));
4001 }
4002 #else
4003 Strncpy(pcapdev, device, sizeof(pcapdev));
4004 #endif
4005
4006 #ifdef __amigaos__
4007 // Amiga doesn't have pcap_create
4008 // TODO: Does Nmap still work on Amiga?
4009 pt = pcap_open_live(pcapdev, snaplen, promisc, to_ms, err0r);
4010 if (!pt) {
4011 netutil_error("pcap_open_live(%s, %d, %d, %d) FAILED. Reported error: %s.", pcapdev, snaplen, promisc, to_ms, err0r);
4012 return NULL;
4013 }
4014 #else
4015 pt = pcap_create(pcapdev, err0r);
4016 if (!pt) {
4017 netutil_error("pcap_create(%s) FAILED: %s.", pcapdev, err0r);
4018 return NULL;
4019 }
4020
4021 #define MY_PCAP_SET(func, p_t, val) do {\
4022 failed = func(p_t, val);\
4023 if (failed) {\
4024 netutil_error(#func "(%d) FAILED: %d.", val, failed);\
4025 pcap_close(p_t);\
4026 return NULL;\
4027 }\
4028 } while(0);
4029
4030 MY_PCAP_SET(pcap_set_snaplen, pt, snaplen);
4031 MY_PCAP_SET(pcap_set_promisc, pt, promisc);
4032 MY_PCAP_SET(pcap_set_timeout, pt, to_ms);
4033 #ifdef HAVE_PCAP_SET_IMMEDIATE_MODE
4034 MY_PCAP_SET(pcap_set_immediate_mode, pt, 1);
4035 #endif
4036
4037 failed = pcap_activate(pt);
4038 if (failed < 0) {
4039 // PCAP error
4040 netutil_error("pcap_activate(%s) FAILED: %s.", pcapdev, pcap_geterr(pt));
4041 pcap_close(pt);
4042 return NULL;
4043 }
4044 else if (failed > 0) {
4045 // PCAP warning, report but assume it'll still work
4046 netutil_error("pcap_activate(%s) WARNING: %s.", pcapdev, pcap_geterr(pt));
4047 }
4048 #endif /* not __amigaos__ */
4049
4050 #ifdef WIN32
4051 /* We want any responses back ASAP */
4052 /* This is unnecessary with Npcap since libpcap calls PacketSetMinToCopy(0)
4053 * based on immediate mode. Have not determined if it is needed for WinPcap
4054 * or not, but it's not hurting anything. */
4055 pcap_setmintocopy(pt, 0);
4056 /* Npcap sets kernel buffer size to 1MB, but user buffer size to 256KB.
4057 * Memory is pretty cheap these days, so lets match the kernel buffer size
4058 * for better performance. */
4059 pcap_setuserbuffer(pt, 1000000);
4060 #endif
4061
4062 return pt;
4063 }
4064
4065
4066 /* Set a pcap filter */
set_pcap_filter(const char * device,pcap_t * pd,const char * bpf,...)4067 void set_pcap_filter(const char *device, pcap_t *pd, const char *bpf, ...) {
4068 va_list ap;
4069 int size;
4070 char buf[3072];
4071 struct bpf_program fcode;
4072
4073 va_start(ap, bpf);
4074 size = Vsnprintf(buf, sizeof(buf), bpf, ap);
4075 va_end(ap);
4076 if (size >= (int) sizeof(buf))
4077 netutil_fatal("%s called with too-large filter arg\n", __func__);
4078
4079 if (pcap_compile(pd, &fcode, buf, 1, PCAP_NETMASK_UNKNOWN) < 0)
4080 netutil_fatal("Error compiling our pcap filter: %s", pcap_geterr(pd));
4081 if (pcap_setfilter(pd, &fcode) < 0)
4082 netutil_fatal("Failed to set the pcap filter: %s\n", pcap_geterr(pd));
4083 pcap_freecode(&fcode);
4084 }
4085
4086
4087 /* Return the data offset for the given datalink. This function understands the
4088 datalink types DLT_EN10MB and DLT_LINUX_SLL. Returns -1 on error. */
datalink_offset(int datalink)4089 int datalink_offset(int datalink)
4090 {
4091 int offset = -1;
4092 /* NOTE: IF A NEW OFFSET EVER EXCEEDS THE CURRENT MAX (24), ADJUST
4093 MAX_LINK_HEADERSZ in libnetutil/netutil.h */
4094 switch (datalink) {
4095 case DLT_EN10MB:
4096 offset = ETH_HDR_LEN;
4097 break;
4098 case DLT_IEEE802:
4099 offset = 22;
4100 break;
4101 #ifdef __amigaos__
4102 case DLT_MIAMI:
4103 offset = 16;
4104 break;
4105 #endif
4106 #ifdef DLT_LOOP
4107 case DLT_LOOP:
4108 #endif
4109 case DLT_NULL:
4110 offset = 4;
4111 break;
4112 case DLT_SLIP:
4113 #ifdef DLT_SLIP_BSDOS
4114 case DLT_SLIP_BSDOS:
4115 #endif
4116 #if (FREEBSD || OPENBSD || NETBSD || BSDI || MACOSX)
4117 offset = 16;
4118 #else
4119 offset = 24; /* Anyone use this??? */
4120 #endif
4121 break;
4122 case DLT_PPP:
4123 #ifdef DLT_PPP_BSDOS
4124 case DLT_PPP_BSDOS:
4125 #endif
4126 #ifdef DLT_PPP_SERIAL
4127 case DLT_PPP_SERIAL:
4128 #endif
4129 #ifdef DLT_PPP_ETHER
4130 case DLT_PPP_ETHER:
4131 #endif
4132 #if (FREEBSD || OPENBSD || NETBSD || BSDI || MACOSX)
4133 offset = 4;
4134 #else
4135 #ifdef SOLARIS
4136 offset = 8;
4137 #else
4138 offset = 24; /* Anyone use this? */
4139 #endif /* ifdef solaris */
4140 #endif /* if freebsd || openbsd || netbsd || bsdi */
4141 break;
4142 case DLT_RAW:
4143 offset = 0;
4144 break;
4145 case DLT_FDDI:
4146 offset = 21;
4147 break;
4148 #ifdef DLT_ENC
4149 case DLT_ENC:
4150 offset = 12;
4151 break;
4152 #endif /* DLT_ENC */
4153 #ifdef DLT_LINUX_SLL
4154 case DLT_LINUX_SLL:
4155 offset = 16;
4156 break;
4157 #endif
4158 #ifdef DLT_IPNET
4159 case DLT_IPNET:
4160 offset = 24;
4161 break;
4162 #endif
4163 default:
4164 offset = -1;
4165 break;
4166 }
4167 return offset;
4168 }
4169
4170 /* Common subroutine for reading ARP and NS responses. Input parameters are pd,
4171 to_usec, and accept_callback. If a received frame passes accept_callback,
4172 then the output parameters p, head, rcvdtime, datalink, and offset are filled
4173 in, and the function returns 1. If no frame passes before the timeout, then
4174 the function returns 0 and the output parameters are undefined. */
read_reply_pcap(pcap_t * pd,long to_usec,bool (* accept_callback)(const unsigned char *,const struct pcap_pkthdr *,int,size_t),const unsigned char ** p,struct pcap_pkthdr ** head,struct timeval * rcvdtime,int * datalink,size_t * offset)4175 int read_reply_pcap(pcap_t *pd, long to_usec,
4176 bool (*accept_callback)(const unsigned char *, const struct pcap_pkthdr *, int, size_t),
4177 const unsigned char **p, struct pcap_pkthdr **head, struct timeval *rcvdtime,
4178 int *datalink, size_t *offset)
4179 {
4180 static int warning = 0;
4181 int timedout = 0;
4182 int badcounter = 0;
4183 struct timeval tv_start, tv_end;
4184 int ioffset;
4185
4186 if (!pd)
4187 netutil_fatal("NULL packet device passed to %s", __func__);
4188
4189 if (to_usec < 0) {
4190 if (!warning) {
4191 warning = 1;
4192 netutil_error("WARNING: Negative timeout value (%lu) passed to %s() -- using 0", to_usec, __func__);
4193 }
4194 to_usec = 0;
4195 }
4196
4197 /* New packet capture device, need to recompute offset */
4198 if ((*datalink = pcap_datalink(pd)) < 0)
4199 netutil_fatal("Cannot obtain datalink information: %s", pcap_geterr(pd));
4200 ioffset = datalink_offset(*datalink);
4201 if (ioffset < 0)
4202 netutil_fatal("datalink_offset failed for type %d (DLT_EN10MB = %d, DLT_LINUX_SLL = %d)", *datalink, DLT_EN10MB, DLT_LINUX_SLL);
4203 *offset = (unsigned int) ioffset;
4204
4205 if (to_usec > 0) {
4206 gettimeofday(&tv_start, NULL);
4207 }
4208
4209 do {
4210
4211 *p = NULL;
4212 int pcap_status = 0;
4213 /* It may be that protecting this with !pcap_selectable_fd_one_to_one is not
4214 necessary, that it is always safe to do a nonblocking read in this way on
4215 all platforms. But I have only tested it on Solaris. */
4216 if (!pcap_selectable_fd_one_to_one()) {
4217 int rc, nonblock;
4218
4219 nonblock = pcap_getnonblock(pd, NULL);
4220 assert(nonblock == 0);
4221 rc = pcap_setnonblock(pd, 1, NULL);
4222 assert(rc == 0);
4223 pcap_status = pcap_next_ex(pd, head, p);
4224 rc = pcap_setnonblock(pd, nonblock, NULL);
4225 assert(rc == 0);
4226 }
4227
4228 if (pcap_status == PCAP_ERROR) {
4229 // TODO: Gracefully end the scan.
4230 netutil_fatal("Error from pcap_next_ex: %s\n", pcap_geterr(pd));
4231 }
4232
4233 if (pcap_status == 0 || *p == NULL) {
4234 /* Nonblocking pcap_next_ex didn't get anything. */
4235 if (pcap_select(pd, to_usec) == 0)
4236 timedout = 1;
4237 else
4238 pcap_status = pcap_next_ex(pd, head, p);
4239 }
4240
4241 if (pcap_status == PCAP_ERROR) {
4242 // TODO: Gracefully end the scan.
4243 netutil_fatal("Error from pcap_next_ex: %s\n", pcap_geterr(pd));
4244 }
4245
4246 if (pcap_status == 1 && *p != NULL && accept_callback(*p, *head, *datalink, *offset)) {
4247 break;
4248 } else if (pcap_status == 0 || *p == NULL) {
4249 /* Should we timeout? */
4250 if (to_usec == 0) {
4251 timedout = 1;
4252 } else if (to_usec > 0) {
4253 gettimeofday(&tv_end, NULL);
4254 if (TIMEVAL_SUBTRACT(tv_end, tv_start) >= to_usec) {
4255 timedout = 1;
4256 }
4257 }
4258 } else {
4259 /* We'll be a bit patient if we're getting actual packets back, but
4260 not indefinitely so */
4261 if (badcounter++ > 50)
4262 timedout = 1;
4263 }
4264 } while (!timedout);
4265
4266 if (timedout)
4267 return 0;
4268
4269 if (rcvdtime) {
4270 // TODO: come up with a better way to synchronize pcap with gettimeofday.
4271 // Npcap and WinPcap both suffer from clock drift relative to gettimeofday().
4272 // We hope to fix this with better time sources for Npcap ( http://issues.nmap.org/1407 )
4273 // and for Nmap ( http://issues.nmap.org/180 )
4274 // For now, we use gettimeofday() for Windows in this case.
4275 // Sometimes the time from the pcap header is a
4276 // COUPLE SECONDS before the gettimeofday() results :(.
4277 #if defined(WIN32) || defined(__amigaos__)
4278 gettimeofday(&tv_end, NULL);
4279 *rcvdtime = tv_end;
4280 #else
4281 rcvdtime->tv_sec = (*head)->ts.tv_sec;
4282 rcvdtime->tv_usec = (*head)->ts.tv_usec;
4283 assert((*head)->ts.tv_sec);
4284 #endif
4285 }
4286
4287 return 1;
4288 }
4289
accept_arp(const unsigned char * p,const struct pcap_pkthdr * head,int datalink,size_t offset)4290 static bool accept_arp(const unsigned char *p, const struct pcap_pkthdr *head,
4291 int datalink, size_t offset)
4292 {
4293 if (head->caplen < offset + 28)
4294 return false;
4295
4296 /* hw type eth (0x0001), prot ip (0x0800),
4297 hw size (0x06), prot size (0x04) */
4298 if (memcmp(p + offset, "\x00\x01\x08\x00\x06\x04\x00\x02", 8) != 0)
4299 return false;
4300
4301 if (datalink == DLT_EN10MB) {
4302 return ntohs(*((u16 *) (p + 12))) == ETH_TYPE_ARP;
4303 } else if (datalink == DLT_LINUX_SLL) {
4304 return ntohs(*((u16 *) (p + 2))) == ARPHRD_ETHER && /* sll_hatype */
4305 ntohs(*((u16 *) (p + 4))) == 6 && /* sll_halen */
4306 ntohs(*((u16 *) (p + 14))) == ETH_TYPE_ARP; /* sll_protocol */
4307 } else {
4308 return false;
4309 }
4310 }
4311
4312 /* Attempts to read one IPv4/Ethernet ARP reply packet from the pcap
4313 descriptor pd. If it receives one, fills in sendermac (must pass
4314 in 6 bytes), senderIP, and rcvdtime (can be NULL if you don't care)
4315 and returns 1. If it times out and reads no arp requests, returns
4316 0. to_usec is the timeout period in microseconds. Use 0 to avoid
4317 blocking to the extent possible. Returns -1 or exits if there is
4318 an error. The last parameter is a pointer to a callback function
4319 that can be used for packet tracing. This is intended to be used
4320 by Nmap only. Any other calling this should pass NULL instead. */
read_arp_reply_pcap(pcap_t * pd,u8 * sendermac,struct in_addr * senderIP,long to_usec,struct timeval * rcvdtime,void (* trace_callback)(int,const u8 *,u32,struct timeval *))4321 int read_arp_reply_pcap(pcap_t *pd, u8 *sendermac,
4322 struct in_addr *senderIP, long to_usec,
4323 struct timeval *rcvdtime,
4324 void (*trace_callback)(int, const u8 *, u32, struct timeval *)) {
4325 const unsigned char *p;
4326 struct pcap_pkthdr *head;
4327 int datalink;
4328 size_t offset;
4329 int rc;
4330
4331 rc = read_reply_pcap(pd, to_usec, accept_arp, &p, &head, rcvdtime, &datalink, &offset);
4332 if (rc == 0)
4333 return 0;
4334
4335 memcpy(sendermac, p + offset + 8, 6);
4336 /* I think alignment should allow this ... */
4337 memcpy(&senderIP->s_addr, p + offset + 14, 4);
4338
4339 if (trace_callback != NULL) {
4340 /* TODO: First parameter "2" is a hardcoded value for Nmap's PacketTrace::RECV. */
4341 trace_callback(2, (u8 *) p + offset, ARP_HDR_LEN + ARP_ETHIP_LEN, rcvdtime);
4342 }
4343
4344 return 1;
4345 }
4346
accept_ns(const unsigned char * p,const struct pcap_pkthdr * head,int datalink,size_t offset)4347 static bool accept_ns(const unsigned char *p, const struct pcap_pkthdr *head,
4348 int datalink, size_t offset)
4349 {
4350 struct icmpv6_hdr *icmp6_header;
4351
4352 if (head->caplen < offset + IP6_HDR_LEN + ICMPV6_HDR_LEN)
4353 return false;
4354
4355 icmp6_header = (struct icmpv6_hdr *)(p + offset + IP6_HDR_LEN);
4356 return icmp6_header->icmpv6_type == ICMPV6_NEIGHBOR_ADVERTISEMENT &&
4357 icmp6_header->icmpv6_code == 0;
4358 }
4359
4360 /* Attempts to read one IPv6/Ethernet Neighbor Solicitation reply packet from the pcap
4361 descriptor pd. If it receives one, fills in sendermac (must pass
4362 in 6 bytes), senderIP, and rcvdtime (can be NULL if you don't care)
4363 and returns 1. If it times out and reads no Neighbor Advertisement, returns
4364 0. to_usec is the timeout period in microseconds. Use 0 to avoid
4365 blocking to the extent possible. Returns -1 or exits if there is
4366 an error. The last parameter is a pointer to a callback function
4367 that can be used for packet tracing. This is intended to be used
4368 by Nmap only. Any other calling this should pass NULL instead. */
read_ns_reply_pcap(pcap_t * pd,u8 * sendermac,struct sockaddr_in6 * senderIP,long to_usec,struct timeval * rcvdtime,bool * has_mac,void (* trace_callback)(int,const u8 *,u32,struct timeval *))4369 int read_ns_reply_pcap(pcap_t *pd, u8 *sendermac,
4370 struct sockaddr_in6 *senderIP, long to_usec,
4371 struct timeval *rcvdtime, bool *has_mac,
4372 void (*trace_callback)(int, const u8 *, u32, struct timeval *)) {
4373 const unsigned char *p;
4374 struct pcap_pkthdr *head;
4375 int datalink;
4376 size_t offset;
4377 int rc;
4378 struct icmpv6_msg_nd *na;
4379
4380 rc = read_reply_pcap(pd, to_usec, accept_ns, &p, &head, rcvdtime, &datalink, &offset);
4381 if (rc == 0)
4382 return 0;
4383
4384 na = (struct icmpv6_msg_nd *)(p + offset + IP6_HDR_LEN + ICMPV6_HDR_LEN);
4385 if (head->caplen >= ((unsigned char *)na - p) + sizeof(struct icmpv6_msg_nd) &&
4386 na->icmpv6_option_type == 2 &&
4387 na->icmpv6_option_length == 1) {
4388 *has_mac = true;
4389 memcpy(sendermac, &na->icmpv6_mac, 6);
4390 }
4391 else {
4392 *has_mac = false;
4393 }
4394 senderIP->sin6_family = AF_INET6;
4395 memcpy(&senderIP->sin6_addr.s6_addr, &na->icmpv6_target, 16);
4396
4397 if (trace_callback != NULL) {
4398 /* TODO: First parameter "2" is a hardcoded value for Nmap's PacketTrace::RECV. */
4399 trace_callback(2, (u8 *) p + offset, IP6_HDR_LEN + ICMPV6_HDR_LEN + 4 + 16 + 8, rcvdtime);
4400 }
4401
4402 return 1;
4403 }
4404
4405
4406 /* Issues an Neighbor Solicitation for the MAC of targetss (which will be placed
4407 in targetmac if obtained) from the source IP (srcip) and source mac
4408 (srcmac) given. "The request is ussued using device dev to the
4409 multicast MAC address. The transmission is attempted up to 3
4410 times. If none of these elicit a response, false will be returned.
4411 If the mac is determined, true is returned. The last parameter is
4412 a pointer to a callback function that can be used for packet tracing.
4413 This is intended to be used by Nmap only. Any other calling this
4414 should pass NULL instead. */
doND(const char * dev,const u8 * srcmac,const struct sockaddr_storage * srcip,const struct sockaddr_storage * targetip,u8 * targetmac,void (* traceND_callback)(int,const u8 *,u32,struct timeval *))4415 bool doND(const char *dev, const u8 *srcmac,
4416 const struct sockaddr_storage *srcip,
4417 const struct sockaddr_storage *targetip,
4418 u8 *targetmac,
4419 void (*traceND_callback)(int, const u8 *, u32 , struct timeval *)
4420 ) {
4421 /* timeouts in microseconds ... the first ones are retransmit times, while
4422 the final one is when we give up */
4423 int timeouts[] = { 100000, 400000, 800000 };
4424 int max_sends = 3;
4425 int num_sends = 0; // How many we have sent so far
4426 eth_t *ethsd;
4427 u8 frame[ETH_HDR_LEN + IP6_HDR_LEN + ICMPV6_HDR_LEN + 4 + 16 + 8];
4428 struct timeval start, now, rcvdtime;
4429 int timeleft;
4430 int listenrounds;
4431 int rc;
4432 bool has_mac;
4433 pcap_t *pd;
4434 struct sockaddr_storage rcvdIP;
4435 rcvdIP.ss_family = AF_INET6;
4436 bool foundit = false;
4437 char filterstr[256];
4438 struct sockaddr_in6 *target_sin6, *src_sin6;
4439 struct sockaddr_in6 ns_dst_ip6;
4440
4441 if (targetip->ss_family != AF_INET6 || srcip->ss_family != AF_INET6)
4442 netutil_fatal("%s can only handle IPv6 addresses", __func__);
4443
4444 target_sin6 = (struct sockaddr_in6 *) targetip;
4445 src_sin6 = (struct sockaddr_in6 *) srcip;
4446
4447 unsigned char ns_dst_mac[6] = {0x33, 0x33, 0xff};
4448 ns_dst_mac[3] = target_sin6->sin6_addr.s6_addr[13];
4449 ns_dst_mac[4] = target_sin6->sin6_addr.s6_addr[14];
4450 ns_dst_mac[5] = target_sin6->sin6_addr.s6_addr[15];
4451
4452 ns_dst_ip6 = *target_sin6;
4453 unsigned char multicast_prefix[13] = {0};
4454 multicast_prefix[0] = 0xff;
4455 multicast_prefix[1] = 0x02;
4456 multicast_prefix[11] = 0x1;
4457 multicast_prefix[12] = 0xff;
4458 memcpy(ns_dst_ip6.sin6_addr.s6_addr, multicast_prefix, sizeof(multicast_prefix));
4459
4460 /* Start listening */
4461 if((pd=my_pcap_open_live(dev, 100, 1, 25))==NULL)
4462 netutil_fatal("my_pcap_open_live(%s, 50, 1, 25) failed three times.", dev);
4463 /* Libpcap: IPv6 upper-layer protocol is not supported by proto[x] */
4464 /* Grab the ICMPv6 type using ip6[X:Y] syntax. This works only if there are no
4465 extension headers (top-level nh is IPPROTO_ICMPV6). */
4466 Snprintf(filterstr, 256, "ether dst %02X%02X%02X%02X%02X%02X and icmp6 and ip6[6:1] = %u and ip6[40:1] = %u",
4467 srcmac[0], srcmac[1], srcmac[2], srcmac[3], srcmac[4], srcmac[5],
4468 IPPROTO_ICMPV6, ICMPV6_NEIGHBOR_ADVERTISEMENT);
4469 set_pcap_filter(dev, pd, filterstr);
4470
4471 /* Prepare probe and sending stuff */
4472 ethsd = eth_open_cached(dev);
4473 if (!ethsd)
4474 netutil_fatal("%s: failed to open device %s", __func__, dev);
4475 eth_pack_hdr(frame, *ns_dst_mac, *srcmac, ETH_TYPE_IPV6);
4476 ip6_pack_hdr(frame + ETH_HDR_LEN, 0, 0, 32, 0x3a, 255, *src_sin6->sin6_addr.s6_addr, *ns_dst_ip6.sin6_addr.s6_addr);
4477 icmpv6_pack_hdr_ns_mac(frame + ETH_HDR_LEN + IP6_HDR_LEN, target_sin6->sin6_addr.s6_addr, *srcmac);
4478 ip6_checksum(frame + ETH_HDR_LEN, IP6_HDR_LEN + ICMPV6_HDR_LEN + 4 + 16 + 8);
4479
4480 gettimeofday(&start, NULL);
4481 gettimeofday(&now, NULL);
4482
4483 while (!foundit && num_sends < max_sends) {
4484 /* Send the sucker */
4485 rc = eth_send(ethsd, frame, sizeof(frame));
4486 if (rc != sizeof(frame)) {
4487 netutil_error("WARNING: %s: eth_send of Neighbor Solicitation packet returned %u rather than expected %d bytes", __func__, rc, (int) sizeof(frame));
4488 }
4489 if(traceND_callback!=NULL){
4490 /* TODO: First parameter "1" is a hardcoded value for Nmap's PacketTrace::SENT*/
4491 traceND_callback(1, (u8 *) frame + ETH_HDR_LEN, IP6_HDR_LEN + ICMPV6_HDR_LEN + 4 + 16 + 8, &now);
4492 }
4493 num_sends++;
4494
4495 listenrounds = 0;
4496 while (!foundit) {
4497 gettimeofday(&now, NULL);
4498 timeleft = timeouts[num_sends - 1] - TIMEVAL_SUBTRACT(now, start);
4499 if (timeleft < 0) {
4500 if (listenrounds > 0)
4501 break;
4502 else
4503 timeleft = 25000;
4504 }
4505 listenrounds++;
4506 /* Now listen until we reach our next timeout or get an answer */
4507 rc = read_ns_reply_pcap(pd, targetmac, (struct sockaddr_in6 *) &rcvdIP, timeleft,
4508 &rcvdtime, &has_mac, traceND_callback);
4509 if (rc == -1)
4510 netutil_fatal("%s: Received -1 response from read_ns_reply_pcap", __func__);
4511 if (rc == 1) {
4512 /* Yay, I got one! But is it the right one? */
4513 if (sockaddr_storage_cmp(&rcvdIP,targetip) != 0)
4514 continue; /* D'oh! */
4515 foundit = true; /* WOOHOO! */
4516 }
4517 }
4518 }
4519
4520 /* OK - let's close up shop ... */
4521 pcap_close(pd);
4522 /* No need to close ethsd due to caching */
4523 return foundit;
4524 }
4525
4526 /* Issues an ARP request for the MAC of targetss (which will be placed
4527 in targetmac if obtained) from the source IP (srcip) and source mac
4528 (srcmac) given. "The request is ussued using device dev to the
4529 broadcast MAC address. The transmission is attempted up to 3
4530 times. If none of these elicit a response, false will be returned.
4531 If the mac is determined, true is returned. The last parameter is
4532 a pointer to a callback function that can be used for packet tracing.
4533 This is intended to be used by Nmap only. Any other calling this
4534 should pass NULL instead. */
doArp(const char * dev,const u8 * srcmac,const struct sockaddr_storage * srcip,const struct sockaddr_storage * targetip,u8 * targetmac,void (* traceArp_callback)(int,const u8 *,u32,struct timeval *))4535 bool doArp(const char *dev, const u8 *srcmac,
4536 const struct sockaddr_storage *srcip,
4537 const struct sockaddr_storage *targetip,
4538 u8 *targetmac,
4539 void (*traceArp_callback)(int, const u8 *, u32 , struct timeval *)
4540 ) {
4541 /* timeouts in microseconds ... the first ones are retransmit times, while
4542 the final one is when we give up */
4543 int timeouts[] = { 100000, 400000, 800000 };
4544 int max_sends = 3;
4545 int num_sends = 0; // How many we have sent so far
4546 eth_t *ethsd;
4547 u8 frame[ETH_HDR_LEN + ARP_HDR_LEN + ARP_ETHIP_LEN];
4548 const struct sockaddr_in *targetsin = (struct sockaddr_in *) targetip;
4549 const struct sockaddr_in *srcsin = (struct sockaddr_in *) srcip;
4550 struct timeval start, now, rcvdtime;
4551 int timeleft;
4552 int listenrounds;
4553 int rc;
4554 pcap_t *pd;
4555 struct in_addr rcvdIP;
4556 bool foundit = false;
4557 char filterstr[256];
4558
4559 if (targetsin->sin_family != AF_INET || srcsin->sin_family != AF_INET)
4560 netutil_fatal("%s can only handle IPv4 addresses", __func__);
4561
4562 /* Start listening */
4563 if((pd=my_pcap_open_live(dev, 50, 1, 25))==NULL)
4564 netutil_fatal("my_pcap_open_live(%s, 50, 1, 25) failed three times.", dev);
4565 Snprintf(filterstr, 256, "arp and arp[18:4] = 0x%02X%02X%02X%02X and arp[22:2] = 0x%02X%02X",
4566 srcmac[0], srcmac[1], srcmac[2], srcmac[3], srcmac[4], srcmac[5]);
4567 set_pcap_filter(dev, pd, filterstr);
4568
4569 /* Prepare probe and sending stuff */
4570 ethsd = eth_open_cached(dev);
4571 if (!ethsd)
4572 netutil_fatal("%s: failed to open device %s", __func__, dev);
4573 eth_pack_hdr(frame, ETH_ADDR_BROADCAST, *srcmac, ETH_TYPE_ARP);
4574 arp_pack_hdr_ethip(frame + ETH_HDR_LEN, ARP_OP_REQUEST, *srcmac,
4575 srcsin->sin_addr, ETH_ADDR_BROADCAST,
4576 targetsin->sin_addr);
4577 gettimeofday(&start, NULL);
4578 gettimeofday(&now, NULL);
4579
4580 while (!foundit && num_sends < max_sends) {
4581 /* Send the sucker */
4582 rc = eth_send(ethsd, frame, sizeof(frame));
4583 if (rc != sizeof(frame)) {
4584 netutil_error("WARNING: %s: eth_send of ARP packet returned %u rather than expected %d bytes", __func__, rc, (int) sizeof(frame));
4585 }
4586 if(traceArp_callback!=NULL){
4587 /* TODO: First parameter "1" is a hardcoded value for Nmap's PacketTrace::SENT*/
4588 traceArp_callback(1, (u8 *) frame + ETH_HDR_LEN, ARP_HDR_LEN + ARP_ETHIP_LEN, &now);
4589 }
4590 num_sends++;
4591
4592 listenrounds = 0;
4593 while (!foundit) {
4594 gettimeofday(&now, NULL);
4595 timeleft = timeouts[num_sends - 1] - TIMEVAL_SUBTRACT(now, start);
4596 if (timeleft < 0) {
4597 if (listenrounds > 0)
4598 break;
4599 else
4600 timeleft = 25000;
4601 }
4602 listenrounds++;
4603 /* Now listen until we reach our next timeout or get an answer */
4604 rc = read_arp_reply_pcap(pd, targetmac, &rcvdIP, timeleft,
4605 &rcvdtime, traceArp_callback);
4606 if (rc == -1)
4607 netutil_fatal("%s: Received -1 response from readarp_reply_pcap", __func__);
4608 if (rc == 1) {
4609 /* Yay, I got one! But is it the right one? */
4610 if (rcvdIP.s_addr != targetsin->sin_addr.s_addr)
4611 continue; /* D'oh! */
4612 foundit = true; /* WOOHOO! */
4613 }
4614 }
4615 }
4616
4617 /* OK - let's close up shop ... */
4618 pcap_close(pd);
4619 /* No need to close ethsd due to caching */
4620 return foundit;
4621 }
4622
4623
4624
is_host_separator(int c)4625 static inline bool is_host_separator(int c) {
4626 return c == ' ' || c == '\r' || c == '\n' || c == '\t' || c == '\0';
4627 }
4628
4629 /* Read a single host specification from a file, as for -iL and --excludefile.
4630 It returns the length of the string read; an overflow is indicated when the
4631 return value is >= n. Returns 0 if there was no specification to be read. The
4632 buffer is always null-terminated. */
read_host_from_file(FILE * fp,char * buf,size_t n)4633 size_t read_host_from_file(FILE *fp, char *buf, size_t n)
4634 {
4635 int ch;
4636 size_t i;
4637
4638 i = 0;
4639 ch = getc(fp);
4640 while (is_host_separator(ch) || ch == '#') {
4641 if (ch == '#') {
4642 /* Skip comments to the end of the line. */
4643 while ((ch = getc(fp)) != EOF && ch != '\n')
4644 ;
4645 } else {
4646 ch = getc(fp);
4647 }
4648 }
4649 while (ch != EOF && !(is_host_separator(ch) || ch == '#')) {
4650 if (i < n)
4651 buf[i] = ch;
4652 i++;
4653 ch = getc(fp);
4654 }
4655 if (ch != EOF)
4656 ungetc(ch, fp);
4657 if (i < n)
4658 buf[i] = '\0';
4659 else if (n > 0)
4660 /* Null-terminate even though it was too long. */
4661 buf[n - 1] = '\0';
4662
4663 return i;
4664 }
4665
4666
4667 /* Return next target host specification from the supplied stream.
4668 * if parameter "random" is set to true, then the function will
4669 * return a random, non-reserved, IP address in decimal-dot notation */
grab_next_host_spec(FILE * inputfd,bool random,int argc,const char ** argv)4670 const char *grab_next_host_spec(FILE *inputfd, bool random, int argc, const char **argv) {
4671 static char host_spec[1024];
4672 struct in_addr ip;
4673 size_t n;
4674
4675 if (random) {
4676 do {
4677 ip.s_addr = get_random_unique_u32();
4678 } while (ip_is_reserved(&ip));
4679 Strncpy(host_spec, inet_ntoa(ip), sizeof(host_spec));
4680 } else if (!inputfd) {
4681 return( (optind < argc)? argv[optind++] : NULL);
4682 } else {
4683 n = read_host_from_file(inputfd, host_spec, sizeof(host_spec));
4684 if (n == 0)
4685 return NULL;
4686 else if (n >= sizeof(host_spec))
4687 netutil_fatal("One of the host specifications from your input file is too long (>= %u chars)", (unsigned int) sizeof(host_spec));
4688 }
4689 return host_spec;
4690 }
4691
4692
4693
4694 /** Tries to increase the open file descriptor limit for this process.
4695 * @param "desired" is the number of desired max open descriptors. Pass a
4696 * negative value to set the maximum allowed.
4697 * @return the number of max open descriptors that could be set, or 0 in case
4698 * of failure.
4699 * @warning if "desired" is less than the current limit, no action is
4700 * performed. This function may only be used to increase the limit, not to
4701 * decrease it. */
set_max_open_descriptors(int desired_max)4702 int set_max_open_descriptors(int desired_max) {
4703 #ifndef WIN32
4704 struct rlimit r;
4705 int maxfds=-1;
4706 int flag=0;
4707
4708 #if (defined(RLIMIT_OFILE) || defined(RLIMIT_NOFILE))
4709
4710 #ifdef RLIMIT_NOFILE
4711 flag=RLIMIT_NOFILE; /* Linux */
4712 #else
4713 flag=RLIMIT_OFILE; /* BSD */
4714 #endif
4715
4716 if (!getrlimit(flag, &r)) {
4717 /* If current limit is less than the desired, try to increase it */
4718 if(r.rlim_cur < (rlim_t)desired_max){
4719 if(desired_max<0){
4720 r.rlim_cur=r.rlim_max; /* Set maximum */
4721 }else{
4722 r.rlim_cur = MIN( (int)r.rlim_max, desired_max );
4723 }
4724 if (setrlimit(flag, &r))
4725 ; // netutil_debug("setrlimit(%d, %p) failed", flag, r);
4726 if (!getrlimit(flag, &r)) {
4727 maxfds = r.rlim_cur;
4728 return maxfds;
4729 }else {
4730 return 0;
4731 }
4732 }
4733 }
4734
4735 #endif /* (defined(RLIMIT_OFILE) || defined(RLIMIT_NOFILE)) */
4736 #endif /* !WIN32 */
4737 return 0;
4738 }
4739
4740
4741 /** Returns the open file descriptor limit for this process.
4742 * @return the number of max open descriptors or 0 in case of failure. */
get_max_open_descriptors()4743 int get_max_open_descriptors() {
4744 #ifndef WIN32
4745 struct rlimit r;
4746 int flag=0;
4747
4748 #if (defined(RLIMIT_OFILE) || defined(RLIMIT_NOFILE))
4749
4750 #ifdef RLIMIT_NOFILE
4751 flag=RLIMIT_NOFILE; /* Linux */
4752 #else
4753 flag=RLIMIT_OFILE; /* BSD */
4754 #endif
4755
4756 if (!getrlimit(flag, &r)) {
4757 return (int)r.rlim_cur;
4758 }
4759
4760 #endif /* (defined(RLIMIT_OFILE) || defined(RLIMIT_NOFILE)) */
4761 #endif /* !WIN32 */
4762 return 0;
4763 }
4764
4765
4766 /* Maximize the open file descriptor limit for this process go up to the
4767 max allowed */
max_sd()4768 int max_sd() {
4769 return set_max_open_descriptors(-1);
4770 }
4771