1 /* 2 * Routine to disable IP-level socket options. This code was taken from 4.4BSD 3 * rlogind and kernel source, but all mistakes in it are my fault. 4 * 5 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. 6 * 7 * $FreeBSD: src/contrib/tcp_wrappers/fix_options.c,v 1.2 2000/02/03 10:26:57 shin Exp $ 8 */ 9 10 #include <sys/types.h> 11 #include <sys/param.h> 12 #ifdef INET6 13 #include <sys/socket.h> 14 #endif 15 #include <netinet/in.h> 16 #include <netinet/in_systm.h> 17 #include <netinet/ip.h> 18 #include <netdb.h> 19 #include <stdio.h> 20 #include <syslog.h> 21 22 #ifndef IPOPT_OPTVAL 23 #define IPOPT_OPTVAL 0 24 #define IPOPT_OLEN 1 25 #endif 26 27 #include "tcpd.h" 28 29 #define BUFFER_SIZE 512 /* Was: BUFSIZ */ 30 31 /* fix_options - get rid of IP-level socket options */ 32 33 void 34 fix_options(request) 35 struct request_info *request; 36 { 37 #ifdef IP_OPTIONS 38 unsigned char optbuf[BUFFER_SIZE / 3], *cp; 39 char lbuf[BUFFER_SIZE], *lp; 40 int optsize = sizeof(optbuf), ipproto; 41 struct protoent *ip; 42 int fd = request->fd; 43 unsigned int opt; 44 int optlen; 45 struct in_addr dummy; 46 #ifdef INET6 47 struct sockaddr_storage ss; 48 int sslen; 49 50 /* 51 * check if this is AF_INET socket 52 * XXX IPv6 support? 53 */ 54 sslen = sizeof(ss); 55 if (getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0) { 56 syslog(LOG_ERR, "getpeername: %m"); 57 clean_exit(request); 58 } 59 if (ss.ss_family != AF_INET) 60 return; 61 #endif 62 63 if ((ip = getprotobyname("ip")) != 0) 64 ipproto = ip->p_proto; 65 else 66 ipproto = IPPROTO_IP; 67 68 if (getsockopt(fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0 69 && optsize != 0) { 70 71 /* 72 * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination 73 * address to the result IP options list when source routing options 74 * are present (see <netinet/ip_var.h>), but produces no output for 75 * other IP options. Solaris 2.x getsockopt() does produce output for 76 * non-routing IP options, and uses the same format as BSD even when 77 * the space for the destination address is unused. The code below 78 * does the right thing with 4.[34]BSD derivatives and Solaris 2, but 79 * may occasionally miss source routing options on incompatible 80 * systems such as Linux. Their choice. 81 * 82 * Look for source routing options. Drop the connection when one is 83 * found. Just wiping the IP options is insufficient: we would still 84 * help the attacker by providing a real TCP sequence number, and the 85 * attacker would still be able to send packets (blind spoofing). I 86 * discussed this attack with Niels Provos, half a year before the 87 * attack was described in open mailing lists. 88 * 89 * It would be cleaner to just return a yes/no reply and let the caller 90 * decide how to deal with it. Resident servers should not terminate. 91 * However I am not prepared to make changes to internal interfaces 92 * on short notice. 93 */ 94 #define ADDR_LEN sizeof(dummy.s_addr) 95 96 for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) { 97 opt = cp[IPOPT_OPTVAL]; 98 if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) { 99 syslog(LOG_WARNING, 100 "refused connect from %s with IP source routing options", 101 eval_client(request)); 102 shutdown(fd, 2); 103 return; 104 } 105 if (opt == IPOPT_EOL) 106 break; 107 if (opt == IPOPT_NOP) { 108 optlen = 1; 109 } else { 110 optlen = cp[IPOPT_OLEN]; 111 if (optlen <= 0) /* Do not loop! */ 112 break; 113 } 114 } 115 lp = lbuf; 116 for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3) 117 sprintf(lp, " %2.2x", *cp); 118 syslog(LOG_NOTICE, 119 "connect from %s with IP options (ignored):%s", 120 eval_client(request), lbuf); 121 if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) { 122 syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m"); 123 shutdown(fd, 2); 124 } 125 } 126 #endif 127 } 128