1 /*- 2 * Copyright (c) 2001 Charles Mott <cm@linktel.net> 3 * All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 14 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND 15 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 17 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 18 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 19 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 20 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 21 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 22 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 23 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 24 * SUCH DAMAGE. 25 * 26 * $FreeBSD: src/lib/libalias/alias_irc.c,v 1.5.2.5 2001/11/03 11:34:33 brian Exp $ 27 * $DragonFly: src/lib/libalias/alias_irc.c,v 1.3 2004/08/20 00:08:17 joerg Exp $ 28 */ 29 30 /* Alias_irc.c intercepts packages contain IRC CTCP commands, and 31 changes DCC commands to export a port on the aliasing host instead 32 of an aliased host. 33 34 For this routine to work, the DCC command must fit entirely into a 35 single TCP packet. This will usually happen, but is not 36 guaranteed. 37 38 The interception is likely to change the length of the packet. 39 The handling of this is copied more-or-less verbatim from 40 ftp_alias.c 41 42 Initial version: Eivind Eklund <perhaps@yes.no> (ee) 97-01-29 43 44 Version 2.1: May, 1997 (cjm) 45 Very minor changes to conform with 46 local/global/function naming conventions 47 withing the packet alising module. 48 */ 49 50 /* Includes */ 51 #include <sys/param.h> 52 #include <ctype.h> 53 #include <stdio.h> 54 #include <string.h> 55 #include <netinet/in_systm.h> 56 #include <netinet/in.h> 57 #include <netinet/ip.h> 58 #include <netinet/tcp.h> 59 #include <limits.h> 60 61 #include "alias_local.h" 62 63 /* Local defines */ 64 #define DBprintf(a) 65 66 67 void 68 AliasHandleIrcOut(struct ip *pip, /* IP packet to examine */ 69 struct alias_link *link, /* Which link are we on? */ 70 int maxsize /* Maximum size of IP packet including headers */ 71 ) 72 { 73 int hlen, tlen, dlen; 74 struct in_addr true_addr; 75 u_short true_port; 76 char *sptr; 77 struct tcphdr *tc; 78 int i; /* Iterator through the source */ 79 80 /* Calculate data length of TCP packet */ 81 tc = (struct tcphdr *) ((char *) pip + (pip->ip_hl << 2)); 82 hlen = (pip->ip_hl + tc->th_off) << 2; 83 tlen = ntohs(pip->ip_len); 84 dlen = tlen - hlen; 85 86 /* Return if data length is too short - assume an entire PRIVMSG in each packet. */ 87 if (dlen<sizeof(":A!a@n.n PRIVMSG A :aDCC 1 1a")-1) 88 return; 89 90 /* Place string pointer at beginning of data */ 91 sptr = (char *) pip; 92 sptr += hlen; 93 maxsize -= hlen; /* We're interested in maximum size of data, not packet */ 94 95 /* Search for a CTCP command [Note 1] */ 96 for( i=0; i<dlen; i++ ) { 97 if(sptr[i]=='\001') 98 goto lFOUND_CTCP; 99 } 100 return; /* No CTCP commands in */ 101 /* Handle CTCP commands - the buffer may have to be copied */ 102 lFOUND_CTCP: 103 { 104 char newpacket[65536]; /* Estimate of maximum packet size :) */ 105 int copyat = i; /* Same */ 106 int iCopy = 0; /* How much data have we written to copy-back string? */ 107 unsigned long org_addr; /* Original IP address */ 108 unsigned short org_port; /* Original source port address */ 109 lCTCP_START: 110 if( i >= dlen || iCopy >= sizeof(newpacket) ) 111 goto lPACKET_DONE; 112 newpacket[iCopy++] = sptr[i++]; /* Copy the CTCP start character */ 113 /* Start of a CTCP */ 114 if( i+4 >= dlen ) /* Too short for DCC */ 115 goto lBAD_CTCP; 116 if( sptr[i+0] != 'D' ) 117 goto lBAD_CTCP; 118 if( sptr[i+1] != 'C' ) 119 goto lBAD_CTCP; 120 if( sptr[i+2] != 'C' ) 121 goto lBAD_CTCP; 122 if( sptr[i+3] != ' ' ) 123 goto lBAD_CTCP; 124 /* We have a DCC command - handle it! */ 125 i+= 4; /* Skip "DCC " */ 126 if( iCopy+4 > sizeof(newpacket) ) 127 goto lPACKET_DONE; 128 newpacket[iCopy++] = 'D'; 129 newpacket[iCopy++] = 'C'; 130 newpacket[iCopy++] = 'C'; 131 newpacket[iCopy++] = ' '; 132 133 DBprintf(("Found DCC\n")); 134 /* Skip any extra spaces (should not occur according to 135 protocol, but DCC breaks CTCP protocol anyway */ 136 while(sptr[i] == ' ') { 137 if( ++i >= dlen) { 138 DBprintf(("DCC packet terminated in just spaces\n")); 139 goto lPACKET_DONE; 140 } 141 } 142 143 DBprintf(("Transferring command...\n")); 144 while(sptr[i] != ' ') { 145 newpacket[iCopy++] = sptr[i]; 146 if( ++i >= dlen || iCopy >= sizeof(newpacket) ) { 147 DBprintf(("DCC packet terminated during command\n")); 148 goto lPACKET_DONE; 149 } 150 } 151 /* Copy _one_ space */ 152 if( i+1 < dlen && iCopy < sizeof(newpacket) ) 153 newpacket[iCopy++] = sptr[i++]; 154 155 DBprintf(("Done command - removing spaces\n")); 156 /* Skip any extra spaces (should not occur according to 157 protocol, but DCC breaks CTCP protocol anyway */ 158 while(sptr[i] == ' ') { 159 if( ++i >= dlen ) { 160 DBprintf(("DCC packet terminated in just spaces (post-command)\n")); 161 goto lPACKET_DONE; 162 } 163 } 164 165 DBprintf(("Transferring filename...\n")); 166 while(sptr[i] != ' ') { 167 newpacket[iCopy++] = sptr[i]; 168 if( ++i >= dlen || iCopy >= sizeof(newpacket) ) { 169 DBprintf(("DCC packet terminated during filename\n")); 170 goto lPACKET_DONE; 171 } 172 } 173 /* Copy _one_ space */ 174 if( i+1 < dlen && iCopy < sizeof(newpacket) ) 175 newpacket[iCopy++] = sptr[i++]; 176 177 DBprintf(("Done filename - removing spaces\n")); 178 /* Skip any extra spaces (should not occur according to 179 protocol, but DCC breaks CTCP protocol anyway */ 180 while(sptr[i] == ' ') { 181 if( ++i >= dlen ) { 182 DBprintf(("DCC packet terminated in just spaces (post-filename)\n")); 183 goto lPACKET_DONE; 184 } 185 } 186 187 DBprintf(("Fetching IP address\n")); 188 /* Fetch IP address */ 189 org_addr = 0; 190 while(i<dlen && isdigit(sptr[i])) { 191 if( org_addr > ULONG_MAX/10UL ) { /* Terminate on overflow */ 192 DBprintf(("DCC Address overflow (org_addr == 0x%08lx, next char %c\n", org_addr, sptr[i])); 193 goto lBAD_CTCP; 194 } 195 org_addr *= 10; 196 org_addr += sptr[i++]-'0'; 197 } 198 DBprintf(("Skipping space\n")); 199 if( i+1 >= dlen || sptr[i] != ' ' ) { 200 DBprintf(("Overflow (%d >= %d) or bad character (%02x) terminating IP address\n", i+1, dlen, sptr[i])); 201 goto lBAD_CTCP; 202 } 203 /* Skip any extra spaces (should not occur according to 204 protocol, but DCC breaks CTCP protocol anyway, so we might 205 as well play it safe */ 206 while(sptr[i] == ' ') { 207 if( ++i >= dlen ) { 208 DBprintf(("Packet failure - space overflow.\n")); 209 goto lPACKET_DONE; 210 } 211 } 212 DBprintf(("Fetching port number\n")); 213 /* Fetch source port */ 214 org_port = 0; 215 while(i<dlen && isdigit(sptr[i])) { 216 if( org_port > 6554 ) { /* Terminate on overflow (65536/10 rounded up*/ 217 DBprintf(("DCC: port number overflow\n")); 218 goto lBAD_CTCP; 219 } 220 org_port *= 10; 221 org_port += sptr[i++]-'0'; 222 } 223 /* Skip illegal addresses (or early termination) */ 224 if( i >= dlen || (sptr[i] != '\001' && sptr[i] != ' ') ) { 225 DBprintf(("Bad port termination\n")); 226 goto lBAD_CTCP; 227 } 228 DBprintf(("Got IP %lu and port %u\n", org_addr, (unsigned)org_port)); 229 230 /* We've got the address and port - now alias it */ 231 { 232 struct alias_link *dcc_link; 233 struct in_addr destaddr; 234 235 236 true_port = htons(org_port); 237 true_addr.s_addr = htonl(org_addr); 238 destaddr.s_addr = 0; 239 240 /* Sanity/Security checking */ 241 if (!org_addr || !org_port || 242 pip->ip_src.s_addr != true_addr.s_addr || 243 org_port < IPPORT_RESERVED) 244 goto lBAD_CTCP; 245 246 /* Steal the FTP_DATA_PORT - it doesn't really matter, and this 247 would probably allow it through at least _some_ 248 firewalls. */ 249 dcc_link = FindUdpTcpOut(true_addr, destaddr, 250 true_port, 0, 251 IPPROTO_TCP, 1); 252 DBprintf(("Got a DCC link\n")); 253 if ( dcc_link ) { 254 struct in_addr alias_address; /* Address from aliasing */ 255 u_short alias_port; /* Port given by aliasing */ 256 257 #ifndef NO_FW_PUNCH 258 /* Generate firewall hole as appropriate */ 259 PunchFWHole(dcc_link); 260 #endif 261 262 alias_address = GetAliasAddress(link); 263 iCopy += snprintf(&newpacket[iCopy], 264 sizeof(newpacket)-iCopy, 265 "%lu ", (u_long)htonl(alias_address.s_addr)); 266 if( iCopy >= sizeof(newpacket) ) { /* Truncated/fit exactly - bad news */ 267 DBprintf(("DCC constructed packet overflow.\n")); 268 goto lBAD_CTCP; 269 } 270 alias_port = GetAliasPort(dcc_link); 271 iCopy += snprintf(&newpacket[iCopy], 272 sizeof(newpacket)-iCopy, 273 "%u", htons(alias_port) ); 274 /* Done - truncated cases will be taken care of by lBAD_CTCP */ 275 DBprintf(("Aliased IP %lu and port %u\n", alias_address.s_addr, (unsigned)alias_port)); 276 } 277 } 278 /* An uninteresting CTCP - state entered right after '\001' has 279 been pushed. Also used to copy the rest of a DCC, after IP 280 address and port has been handled */ 281 lBAD_CTCP: 282 for(; i<dlen && iCopy<sizeof(newpacket); i++,iCopy++) { 283 newpacket[iCopy] = sptr[i]; /* Copy CTCP unchanged */ 284 if(sptr[i] == '\001') { 285 goto lNORMAL_TEXT; 286 } 287 } 288 goto lPACKET_DONE; 289 /* Normal text */ 290 lNORMAL_TEXT: 291 for(; i<dlen && iCopy<sizeof(newpacket); i++,iCopy++) { 292 newpacket[iCopy] = sptr[i]; /* Copy CTCP unchanged */ 293 if(sptr[i] == '\001') { 294 goto lCTCP_START; 295 } 296 } 297 /* Handle the end of a packet */ 298 lPACKET_DONE: 299 iCopy = iCopy > maxsize-copyat ? maxsize-copyat : iCopy; 300 memcpy(sptr+copyat, newpacket, iCopy); 301 302 /* Save information regarding modified seq and ack numbers */ 303 { 304 int delta; 305 306 SetAckModified(link); 307 delta = GetDeltaSeqOut(pip, link); 308 AddSeq(pip, link, delta+copyat+iCopy-dlen); 309 } 310 311 /* Revise IP header */ 312 { 313 u_short new_len; 314 315 new_len = htons(hlen + iCopy + copyat); 316 DifferentialChecksum(&pip->ip_sum, 317 &new_len, 318 &pip->ip_len, 319 1); 320 pip->ip_len = new_len; 321 } 322 323 /* Compute TCP checksum for revised packet */ 324 tc->th_sum = 0; 325 tc->th_sum = TcpChecksum(pip); 326 return; 327 } 328 } 329 330 /* Notes: 331 [Note 1] 332 The initial search will most often fail; it could be replaced with a 32-bit specific search. 333 Such a search would be done for 32-bit unsigned value V: 334 V ^= 0x01010101; (Search is for null bytes) 335 if( ((V-0x01010101)^V) & 0x80808080 ) { 336 (found a null bytes which was a 01 byte) 337 } 338 To assert that the processor is 32-bits, do 339 extern int ircdccar[32]; (32 bits) 340 extern int ircdccar[CHAR_BIT*sizeof(unsigned int)]; 341 which will generate a type-error on all but 32-bit machines. 342 343 [Note 2] This routine really ought to be replaced with one that 344 creates a transparent proxy on the aliasing host, to allow arbitary 345 changes in the TCP stream. This should not be too difficult given 346 this base; I (ee) will try to do this some time later. 347 */ 348