1 /* 2 * Copyright (c) 1983, 1988, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 3. Neither the name of the University nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 * @(#)input.c 8.1 (Berkeley) 6/5/93 30 * $FreeBSD: src/sbin/routed/input.c,v 1.7.2.1 2001/08/01 09:01:45 obrien Exp $ 31 */ 32 33 #include "defs.h" 34 35 static void input(struct sockaddr_in *, struct interface *, struct interface *, 36 struct rip *, int); 37 static void input_route(naddr, naddr, struct rt_spare *, struct netinfo *); 38 static int ck_passwd(struct interface *, struct rip *, void *, 39 naddr, struct msg_limit *); 40 41 42 /* process RIP input 43 */ 44 void 45 read_rip(int sock, 46 struct interface *sifp) 47 { 48 struct sockaddr_in from; 49 struct interface *aifp; 50 int cc; 51 socklen_t fromlen; 52 #ifdef USE_PASSIFNAME 53 static struct msg_limit bad_name; 54 struct { 55 char ifname[IFNAMSIZ]; 56 union pkt_buf pbuf; 57 } inbuf; 58 #else 59 struct { 60 union pkt_buf pbuf; 61 } inbuf; 62 #endif 63 64 65 for (;;) { 66 fromlen = sizeof(from); 67 cc = recvfrom(sock, &inbuf, sizeof(inbuf), 0, 68 (struct sockaddr*)&from, &fromlen); 69 if (cc <= 0) { 70 if (cc < 0 && errno != EWOULDBLOCK) 71 LOGERR("recvfrom(rip)"); 72 break; 73 } 74 if (fromlen != sizeof(struct sockaddr_in)) 75 logbad(1,"impossible recvfrom(rip) fromlen=%d", 76 fromlen); 77 78 /* aifp is the "authenticated" interface via which the packet 79 * arrived. In fact, it is only the interface on which 80 * the packet should have arrived based on is source 81 * address. 82 * sifp is interface associated with the socket through which 83 * the packet was received. 84 */ 85 #ifdef USE_PASSIFNAME 86 if ((cc -= sizeof(inbuf.ifname)) < 0) 87 logbad(0,"missing USE_PASSIFNAME; only %d bytes", 88 cc+sizeof(inbuf.ifname)); 89 90 /* check the remote interfaces first */ 91 for (aifp = remote_if; aifp; aifp = aifp->int_rlink) { 92 if (aifp->int_addr == from.sin_addr.s_addr) 93 break; 94 } 95 if (aifp == NULL) { 96 aifp = ifwithname(inbuf.ifname, 0); 97 if (aifp == NULL) { 98 msglim(&bad_name, from.sin_addr.s_addr, 99 "impossible interface name %.*s", 100 IFNAMSIZ, inbuf.ifname); 101 } else if (((aifp->int_if_flags & IFF_POINTOPOINT) 102 && aifp->int_dstaddr!=from.sin_addr.s_addr) 103 || (!(aifp->int_if_flags & IFF_POINTOPOINT) 104 && !on_net(from.sin_addr.s_addr, 105 aifp->int_net, 106 aifp->int_mask))) { 107 /* If it came via the wrong interface, do not 108 * trust it. 109 */ 110 aifp = NULL; 111 } 112 } 113 #else 114 aifp = iflookup(from.sin_addr.s_addr); 115 #endif 116 if (sifp == NULL) 117 sifp = aifp; 118 119 input(&from, sifp, aifp, &inbuf.pbuf.rip, cc); 120 } 121 } 122 123 124 /* Process a RIP packet 125 */ 126 static void 127 input(struct sockaddr_in *from, /* received from this IP address */ 128 struct interface *sifp, /* interface of incoming socket */ 129 struct interface *aifp, /* "authenticated" interface */ 130 struct rip *rip, 131 int cc) 132 { 133 # define FROM_NADDR from->sin_addr.s_addr 134 static struct msg_limit use_auth, bad_len, bad_mask; 135 static struct msg_limit unk_router, bad_router, bad_nhop; 136 137 struct rt_entry *rt; 138 struct rt_spare new; 139 struct netinfo *n, *lim; 140 struct interface *ifp1; 141 naddr gate, mask, v1_mask, dst, ddst_h = 0; 142 struct auth *ap; 143 struct tgate *tg = NULL; 144 struct tgate_net *tn; 145 int i, j; 146 147 /* Notice when we hear from a remote gateway 148 */ 149 if (aifp != NULL 150 && (aifp->int_state & IS_REMOTE)) 151 aifp->int_act_time = now.tv_sec; 152 153 trace_rip("Recv", "from", from, sifp, rip, cc); 154 155 if (rip->rip_vers == 0) { 156 msglim(&bad_router, FROM_NADDR, 157 "RIP version 0, cmd %d, packet received from %s", 158 rip->rip_cmd, naddr_ntoa(FROM_NADDR)); 159 return; 160 } else if (rip->rip_vers > RIPv2) { 161 rip->rip_vers = RIPv2; 162 } 163 if (cc > (int)OVER_MAXPACKETSIZE) { 164 msglim(&bad_router, FROM_NADDR, 165 "packet at least %d bytes too long received from %s", 166 cc-MAXPACKETSIZE, naddr_ntoa(FROM_NADDR)); 167 return; 168 } 169 170 n = rip->rip_nets; 171 lim = (struct netinfo *)((char*)rip + cc); 172 173 /* Notice authentication. 174 * As required by section 4.2 in RFC 1723, discard authenticated 175 * RIPv2 messages, but only if configured for that silliness. 176 * 177 * RIPv2 authentication is lame. Why authenticate queries? 178 * Why should a RIPv2 implementation with authentication disabled 179 * not be able to listen to RIPv2 packets with authentication, while 180 * RIPv1 systems will listen? Crazy! 181 */ 182 if (!auth_ok 183 && rip->rip_vers == RIPv2 184 && n < lim && n->n_family == RIP_AF_AUTH) { 185 msglim(&use_auth, FROM_NADDR, 186 "RIPv2 message with authentication from %s discarded", 187 naddr_ntoa(FROM_NADDR)); 188 return; 189 } 190 191 switch (rip->rip_cmd) { 192 case RIPCMD_REQUEST: 193 /* For mere requests, be a little sloppy about the source 194 */ 195 if (aifp == NULL) 196 aifp = sifp; 197 198 /* Are we talking to ourself or a remote gateway? 199 */ 200 ifp1 = ifwithaddr(FROM_NADDR, 0, 1); 201 if (ifp1) { 202 if (ifp1->int_state & IS_REMOTE) { 203 /* remote gateway */ 204 aifp = ifp1; 205 if (check_remote(aifp)) { 206 aifp->int_act_time = now.tv_sec; 207 if_ok(aifp, "remote "); 208 } 209 } else if (from->sin_port == htons(RIP_PORT)) { 210 trace_pkt(" discard our own RIP request"); 211 return; 212 } 213 } 214 215 /* did the request come from a router? 216 */ 217 if (from->sin_port == htons(RIP_PORT)) { 218 /* yes, ignore the request if RIP is off so that 219 * the router does not depend on us. 220 */ 221 if (rip_sock < 0 222 || (aifp != NULL 223 && IS_RIP_OUT_OFF(aifp->int_state))) { 224 trace_pkt(" discard request while RIP off"); 225 return; 226 } 227 } 228 229 /* According to RFC 1723, we should ignore unauthenticated 230 * queries. That is too silly to bother with. Sheesh! 231 * Are forwarding tables supposed to be secret, when 232 * a bad guy can infer them with test traffic? When RIP 233 * is still the most common router-discovery protocol 234 * and so hosts need to send queries that will be answered? 235 * What about `rtquery`? 236 * Maybe on firewalls you'd care, but not enough to 237 * give up the diagnostic facilities of remote probing. 238 */ 239 240 if (n >= lim) { 241 msglim(&bad_len, FROM_NADDR, "empty request from %s", 242 naddr_ntoa(FROM_NADDR)); 243 return; 244 } 245 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) { 246 msglim(&bad_len, FROM_NADDR, 247 "request of bad length (%d) from %s", 248 cc, naddr_ntoa(FROM_NADDR)); 249 } 250 251 if (rip->rip_vers == RIPv2 252 && (aifp == NULL || (aifp->int_state & IS_NO_RIPV1_OUT))) { 253 v12buf.buf->rip_vers = RIPv2; 254 /* If we have a secret but it is a cleartext secret, 255 * do not disclose our secret unless the other guy 256 * already knows it. 257 */ 258 ap = find_auth(aifp); 259 if (ap != NULL && ap->type == RIP_AUTH_PW 260 && n->n_family == RIP_AF_AUTH 261 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth)) 262 ap = NULL; 263 } else { 264 v12buf.buf->rip_vers = RIPv1; 265 ap = NULL; 266 } 267 clr_ws_buf(&v12buf, ap); 268 269 do { 270 n->n_metric = ntohl(n->n_metric); 271 272 /* A single entry with family RIP_AF_UNSPEC and 273 * metric HOPCNT_INFINITY means "all routes". 274 * We respond to routers only if we are acting 275 * as a supplier, or to anyone other than a router 276 * (i.e. a query). 277 */ 278 if (n->n_family == RIP_AF_UNSPEC 279 && n->n_metric == HOPCNT_INFINITY) { 280 /* Answer a query from a utility program 281 * with all we know. 282 */ 283 if (aifp == NULL) { 284 trace_pkt("ignore remote query"); 285 return; 286 } 287 if (from->sin_port != htons(RIP_PORT)) { 288 supply(from, aifp, OUT_QUERY, 0, 289 rip->rip_vers, ap != NULL); 290 return; 291 } 292 293 /* A router trying to prime its tables. 294 * Filter the answer in the about same way 295 * broadcasts are filtered. 296 * 297 * Only answer a router if we are a supplier 298 * to keep an unwary host that is just starting 299 * from picking us as a router. 300 */ 301 if (aifp == NULL) { 302 trace_pkt("ignore distant router"); 303 return; 304 } 305 if (!supplier 306 || IS_RIP_OFF(aifp->int_state)) { 307 trace_pkt("ignore; not supplying"); 308 return; 309 } 310 311 /* Do not answer a RIPv1 router if 312 * we are sending RIPv2. But do offer 313 * poor man's router discovery. 314 */ 315 if ((aifp->int_state & IS_NO_RIPV1_OUT) 316 && rip->rip_vers == RIPv1) { 317 if (!(aifp->int_state & IS_PM_RDISC)) { 318 trace_pkt("ignore; sending RIPv2"); 319 return; 320 } 321 322 v12buf.n->n_family = RIP_AF_INET; 323 v12buf.n->n_dst = RIP_DEFAULT; 324 i = aifp->int_d_metric; 325 if (NULL != (rt = rtget(RIP_DEFAULT, 0))) 326 i = MIN(i, (rt->rt_metric 327 +aifp->int_metric+1)); 328 v12buf.n->n_metric = htonl(i); 329 v12buf.n++; 330 break; 331 } 332 333 /* Respond with RIPv1 instead of RIPv2 if 334 * that is what we are broadcasting on the 335 * interface to keep the remote router from 336 * getting the wrong initial idea of the 337 * routes we send. 338 */ 339 supply(from, aifp, OUT_UNICAST, 0, 340 (aifp->int_state & IS_NO_RIPV1_OUT) 341 ? RIPv2 : RIPv1, 342 ap != NULL); 343 return; 344 } 345 346 /* Ignore authentication */ 347 if (n->n_family == RIP_AF_AUTH) 348 continue; 349 350 if (n->n_family != RIP_AF_INET) { 351 msglim(&bad_router, FROM_NADDR, 352 "request from %s for unsupported" 353 " (af %d) %s", 354 naddr_ntoa(FROM_NADDR), 355 ntohs(n->n_family), 356 naddr_ntoa(n->n_dst)); 357 return; 358 } 359 360 /* We are being asked about a specific destination. 361 */ 362 dst = n->n_dst; 363 if (!check_dst(dst)) { 364 msglim(&bad_router, FROM_NADDR, 365 "bad queried destination %s from %s", 366 naddr_ntoa(dst), 367 naddr_ntoa(FROM_NADDR)); 368 return; 369 } 370 371 /* decide what mask was intended */ 372 if (rip->rip_vers == RIPv1 373 || 0 == (mask = ntohl(n->n_mask)) 374 || 0 != (ntohl(dst) & ~mask)) 375 mask = ripv1_mask_host(dst, aifp); 376 377 /* try to find the answer */ 378 rt = rtget(dst, mask); 379 if (!rt && dst != RIP_DEFAULT) 380 rt = rtfind(n->n_dst); 381 382 if (v12buf.buf->rip_vers != RIPv1) 383 v12buf.n->n_mask = mask; 384 if (rt == NULL) { 385 /* we do not have the answer */ 386 v12buf.n->n_metric = HOPCNT_INFINITY; 387 } else { 388 /* we have the answer, so compute the 389 * right metric and next hop. 390 */ 391 v12buf.n->n_family = RIP_AF_INET; 392 v12buf.n->n_dst = dst; 393 v12buf.n->n_metric = (rt->rt_metric+1 394 + ((aifp!=NULL) 395 ? aifp->int_metric 396 : 1)); 397 if (v12buf.n->n_metric > HOPCNT_INFINITY) 398 v12buf.n->n_metric = HOPCNT_INFINITY; 399 if (v12buf.buf->rip_vers != RIPv1) { 400 v12buf.n->n_tag = rt->rt_tag; 401 v12buf.n->n_mask = mask; 402 if (aifp != NULL 403 && on_net(rt->rt_gate, 404 aifp->int_net, 405 aifp->int_mask) 406 && rt->rt_gate != aifp->int_addr) 407 v12buf.n->n_nhop = rt->rt_gate; 408 } 409 } 410 v12buf.n->n_metric = htonl(v12buf.n->n_metric); 411 412 /* Stop paying attention if we fill the output buffer. 413 */ 414 if (++v12buf.n >= v12buf.lim) 415 break; 416 } while (++n < lim); 417 418 /* Send the answer about specific routes. 419 */ 420 if (ap != NULL && ap->type == RIP_AUTH_MD5) 421 end_md5_auth(&v12buf, ap); 422 423 if (from->sin_port != htons(RIP_PORT)) { 424 /* query */ 425 output(OUT_QUERY, from, aifp, 426 v12buf.buf, 427 ((char *)v12buf.n - (char*)v12buf.buf)); 428 } else if (supplier) { 429 output(OUT_UNICAST, from, aifp, 430 v12buf.buf, 431 ((char *)v12buf.n - (char*)v12buf.buf)); 432 } else { 433 /* Only answer a router if we are a supplier 434 * to keep an unwary host that is just starting 435 * from picking us an a router. 436 */ 437 ; 438 } 439 return; 440 441 case RIPCMD_TRACEON: 442 case RIPCMD_TRACEOFF: 443 /* Notice that trace messages are turned off for all possible 444 * abuse if _PATH_TRACE is undefined in pathnames.h. 445 * Notice also that because of the way the trace file is 446 * handled in trace.c, no abuse is plausible even if 447 * _PATH_TRACE_ is defined. 448 * 449 * First verify message came from a privileged port. */ 450 if (ntohs(from->sin_port) > IPPORT_RESERVED) { 451 msglog("trace command from untrusted port on %s", 452 naddr_ntoa(FROM_NADDR)); 453 return; 454 } 455 if (aifp == NULL) { 456 msglog("trace command from unknown router %s", 457 naddr_ntoa(FROM_NADDR)); 458 return; 459 } 460 if (rip->rip_cmd == RIPCMD_TRACEON) { 461 rip->rip_tracefile[cc-4] = '\0'; 462 set_tracefile((char*)rip->rip_tracefile, 463 "trace command: %s\n", 0); 464 } else { 465 trace_off("tracing turned off by %s", 466 naddr_ntoa(FROM_NADDR)); 467 } 468 return; 469 470 case RIPCMD_RESPONSE: 471 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) { 472 msglim(&bad_len, FROM_NADDR, 473 "response of bad length (%d) from %s", 474 cc, naddr_ntoa(FROM_NADDR)); 475 } 476 477 /* verify message came from a router */ 478 if (from->sin_port != ntohs(RIP_PORT)) { 479 msglim(&bad_router, FROM_NADDR, 480 " discard RIP response from unknown port" 481 " %d on host %s", ntohs(from->sin_port), 482 naddr_ntoa(FROM_NADDR)); 483 return; 484 } 485 486 if (rip_sock < 0) { 487 trace_pkt(" discard response while RIP off"); 488 return; 489 } 490 491 /* Are we talking to ourself or a remote gateway? 492 */ 493 ifp1 = ifwithaddr(FROM_NADDR, 0, 1); 494 if (ifp1) { 495 if (ifp1->int_state & IS_REMOTE) { 496 /* remote gateway */ 497 aifp = ifp1; 498 if (check_remote(aifp)) { 499 aifp->int_act_time = now.tv_sec; 500 if_ok(aifp, "remote "); 501 } 502 } else { 503 trace_pkt(" discard our own RIP response"); 504 return; 505 } 506 } 507 508 /* Accept routing packets from routers directly connected 509 * via broadcast or point-to-point networks, and from 510 * those listed in /etc/gateways. 511 */ 512 if (aifp == NULL) { 513 msglim(&unk_router, FROM_NADDR, 514 " discard response from %s" 515 " via unexpected interface", 516 naddr_ntoa(FROM_NADDR)); 517 return; 518 } 519 if (IS_RIP_IN_OFF(aifp->int_state)) { 520 trace_pkt(" discard RIPv%d response" 521 " via disabled interface %s", 522 rip->rip_vers, aifp->int_name); 523 return; 524 } 525 526 if (n >= lim) { 527 msglim(&bad_len, FROM_NADDR, "empty response from %s", 528 naddr_ntoa(FROM_NADDR)); 529 return; 530 } 531 532 if (((aifp->int_state & IS_NO_RIPV1_IN) 533 && rip->rip_vers == RIPv1) 534 || ((aifp->int_state & IS_NO_RIPV2_IN) 535 && rip->rip_vers != RIPv1)) { 536 trace_pkt(" discard RIPv%d response", 537 rip->rip_vers); 538 return; 539 } 540 541 /* Ignore routes via dead interface. 542 */ 543 if (aifp->int_state & IS_BROKE) { 544 trace_pkt("discard response via broken interface %s", 545 aifp->int_name); 546 return; 547 } 548 549 /* If the interface cares, ignore bad routers. 550 * Trace but do not log this problem, because where it 551 * happens, it happens frequently. 552 */ 553 if (aifp->int_state & IS_DISTRUST) { 554 tg = tgates; 555 while (tg->tgate_addr != FROM_NADDR) { 556 tg = tg->tgate_next; 557 if (tg == NULL) { 558 trace_pkt(" discard RIP response" 559 " from untrusted router %s", 560 naddr_ntoa(FROM_NADDR)); 561 return; 562 } 563 } 564 } 565 566 /* Authenticate the packet if we have a secret. 567 * If we do not have any secrets, ignore the error in 568 * RFC 1723 and accept it regardless. 569 */ 570 if (aifp->int_auth[0].type != RIP_AUTH_NONE 571 && rip->rip_vers != RIPv1 572 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth)) 573 return; 574 575 do { 576 if (n->n_family == RIP_AF_AUTH) 577 continue; 578 579 n->n_metric = ntohl(n->n_metric); 580 dst = n->n_dst; 581 if (n->n_family != RIP_AF_INET 582 && (n->n_family != RIP_AF_UNSPEC 583 || dst != RIP_DEFAULT)) { 584 msglim(&bad_router, FROM_NADDR, 585 "route from %s to unsupported" 586 " address family=%d destination=%s", 587 naddr_ntoa(FROM_NADDR), 588 n->n_family, 589 naddr_ntoa(dst)); 590 continue; 591 } 592 if (!check_dst(dst)) { 593 msglim(&bad_router, FROM_NADDR, 594 "bad destination %s from %s", 595 naddr_ntoa(dst), 596 naddr_ntoa(FROM_NADDR)); 597 return; 598 } 599 if (n->n_metric == 0 600 || n->n_metric > HOPCNT_INFINITY) { 601 msglim(&bad_router, FROM_NADDR, 602 "bad metric %d from %s" 603 " for destination %s", 604 n->n_metric, 605 naddr_ntoa(FROM_NADDR), 606 naddr_ntoa(dst)); 607 return; 608 } 609 610 /* Notice the next-hop. 611 */ 612 gate = FROM_NADDR; 613 if (n->n_nhop != 0) { 614 if (rip->rip_vers == RIPv1) { 615 n->n_nhop = 0; 616 } else { 617 /* Use it only if it is valid. */ 618 if (on_net(n->n_nhop, 619 aifp->int_net, aifp->int_mask) 620 && check_dst(n->n_nhop)) { 621 gate = n->n_nhop; 622 } else { 623 msglim(&bad_nhop, FROM_NADDR, 624 "router %s to %s" 625 " has bad next hop %s", 626 naddr_ntoa(FROM_NADDR), 627 naddr_ntoa(dst), 628 naddr_ntoa(n->n_nhop)); 629 n->n_nhop = 0; 630 } 631 } 632 } 633 634 if (rip->rip_vers == RIPv1 635 || 0 == (mask = ntohl(n->n_mask))) { 636 mask = ripv1_mask_host(dst,aifp); 637 } else if ((ntohl(dst) & ~mask) != 0) { 638 msglim(&bad_mask, FROM_NADDR, 639 "router %s sent bad netmask" 640 " %#lx with %s", 641 naddr_ntoa(FROM_NADDR), 642 (u_long)mask, 643 naddr_ntoa(dst)); 644 continue; 645 } 646 if (rip->rip_vers == RIPv1) 647 n->n_tag = 0; 648 649 /* Adjust metric according to incoming interface.. 650 */ 651 n->n_metric += aifp->int_metric; 652 if (n->n_metric > HOPCNT_INFINITY) 653 n->n_metric = HOPCNT_INFINITY; 654 655 /* Should we trust this route from this router? */ 656 if (tg && (tn = tg->tgate_nets)->mask != 0) { 657 for (i = 0; i < MAX_TGATE_NETS; i++, tn++) { 658 if (on_net(dst, tn->net, tn->mask) 659 && tn->mask <= mask) 660 break; 661 } 662 if (i >= MAX_TGATE_NETS || tn->mask == 0) { 663 trace_pkt(" ignored unauthorized %s", 664 addrname(dst,mask,0)); 665 continue; 666 } 667 } 668 669 /* Recognize and ignore a default route we faked 670 * which is being sent back to us by a machine with 671 * broken split-horizon. 672 * Be a little more paranoid than that, and reject 673 * default routes with the same metric we advertised. 674 */ 675 if (aifp->int_d_metric != 0 676 && dst == RIP_DEFAULT 677 && (int)n->n_metric >= aifp->int_d_metric) 678 continue; 679 680 /* We can receive aggregated RIPv2 routes that must 681 * be broken down before they are transmitted by 682 * RIPv1 via an interface on a subnet. 683 * We might also receive the same routes aggregated 684 * via other RIPv2 interfaces. 685 * This could cause duplicate routes to be sent on 686 * the RIPv1 interfaces. "Longest matching variable 687 * length netmasks" lets RIPv2 listeners understand, 688 * but breaking down the aggregated routes for RIPv1 689 * listeners can produce duplicate routes. 690 * 691 * Breaking down aggregated routes here bloats 692 * the daemon table, but does not hurt the kernel 693 * table, since routes are always aggregated for 694 * the kernel. 695 * 696 * Notice that this does not break down network 697 * routes corresponding to subnets. This is part 698 * of the defense against RS_NET_SYN. 699 */ 700 if (have_ripv1_out 701 && (((rt = rtget(dst,mask)) == NULL 702 || !(rt->rt_state & RS_NET_SYN))) 703 && (v1_mask = ripv1_mask_net(dst,0)) > mask) { 704 ddst_h = v1_mask & -v1_mask; 705 i = (v1_mask & ~mask)/ddst_h; 706 if (i >= 511) { 707 /* Punt if we would have to generate 708 * an unreasonable number of routes. 709 */ 710 if (TRACECONTENTS) 711 trace_misc("accept %s-->%s as 1" 712 " instead of %d routes", 713 addrname(dst,mask,0), 714 naddr_ntoa(FROM_NADDR), 715 i+1); 716 i = 0; 717 } else { 718 mask = v1_mask; 719 } 720 } else { 721 i = 0; 722 } 723 724 new.rts_gate = gate; 725 new.rts_router = FROM_NADDR; 726 new.rts_metric = n->n_metric; 727 new.rts_tag = n->n_tag; 728 new.rts_time = now.tv_sec; 729 new.rts_ifp = aifp; 730 new.rts_de_ag = i; 731 j = 0; 732 for (;;) { 733 input_route(dst, mask, &new, n); 734 if (++j > i) 735 break; 736 dst = htonl(ntohl(dst) + ddst_h); 737 } 738 } while (++n < lim); 739 break; 740 } 741 #undef FROM_NADDR 742 } 743 744 745 /* Process a single input route. 746 */ 747 static void 748 input_route(naddr dst, /* network order */ 749 naddr mask, 750 struct rt_spare *new, 751 struct netinfo *n) 752 { 753 int i; 754 struct rt_entry *rt; 755 struct rt_spare *rts, *rts0; 756 struct interface *ifp1; 757 758 759 /* See if the other guy is telling us to send our packets to him. 760 * Sometimes network routes arrive over a point-to-point link for 761 * the network containing the address(es) of the link. 762 * 763 * If our interface is broken, switch to using the other guy. 764 */ 765 ifp1 = ifwithaddr(dst, 1, 1); 766 if (ifp1 != NULL 767 && (!(ifp1->int_state & IS_BROKE) 768 || (ifp1->int_state & IS_PASSIVE))) 769 return; 770 771 /* Look for the route in our table. 772 */ 773 rt = rtget(dst, mask); 774 775 /* Consider adding the route if we do not already have it. 776 */ 777 if (rt == NULL) { 778 /* Ignore unknown routes being poisoned. 779 */ 780 if (new->rts_metric == HOPCNT_INFINITY) 781 return; 782 783 /* Ignore the route if it points to us */ 784 if (n->n_nhop != 0 785 && 0 != ifwithaddr(n->n_nhop, 1, 0)) 786 return; 787 788 /* If something has not gone crazy and tried to fill 789 * our memory, accept the new route. 790 */ 791 if (total_routes < MAX_ROUTES) 792 rtadd(dst, mask, 0, new); 793 return; 794 } 795 796 /* We already know about the route. Consider this update. 797 * 798 * If (rt->rt_state & RS_NET_SYN), then this route 799 * is the same as a network route we have inferred 800 * for subnets we know, in order to tell RIPv1 routers 801 * about the subnets. 802 * 803 * It is impossible to tell if the route is coming 804 * from a distant RIPv2 router with the standard 805 * netmask because that router knows about the entire 806 * network, or if it is a round-about echo of a 807 * synthetic, RIPv1 network route of our own. 808 * The worst is that both kinds of routes might be 809 * received, and the bad one might have the smaller 810 * metric. Partly solve this problem by never 811 * aggregating into such a route. Also keep it 812 * around as long as the interface exists. 813 */ 814 815 rts0 = rt->rt_spares; 816 for (rts = rts0, i = NUM_SPARES; i != 0; i--, rts++) { 817 if (rts->rts_router == new->rts_router) 818 break; 819 /* Note the worst slot to reuse, 820 * other than the current slot. 821 */ 822 if (rts0 == rt->rt_spares 823 || BETTER_LINK(rt, rts0, rts)) 824 rts0 = rts; 825 } 826 if (i != 0) { 827 /* Found a route from the router already in the table. 828 */ 829 830 /* If the new route is a route broken down from an 831 * aggregated route, and if the previous route is either 832 * not a broken down route or was broken down from a finer 833 * netmask, and if the previous route is current, 834 * then forget this one. 835 */ 836 if (new->rts_de_ag > rts->rts_de_ag 837 && now_stale <= rts->rts_time) 838 return; 839 840 /* Keep poisoned routes around only long enough to pass 841 * the poison on. Use a new timestamp for good routes. 842 */ 843 if (rts->rts_metric == HOPCNT_INFINITY 844 && new->rts_metric == HOPCNT_INFINITY) 845 new->rts_time = rts->rts_time; 846 847 /* If this is an update for the router we currently prefer, 848 * then note it. 849 */ 850 if (i == NUM_SPARES) { 851 rtchange(rt, rt->rt_state, new, 0); 852 /* If the route got worse, check for something better. 853 */ 854 if (new->rts_metric > rts->rts_metric) 855 rtswitch(rt, 0); 856 return; 857 } 858 859 /* This is an update for a spare route. 860 * Finished if the route is unchanged. 861 */ 862 if (rts->rts_gate == new->rts_gate 863 && rts->rts_metric == new->rts_metric 864 && rts->rts_tag == new->rts_tag) { 865 trace_upslot(rt, rts, new); 866 *rts = *new; 867 return; 868 } 869 /* Forget it if it has gone bad. 870 */ 871 if (new->rts_metric == HOPCNT_INFINITY) { 872 rts_delete(rt, rts); 873 return; 874 } 875 876 } else { 877 /* The update is for a route we know about, 878 * but not from a familiar router. 879 * 880 * Ignore the route if it points to us. 881 */ 882 if (n->n_nhop != 0 883 && 0 != ifwithaddr(n->n_nhop, 1, 0)) 884 return; 885 886 /* the loop above set rts0=worst spare */ 887 rts = rts0; 888 889 /* Save the route as a spare only if it has 890 * a better metric than our worst spare. 891 * This also ignores poisoned routes (those 892 * received with metric HOPCNT_INFINITY). 893 */ 894 if (new->rts_metric >= rts->rts_metric) 895 return; 896 } 897 898 trace_upslot(rt, rts, new); 899 *rts = *new; 900 901 /* try to switch to a better route */ 902 rtswitch(rt, rts); 903 } 904 905 906 static int /* 0 if bad */ 907 ck_passwd(struct interface *aifp, 908 struct rip *rip, 909 void *lim, 910 naddr from, 911 struct msg_limit *use_authp) 912 { 913 # define NA (rip->rip_auths) 914 struct netauth *na2; 915 struct auth *ap; 916 MD5_CTX md5_ctx; 917 u_char hash[RIP_AUTH_PW_LEN]; 918 int i, len; 919 920 921 if ((void *)NA >= lim || NA->a_family != RIP_AF_AUTH) { 922 msglim(use_authp, from, "missing password from %s", 923 naddr_ntoa(from)); 924 return 0; 925 } 926 927 /* accept any current (+/- 24 hours) password 928 */ 929 for (ap = aifp->int_auth, i = 0; i < MAX_AUTH_KEYS; i++, ap++) { 930 if (ap->type != NA->a_type 931 || (u_long)ap->start > (u_long)clk.tv_sec+DAY 932 || (u_long)ap->end+DAY < (u_long)clk.tv_sec) 933 continue; 934 935 if (NA->a_type == RIP_AUTH_PW) { 936 if (!memcmp(NA->au.au_pw, ap->key, RIP_AUTH_PW_LEN)) 937 return 1; 938 939 } else { 940 /* accept MD5 secret with the right key ID 941 */ 942 if (NA->au.a_md5.md5_keyid != ap->keyid) 943 continue; 944 945 len = ntohs(NA->au.a_md5.md5_pkt_len); 946 if ((len-sizeof(*rip)) % sizeof(*NA) != 0 947 || len != (char *)lim-(char*)rip-(int)sizeof(*NA)) { 948 msglim(use_authp, from, 949 "wrong MD5 RIPv2 packet length of %d" 950 " instead of %d from %s", 951 len, (int)((char *)lim-(char *)rip 952 -sizeof(*NA)), 953 naddr_ntoa(from)); 954 return 0; 955 } 956 na2 = (struct netauth *)((char *)rip+len); 957 958 /* Given a good hash value, these are not security 959 * problems so be generous and accept the routes, 960 * after complaining. 961 */ 962 if (TRACEPACKETS) { 963 if (NA->au.a_md5.md5_auth_len 964 != RIP_AUTH_MD5_LEN) 965 msglim(use_authp, from, 966 "unknown MD5 RIPv2 auth len %#x" 967 " instead of %#x from %s", 968 NA->au.a_md5.md5_auth_len, 969 RIP_AUTH_MD5_LEN, 970 naddr_ntoa(from)); 971 if (na2->a_family != RIP_AF_AUTH) 972 msglim(use_authp, from, 973 "unknown MD5 RIPv2 family %#x" 974 " instead of %#x from %s", 975 na2->a_family, RIP_AF_AUTH, 976 naddr_ntoa(from)); 977 if (na2->a_type != ntohs(1)) 978 msglim(use_authp, from, 979 "MD5 RIPv2 hash has %#x" 980 " instead of %#x from %s", 981 na2->a_type, ntohs(1), 982 naddr_ntoa(from)); 983 } 984 985 MD5_Init(&md5_ctx); 986 MD5_Update(&md5_ctx, (u_char *)rip, len); 987 MD5_Update(&md5_ctx, ap->key, RIP_AUTH_MD5_LEN); 988 MD5_Final(hash, &md5_ctx); 989 if (!memcmp(hash, na2->au.au_pw, sizeof(hash))) 990 return 1; 991 } 992 } 993 994 msglim(use_authp, from, "bad password from %s", 995 naddr_ntoa(from)); 996 return 0; 997 #undef NA 998 } 999