1 /* 2 * Copyright (c) 1983, 1988, 1993 3 * The Regents of the University of California. All rights reserved. 4 * 5 * Redistribution and use in source and binary forms, with or without 6 * modification, are permitted provided that the following conditions 7 * are met: 8 * 1. Redistributions of source code must retain the above copyright 9 * notice, this list of conditions and the following disclaimer. 10 * 2. Redistributions in binary form must reproduce the above copyright 11 * notice, this list of conditions and the following disclaimer in the 12 * documentation and/or other materials provided with the distribution. 13 * 4. Neither the name of the University nor the names of its contributors 14 * may be used to endorse or promote products derived from this software 15 * without specific prior written permission. 16 * 17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 27 * SUCH DAMAGE. 28 * 29 * $FreeBSD$ 30 */ 31 32 #include "defs.h" 33 34 #ifdef __NetBSD__ 35 __RCSID("$NetBSD$"); 36 #elif defined(__FreeBSD__) 37 __RCSID("$FreeBSD$"); 38 #else 39 __RCSID("$Revision: 2.26 $"); 40 #ident "$Revision: 2.26 $" 41 #endif 42 43 static void input(struct sockaddr_in *, struct interface *, struct interface *, 44 struct rip *, int); 45 static void input_route(naddr, naddr, struct rt_spare *, struct netinfo *); 46 static int ck_passwd(struct interface *, struct rip *, void *, 47 naddr, struct msg_limit *); 48 49 50 /* process RIP input 51 */ 52 void 53 read_rip(int sock, 54 struct interface *sifp) 55 { 56 struct sockaddr_in from; 57 struct interface *aifp; 58 socklen_t fromlen; 59 int cc; 60 #ifdef USE_PASSIFNAME 61 static struct msg_limit bad_name; 62 struct { 63 char ifname[IFNAMSIZ]; 64 union pkt_buf pbuf; 65 } inbuf; 66 #else 67 struct { 68 union pkt_buf pbuf; 69 } inbuf; 70 #endif 71 72 73 for (;;) { 74 fromlen = sizeof(from); 75 cc = recvfrom(sock, &inbuf, sizeof(inbuf), 0, 76 (struct sockaddr*)&from, &fromlen); 77 if (cc <= 0) { 78 if (cc < 0 && errno != EWOULDBLOCK) 79 LOGERR("recvfrom(rip)"); 80 break; 81 } 82 if (fromlen != sizeof(struct sockaddr_in)) 83 logbad(1,"impossible recvfrom(rip) fromlen=%d", 84 (int)fromlen); 85 86 /* aifp is the "authenticated" interface via which the packet 87 * arrived. In fact, it is only the interface on which 88 * the packet should have arrived based on is source 89 * address. 90 * sifp is interface associated with the socket through which 91 * the packet was received. 92 */ 93 #ifdef USE_PASSIFNAME 94 if ((cc -= sizeof(inbuf.ifname)) < 0) 95 logbad(0,"missing USE_PASSIFNAME; only %d bytes", 96 cc+sizeof(inbuf.ifname)); 97 98 /* check the remote interfaces first */ 99 LIST_FOREACH(aifp, &remote_if, remote_list) { 100 if (aifp->int_addr == from.sin_addr.s_addr) 101 break; 102 } 103 if (aifp == 0) { 104 aifp = ifwithname(inbuf.ifname, 0); 105 if (aifp == 0) { 106 msglim(&bad_name, from.sin_addr.s_addr, 107 "impossible interface name %.*s", 108 IFNAMSIZ, inbuf.ifname); 109 } else if (((aifp->int_if_flags & IFF_POINTOPOINT) 110 && aifp->int_dstaddr!=from.sin_addr.s_addr) 111 || (!(aifp->int_if_flags & IFF_POINTOPOINT) 112 && !on_net(from.sin_addr.s_addr, 113 aifp->int_net, 114 aifp->int_mask))) { 115 /* If it came via the wrong interface, do not 116 * trust it. 117 */ 118 aifp = 0; 119 } 120 } 121 #else 122 aifp = iflookup(from.sin_addr.s_addr); 123 #endif 124 if (sifp == 0) 125 sifp = aifp; 126 127 input(&from, sifp, aifp, &inbuf.pbuf.rip, cc); 128 } 129 } 130 131 132 /* Process a RIP packet 133 */ 134 static void 135 input(struct sockaddr_in *from, /* received from this IP address */ 136 struct interface *sifp, /* interface of incoming socket */ 137 struct interface *aifp, /* "authenticated" interface */ 138 struct rip *rip, 139 int cc) 140 { 141 # define FROM_NADDR from->sin_addr.s_addr 142 static struct msg_limit use_auth, bad_len, bad_mask; 143 static struct msg_limit unk_router, bad_router, bad_nhop; 144 145 struct rt_entry *rt; 146 struct rt_spare new; 147 struct netinfo *n, *lim; 148 struct interface *ifp1; 149 naddr gate, mask, v1_mask, dst, ddst_h = 0; 150 struct auth *ap; 151 struct tgate *tg = 0; 152 struct tgate_net *tn; 153 int i, j; 154 155 /* Notice when we hear from a remote gateway 156 */ 157 if (aifp != 0 158 && (aifp->int_state & IS_REMOTE)) 159 aifp->int_act_time = now.tv_sec; 160 161 trace_rip("Recv", "from", from, sifp, rip, cc); 162 163 if (sifp == 0) { 164 trace_pkt(" discard a request from an indirect router" 165 " (possibly an attack)"); 166 return; 167 } 168 169 if (rip->rip_vers == 0) { 170 msglim(&bad_router, FROM_NADDR, 171 "RIP version 0, cmd %d, packet received from %s", 172 rip->rip_cmd, naddr_ntoa(FROM_NADDR)); 173 return; 174 } else if (rip->rip_vers > RIPv2) { 175 rip->rip_vers = RIPv2; 176 } 177 if (cc > (int)OVER_MAXPACKETSIZE) { 178 msglim(&bad_router, FROM_NADDR, 179 "packet at least %d bytes too long received from %s", 180 cc-MAXPACKETSIZE, naddr_ntoa(FROM_NADDR)); 181 return; 182 } 183 184 n = rip->rip_nets; 185 lim = (struct netinfo *)((char*)rip + cc); 186 187 /* Notice authentication. 188 * As required by section 4.2 in RFC 1723, discard authenticated 189 * RIPv2 messages, but only if configured for that silliness. 190 * 191 * RIPv2 authentication is lame. Why authenticate queries? 192 * Why should a RIPv2 implementation with authentication disabled 193 * not be able to listen to RIPv2 packets with authentication, while 194 * RIPv1 systems will listen? Crazy! 195 */ 196 if (!auth_ok 197 && rip->rip_vers == RIPv2 198 && n < lim && n->n_family == RIP_AF_AUTH) { 199 msglim(&use_auth, FROM_NADDR, 200 "RIPv2 message with authentication from %s discarded", 201 naddr_ntoa(FROM_NADDR)); 202 return; 203 } 204 205 switch (rip->rip_cmd) { 206 case RIPCMD_REQUEST: 207 /* For mere requests, be a little sloppy about the source 208 */ 209 if (aifp == 0) 210 aifp = sifp; 211 212 /* Are we talking to ourself or a remote gateway? 213 */ 214 ifp1 = ifwithaddr(FROM_NADDR, 0, 1); 215 if (ifp1) { 216 if (ifp1->int_state & IS_REMOTE) { 217 /* remote gateway */ 218 aifp = ifp1; 219 if (check_remote(aifp)) { 220 aifp->int_act_time = now.tv_sec; 221 (void)if_ok(aifp, "remote "); 222 } 223 } else if (from->sin_port == htons(RIP_PORT)) { 224 trace_pkt(" discard our own RIP request"); 225 return; 226 } 227 } 228 229 /* did the request come from a router? 230 */ 231 if (from->sin_port == htons(RIP_PORT)) { 232 /* yes, ignore the request if RIP is off so that 233 * the router does not depend on us. 234 */ 235 if (rip_sock < 0 236 || (aifp != 0 237 && IS_RIP_OUT_OFF(aifp->int_state))) { 238 trace_pkt(" discard request while RIP off"); 239 return; 240 } 241 } 242 243 /* According to RFC 1723, we should ignore unauthenticated 244 * queries. That is too silly to bother with. Sheesh! 245 * Are forwarding tables supposed to be secret, when 246 * a bad guy can infer them with test traffic? When RIP 247 * is still the most common router-discovery protocol 248 * and so hosts need to send queries that will be answered? 249 * What about `rtquery`? 250 * Maybe on firewalls you'd care, but not enough to 251 * give up the diagnostic facilities of remote probing. 252 */ 253 254 if (n >= lim) { 255 msglim(&bad_len, FROM_NADDR, "empty request from %s", 256 naddr_ntoa(FROM_NADDR)); 257 return; 258 } 259 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) { 260 msglim(&bad_len, FROM_NADDR, 261 "request of bad length (%d) from %s", 262 cc, naddr_ntoa(FROM_NADDR)); 263 } 264 265 if (rip->rip_vers == RIPv2 266 && (aifp == 0 || (aifp->int_state & IS_NO_RIPV1_OUT))) { 267 v12buf.buf->rip_vers = RIPv2; 268 /* If we have a secret but it is a cleartext secret, 269 * do not disclose our secret unless the other guy 270 * already knows it. 271 */ 272 ap = find_auth(aifp); 273 if (ap != 0 && ap->type == RIP_AUTH_PW 274 && n->n_family == RIP_AF_AUTH 275 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth)) 276 ap = 0; 277 } else { 278 v12buf.buf->rip_vers = RIPv1; 279 ap = 0; 280 } 281 clr_ws_buf(&v12buf, ap); 282 283 do { 284 n->n_metric = ntohl(n->n_metric); 285 286 /* A single entry with family RIP_AF_UNSPEC and 287 * metric HOPCNT_INFINITY means "all routes". 288 * We respond to routers only if we are acting 289 * as a supplier, or to anyone other than a router 290 * (i.e. a query). 291 */ 292 if (n->n_family == RIP_AF_UNSPEC 293 && n->n_metric == HOPCNT_INFINITY) { 294 /* Answer a query from a utility program 295 * with all we know. 296 */ 297 if (aifp == NULL) { 298 trace_pkt("ignore remote query"); 299 return; 300 } 301 if (from->sin_port != htons(RIP_PORT)) { 302 /* 303 * insecure: query from non-router node 304 * > 1: allow from distant node 305 * > 0: allow from neighbor node 306 * == 0: deny 307 */ 308 if ((aifp != NULL && insecure > 0) || 309 (aifp == NULL && insecure > 1)) 310 supply(from, aifp, OUT_QUERY, 0, 311 rip->rip_vers, ap != 0); 312 else 313 trace_pkt("Warning: " 314 "possible attack detected"); 315 return; 316 } 317 318 /* A router trying to prime its tables. 319 * Filter the answer in the about same way 320 * broadcasts are filtered. 321 * 322 * Only answer a router if we are a supplier 323 * to keep an unwary host that is just starting 324 * from picking us as a router. 325 */ 326 if (aifp == 0) { 327 trace_pkt("ignore distant router"); 328 return; 329 } 330 if (!supplier 331 || IS_RIP_OFF(aifp->int_state)) { 332 trace_pkt("ignore; not supplying"); 333 return; 334 } 335 336 /* Do not answer a RIPv1 router if 337 * we are sending RIPv2. But do offer 338 * poor man's router discovery. 339 */ 340 if ((aifp->int_state & IS_NO_RIPV1_OUT) 341 && rip->rip_vers == RIPv1) { 342 if (!(aifp->int_state & IS_PM_RDISC)) { 343 trace_pkt("ignore; sending RIPv2"); 344 return; 345 } 346 347 v12buf.n->n_family = RIP_AF_INET; 348 v12buf.n->n_dst = RIP_DEFAULT; 349 i = aifp->int_d_metric; 350 if (0 != (rt = rtget(RIP_DEFAULT, 0))) { 351 j = (rt->rt_metric 352 +aifp->int_metric 353 +aifp->int_adj_outmetric 354 +1); 355 if (i > j) 356 i = j; 357 } 358 v12buf.n->n_metric = htonl(i); 359 v12buf.n++; 360 break; 361 } 362 363 /* Respond with RIPv1 instead of RIPv2 if 364 * that is what we are broadcasting on the 365 * interface to keep the remote router from 366 * getting the wrong initial idea of the 367 * routes we send. 368 */ 369 supply(from, aifp, OUT_UNICAST, 0, 370 (aifp->int_state & IS_NO_RIPV1_OUT) 371 ? RIPv2 : RIPv1, 372 ap != 0); 373 return; 374 } 375 376 /* Ignore authentication */ 377 if (n->n_family == RIP_AF_AUTH) 378 continue; 379 380 if (n->n_family != RIP_AF_INET) { 381 msglim(&bad_router, FROM_NADDR, 382 "request from %s for unsupported" 383 " (af %d) %s", 384 naddr_ntoa(FROM_NADDR), 385 ntohs(n->n_family), 386 naddr_ntoa(n->n_dst)); 387 return; 388 } 389 390 /* We are being asked about a specific destination. 391 */ 392 dst = n->n_dst; 393 if (!check_dst(dst)) { 394 msglim(&bad_router, FROM_NADDR, 395 "bad queried destination %s from %s", 396 naddr_ntoa(dst), 397 naddr_ntoa(FROM_NADDR)); 398 return; 399 } 400 401 /* decide what mask was intended */ 402 if (rip->rip_vers == RIPv1 403 || 0 == (mask = ntohl(n->n_mask)) 404 || 0 != (ntohl(dst) & ~mask)) 405 mask = ripv1_mask_host(dst, aifp); 406 407 /* try to find the answer */ 408 rt = rtget(dst, mask); 409 if (!rt && dst != RIP_DEFAULT) 410 rt = rtfind(n->n_dst); 411 412 if (v12buf.buf->rip_vers != RIPv1) 413 v12buf.n->n_mask = mask; 414 if (rt == 0) { 415 /* we do not have the answer */ 416 v12buf.n->n_metric = HOPCNT_INFINITY; 417 } else { 418 /* we have the answer, so compute the 419 * right metric and next hop. 420 */ 421 v12buf.n->n_family = RIP_AF_INET; 422 v12buf.n->n_dst = dst; 423 j = rt->rt_metric+1; 424 if (!aifp) 425 ++j; 426 else 427 j += (aifp->int_metric 428 + aifp->int_adj_outmetric); 429 if (j < HOPCNT_INFINITY) 430 v12buf.n->n_metric = j; 431 else 432 v12buf.n->n_metric = HOPCNT_INFINITY; 433 if (v12buf.buf->rip_vers != RIPv1) { 434 v12buf.n->n_tag = rt->rt_tag; 435 v12buf.n->n_mask = mask; 436 if (aifp != 0 437 && on_net(rt->rt_gate, 438 aifp->int_net, 439 aifp->int_mask) 440 && rt->rt_gate != aifp->int_addr) 441 v12buf.n->n_nhop = rt->rt_gate; 442 } 443 } 444 v12buf.n->n_metric = htonl(v12buf.n->n_metric); 445 446 /* Stop paying attention if we fill the output buffer. 447 */ 448 if (++v12buf.n >= v12buf.lim) 449 break; 450 } while (++n < lim); 451 452 /* Send the answer about specific routes. 453 */ 454 if (ap != 0 && ap->type == RIP_AUTH_MD5) 455 end_md5_auth(&v12buf, ap); 456 457 if (from->sin_port != htons(RIP_PORT)) { 458 /* query */ 459 (void)output(OUT_QUERY, from, aifp, 460 v12buf.buf, 461 ((char *)v12buf.n - (char*)v12buf.buf)); 462 } else if (supplier) { 463 (void)output(OUT_UNICAST, from, aifp, 464 v12buf.buf, 465 ((char *)v12buf.n - (char*)v12buf.buf)); 466 } else { 467 /* Only answer a router if we are a supplier 468 * to keep an unwary host that is just starting 469 * from picking us an a router. 470 */ 471 ; 472 } 473 return; 474 475 case RIPCMD_TRACEON: 476 case RIPCMD_TRACEOFF: 477 /* Notice that trace messages are turned off for all possible 478 * abuse if _PATH_TRACE is undefined in pathnames.h. 479 * Notice also that because of the way the trace file is 480 * handled in trace.c, no abuse is plausible even if 481 * _PATH_TRACE_ is defined. 482 * 483 * First verify message came from a privileged port. */ 484 if (ntohs(from->sin_port) > IPPORT_RESERVED) { 485 msglog("trace command from untrusted port on %s", 486 naddr_ntoa(FROM_NADDR)); 487 return; 488 } 489 if (aifp == 0) { 490 msglog("trace command from unknown router %s", 491 naddr_ntoa(FROM_NADDR)); 492 return; 493 } 494 if (rip->rip_cmd == RIPCMD_TRACEON) { 495 rip->rip_tracefile[cc-4] = '\0'; 496 set_tracefile((char*)rip->rip_tracefile, 497 "trace command: %s\n", 0); 498 } else { 499 trace_off("tracing turned off by %s", 500 naddr_ntoa(FROM_NADDR)); 501 } 502 return; 503 504 case RIPCMD_RESPONSE: 505 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) { 506 msglim(&bad_len, FROM_NADDR, 507 "response of bad length (%d) from %s", 508 cc, naddr_ntoa(FROM_NADDR)); 509 } 510 511 /* verify message came from a router */ 512 if (from->sin_port != ntohs(RIP_PORT)) { 513 msglim(&bad_router, FROM_NADDR, 514 " discard RIP response from unknown port" 515 " %d on %s", 516 ntohs(from->sin_port), naddr_ntoa(FROM_NADDR)); 517 return; 518 } 519 520 if (rip_sock < 0) { 521 trace_pkt(" discard response while RIP off"); 522 return; 523 } 524 525 /* Are we talking to ourself or a remote gateway? 526 */ 527 ifp1 = ifwithaddr(FROM_NADDR, 0, 1); 528 if (ifp1) { 529 if (ifp1->int_state & IS_REMOTE) { 530 /* remote gateway */ 531 aifp = ifp1; 532 if (check_remote(aifp)) { 533 aifp->int_act_time = now.tv_sec; 534 (void)if_ok(aifp, "remote "); 535 } 536 } else { 537 trace_pkt(" discard our own RIP response"); 538 return; 539 } 540 } 541 542 /* Accept routing packets from routers directly connected 543 * via broadcast or point-to-point networks, and from 544 * those listed in /etc/gateways. 545 */ 546 if (aifp == 0) { 547 msglim(&unk_router, FROM_NADDR, 548 " discard response from %s" 549 " via unexpected interface", 550 naddr_ntoa(FROM_NADDR)); 551 return; 552 } 553 if (IS_RIP_IN_OFF(aifp->int_state)) { 554 trace_pkt(" discard RIPv%d response" 555 " via disabled interface %s", 556 rip->rip_vers, aifp->int_name); 557 return; 558 } 559 560 if (n >= lim) { 561 msglim(&bad_len, FROM_NADDR, "empty response from %s", 562 naddr_ntoa(FROM_NADDR)); 563 return; 564 } 565 566 if (((aifp->int_state & IS_NO_RIPV1_IN) 567 && rip->rip_vers == RIPv1) 568 || ((aifp->int_state & IS_NO_RIPV2_IN) 569 && rip->rip_vers != RIPv1)) { 570 trace_pkt(" discard RIPv%d response", 571 rip->rip_vers); 572 return; 573 } 574 575 /* Ignore routes via dead interface. 576 */ 577 if (aifp->int_state & IS_BROKE) { 578 trace_pkt("discard response via broken interface %s", 579 aifp->int_name); 580 return; 581 } 582 583 /* If the interface cares, ignore bad routers. 584 * Trace but do not log this problem, because where it 585 * happens, it happens frequently. 586 */ 587 if (aifp->int_state & IS_DISTRUST) { 588 tg = tgates; 589 while (tg->tgate_addr != FROM_NADDR) { 590 tg = tg->tgate_next; 591 if (tg == 0) { 592 trace_pkt(" discard RIP response" 593 " from untrusted router %s", 594 naddr_ntoa(FROM_NADDR)); 595 return; 596 } 597 } 598 } 599 600 /* Authenticate the packet if we have a secret. 601 * If we do not have any secrets, ignore the error in 602 * RFC 1723 and accept it regardless. 603 */ 604 if (aifp->int_auth[0].type != RIP_AUTH_NONE 605 && rip->rip_vers != RIPv1 606 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth)) 607 return; 608 609 do { 610 if (n->n_family == RIP_AF_AUTH) 611 continue; 612 613 n->n_metric = ntohl(n->n_metric); 614 dst = n->n_dst; 615 if (n->n_family != RIP_AF_INET 616 && (n->n_family != RIP_AF_UNSPEC 617 || dst != RIP_DEFAULT)) { 618 msglim(&bad_router, FROM_NADDR, 619 "route from %s to unsupported" 620 " address family=%d destination=%s", 621 naddr_ntoa(FROM_NADDR), 622 n->n_family, 623 naddr_ntoa(dst)); 624 continue; 625 } 626 if (!check_dst(dst)) { 627 msglim(&bad_router, FROM_NADDR, 628 "bad destination %s from %s", 629 naddr_ntoa(dst), 630 naddr_ntoa(FROM_NADDR)); 631 return; 632 } 633 if (n->n_metric == 0 634 || n->n_metric > HOPCNT_INFINITY) { 635 msglim(&bad_router, FROM_NADDR, 636 "bad metric %d from %s" 637 " for destination %s", 638 n->n_metric, 639 naddr_ntoa(FROM_NADDR), 640 naddr_ntoa(dst)); 641 return; 642 } 643 644 /* Notice the next-hop. 645 */ 646 gate = FROM_NADDR; 647 if (n->n_nhop != 0) { 648 if (rip->rip_vers == RIPv1) { 649 n->n_nhop = 0; 650 } else { 651 /* Use it only if it is valid. */ 652 if (on_net(n->n_nhop, 653 aifp->int_net, aifp->int_mask) 654 && check_dst(n->n_nhop)) { 655 gate = n->n_nhop; 656 } else { 657 msglim(&bad_nhop, FROM_NADDR, 658 "router %s to %s" 659 " has bad next hop %s", 660 naddr_ntoa(FROM_NADDR), 661 naddr_ntoa(dst), 662 naddr_ntoa(n->n_nhop)); 663 n->n_nhop = 0; 664 } 665 } 666 } 667 668 if (rip->rip_vers == RIPv1 669 || 0 == (mask = ntohl(n->n_mask))) { 670 mask = ripv1_mask_host(dst,aifp); 671 } else if ((ntohl(dst) & ~mask) != 0) { 672 msglim(&bad_mask, FROM_NADDR, 673 "router %s sent bad netmask" 674 " %#lx with %s", 675 naddr_ntoa(FROM_NADDR), 676 (u_long)mask, 677 naddr_ntoa(dst)); 678 continue; 679 } 680 if (rip->rip_vers == RIPv1) 681 n->n_tag = 0; 682 683 /* Adjust metric according to incoming interface.. 684 */ 685 n->n_metric += (aifp->int_metric 686 + aifp->int_adj_inmetric); 687 if (n->n_metric > HOPCNT_INFINITY) 688 n->n_metric = HOPCNT_INFINITY; 689 690 /* Should we trust this route from this router? */ 691 if (tg && (tn = tg->tgate_nets)->mask != 0) { 692 for (i = 0; i < MAX_TGATE_NETS; i++, tn++) { 693 if (on_net(dst, tn->net, tn->mask) 694 && tn->mask <= mask) 695 break; 696 } 697 if (i >= MAX_TGATE_NETS || tn->mask == 0) { 698 trace_pkt(" ignored unauthorized %s", 699 addrname(dst,mask,0)); 700 continue; 701 } 702 } 703 704 /* Recognize and ignore a default route we faked 705 * which is being sent back to us by a machine with 706 * broken split-horizon. 707 * Be a little more paranoid than that, and reject 708 * default routes with the same metric we advertised. 709 */ 710 if (aifp->int_d_metric != 0 711 && dst == RIP_DEFAULT 712 && (int)n->n_metric >= aifp->int_d_metric) 713 continue; 714 715 /* We can receive aggregated RIPv2 routes that must 716 * be broken down before they are transmitted by 717 * RIPv1 via an interface on a subnet. 718 * We might also receive the same routes aggregated 719 * via other RIPv2 interfaces. 720 * This could cause duplicate routes to be sent on 721 * the RIPv1 interfaces. "Longest matching variable 722 * length netmasks" lets RIPv2 listeners understand, 723 * but breaking down the aggregated routes for RIPv1 724 * listeners can produce duplicate routes. 725 * 726 * Breaking down aggregated routes here bloats 727 * the daemon table, but does not hurt the kernel 728 * table, since routes are always aggregated for 729 * the kernel. 730 * 731 * Notice that this does not break down network 732 * routes corresponding to subnets. This is part 733 * of the defense against RS_NET_SYN. 734 */ 735 if (have_ripv1_out 736 && (((rt = rtget(dst,mask)) == 0 737 || !(rt->rt_state & RS_NET_SYN))) 738 && (v1_mask = ripv1_mask_net(dst,0)) > mask) { 739 ddst_h = v1_mask & -v1_mask; 740 i = (v1_mask & ~mask)/ddst_h; 741 if (i >= 511) { 742 /* Punt if we would have to generate 743 * an unreasonable number of routes. 744 */ 745 if (TRACECONTENTS) 746 trace_misc("accept %s-->%s as 1" 747 " instead of %d routes", 748 addrname(dst,mask,0), 749 naddr_ntoa(FROM_NADDR), 750 i+1); 751 i = 0; 752 } else { 753 mask = v1_mask; 754 } 755 } else { 756 i = 0; 757 } 758 759 new.rts_gate = gate; 760 new.rts_router = FROM_NADDR; 761 new.rts_metric = n->n_metric; 762 new.rts_tag = n->n_tag; 763 new.rts_time = now.tv_sec; 764 new.rts_ifp = aifp; 765 new.rts_de_ag = i; 766 j = 0; 767 for (;;) { 768 input_route(dst, mask, &new, n); 769 if (++j > i) 770 break; 771 dst = htonl(ntohl(dst) + ddst_h); 772 } 773 } while (++n < lim); 774 break; 775 } 776 #undef FROM_NADDR 777 } 778 779 780 /* Process a single input route. 781 */ 782 static void 783 input_route(naddr dst, /* network order */ 784 naddr mask, 785 struct rt_spare *new, 786 struct netinfo *n) 787 { 788 int i; 789 struct rt_entry *rt; 790 struct rt_spare *rts, *rts0; 791 struct interface *ifp1; 792 793 794 /* See if the other guy is telling us to send our packets to him. 795 * Sometimes network routes arrive over a point-to-point link for 796 * the network containing the address(es) of the link. 797 * 798 * If our interface is broken, switch to using the other guy. 799 */ 800 ifp1 = ifwithaddr(dst, 1, 1); 801 if (ifp1 != 0 802 && (!(ifp1->int_state & IS_BROKE) 803 || (ifp1->int_state & IS_PASSIVE))) 804 return; 805 806 /* Look for the route in our table. 807 */ 808 rt = rtget(dst, mask); 809 810 /* Consider adding the route if we do not already have it. 811 */ 812 if (rt == 0) { 813 /* Ignore unknown routes being poisoned. 814 */ 815 if (new->rts_metric == HOPCNT_INFINITY) 816 return; 817 818 /* Ignore the route if it points to us */ 819 if (n->n_nhop != 0 820 && 0 != ifwithaddr(n->n_nhop, 1, 0)) 821 return; 822 823 /* If something has not gone crazy and tried to fill 824 * our memory, accept the new route. 825 */ 826 if (total_routes < MAX_ROUTES) 827 rtadd(dst, mask, 0, new); 828 return; 829 } 830 831 /* We already know about the route. Consider this update. 832 * 833 * If (rt->rt_state & RS_NET_SYN), then this route 834 * is the same as a network route we have inferred 835 * for subnets we know, in order to tell RIPv1 routers 836 * about the subnets. 837 * 838 * It is impossible to tell if the route is coming 839 * from a distant RIPv2 router with the standard 840 * netmask because that router knows about the entire 841 * network, or if it is a round-about echo of a 842 * synthetic, RIPv1 network route of our own. 843 * The worst is that both kinds of routes might be 844 * received, and the bad one might have the smaller 845 * metric. Partly solve this problem by never 846 * aggregating into such a route. Also keep it 847 * around as long as the interface exists. 848 */ 849 850 rts0 = rt->rt_spares; 851 for (rts = rts0, i = NUM_SPARES; i != 0; i--, rts++) { 852 if (rts->rts_router == new->rts_router) 853 break; 854 /* Note the worst slot to reuse, 855 * other than the current slot. 856 */ 857 if (rts0 == rt->rt_spares 858 || BETTER_LINK(rt, rts0, rts)) 859 rts0 = rts; 860 } 861 if (i != 0) { 862 /* Found a route from the router already in the table. 863 */ 864 865 /* If the new route is a route broken down from an 866 * aggregated route, and if the previous route is either 867 * not a broken down route or was broken down from a finer 868 * netmask, and if the previous route is current, 869 * then forget this one. 870 */ 871 if (new->rts_de_ag > rts->rts_de_ag 872 && now_stale <= rts->rts_time) 873 return; 874 875 /* Keep poisoned routes around only long enough to pass 876 * the poison on. Use a new timestamp for good routes. 877 */ 878 if (rts->rts_metric == HOPCNT_INFINITY 879 && new->rts_metric == HOPCNT_INFINITY) 880 new->rts_time = rts->rts_time; 881 882 /* If this is an update for the router we currently prefer, 883 * then note it. 884 */ 885 if (i == NUM_SPARES) { 886 rtchange(rt, rt->rt_state, new, 0); 887 /* If the route got worse, check for something better. 888 */ 889 if (new->rts_metric > rts->rts_metric) 890 rtswitch(rt, 0); 891 return; 892 } 893 894 /* This is an update for a spare route. 895 * Finished if the route is unchanged. 896 */ 897 if (rts->rts_gate == new->rts_gate 898 && rts->rts_metric == new->rts_metric 899 && rts->rts_tag == new->rts_tag) { 900 trace_upslot(rt, rts, new); 901 *rts = *new; 902 return; 903 } 904 /* Forget it if it has gone bad. 905 */ 906 if (new->rts_metric == HOPCNT_INFINITY) { 907 rts_delete(rt, rts); 908 return; 909 } 910 911 } else { 912 /* The update is for a route we know about, 913 * but not from a familiar router. 914 * 915 * Ignore the route if it points to us. 916 */ 917 if (n->n_nhop != 0 918 && 0 != ifwithaddr(n->n_nhop, 1, 0)) 919 return; 920 921 /* the loop above set rts0=worst spare */ 922 rts = rts0; 923 924 /* Save the route as a spare only if it has 925 * a better metric than our worst spare. 926 * This also ignores poisoned routes (those 927 * received with metric HOPCNT_INFINITY). 928 */ 929 if (new->rts_metric >= rts->rts_metric) 930 return; 931 } 932 933 trace_upslot(rt, rts, new); 934 *rts = *new; 935 936 /* try to switch to a better route */ 937 rtswitch(rt, rts); 938 } 939 940 941 static int /* 0 if bad */ 942 ck_passwd(struct interface *aifp, 943 struct rip *rip, 944 void *lim, 945 naddr from, 946 struct msg_limit *use_authp) 947 { 948 # define NA (rip->rip_auths) 949 struct netauth *na2; 950 struct auth *ap; 951 MD5_CTX md5_ctx; 952 u_char hash[RIP_AUTH_PW_LEN]; 953 int i, len; 954 955 assert(aifp != NULL); 956 if ((void *)NA >= lim || NA->a_family != RIP_AF_AUTH) { 957 msglim(use_authp, from, "missing password from %s", 958 naddr_ntoa(from)); 959 return 0; 960 } 961 962 /* accept any current (+/- 24 hours) password 963 */ 964 for (ap = aifp->int_auth, i = 0; i < MAX_AUTH_KEYS; i++, ap++) { 965 if (ap->type != NA->a_type 966 || (u_long)ap->start > (u_long)clk.tv_sec+DAY 967 || (u_long)ap->end+DAY < (u_long)clk.tv_sec) 968 continue; 969 970 if (NA->a_type == RIP_AUTH_PW) { 971 if (!memcmp(NA->au.au_pw, ap->key, RIP_AUTH_PW_LEN)) 972 return 1; 973 974 } else { 975 /* accept MD5 secret with the right key ID 976 */ 977 if (NA->au.a_md5.md5_keyid != ap->keyid) 978 continue; 979 980 len = ntohs(NA->au.a_md5.md5_pkt_len); 981 if ((len-sizeof(*rip)) % sizeof(*NA) != 0 982 || len != (char *)lim-(char*)rip-(int)sizeof(*NA)) { 983 msglim(use_authp, from, 984 "wrong MD5 RIPv2 packet length of %d" 985 " instead of %d from %s", 986 len, (int)((char *)lim-(char *)rip 987 -sizeof(*NA)), 988 naddr_ntoa(from)); 989 return 0; 990 } 991 na2 = (struct netauth *)((char *)rip+len); 992 993 /* Given a good hash value, these are not security 994 * problems so be generous and accept the routes, 995 * after complaining. 996 */ 997 if (TRACEPACKETS) { 998 if (NA->au.a_md5.md5_auth_len 999 != RIP_AUTH_MD5_HASH_LEN) 1000 msglim(use_authp, from, 1001 "unknown MD5 RIPv2 auth len %#x" 1002 " instead of %#x from %s", 1003 NA->au.a_md5.md5_auth_len, 1004 (unsigned)RIP_AUTH_MD5_HASH_LEN, 1005 naddr_ntoa(from)); 1006 if (na2->a_family != RIP_AF_AUTH) 1007 msglim(use_authp, from, 1008 "unknown MD5 RIPv2 family %#x" 1009 " instead of %#x from %s", 1010 na2->a_family, RIP_AF_AUTH, 1011 naddr_ntoa(from)); 1012 if (na2->a_type != ntohs(1)) 1013 msglim(use_authp, from, 1014 "MD5 RIPv2 hash has %#x" 1015 " instead of %#x from %s", 1016 na2->a_type, ntohs(1), 1017 naddr_ntoa(from)); 1018 } 1019 1020 MD5Init(&md5_ctx); 1021 MD5Update(&md5_ctx, (u_char *)rip, 1022 len + RIP_AUTH_MD5_HASH_XTRA); 1023 MD5Update(&md5_ctx, ap->key, RIP_AUTH_MD5_KEY_LEN); 1024 MD5Final(hash, &md5_ctx); 1025 if (!memcmp(hash, na2->au.au_pw, sizeof(hash))) 1026 return 1; 1027 } 1028 } 1029 1030 msglim(use_authp, from, "bad password from %s", 1031 naddr_ntoa(from)); 1032 return 0; 1033 #undef NA 1034 } 1035