1 /* $NetBSD: input.c,v 1.29 2002/12/01 08:19:48 agc Exp $ */ 2 3 /* 4 * Copyright (c) 1983, 1988, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. All advertising materials mentioning features or use of this software 16 * must display the following acknowledgment: 17 * This product includes software developed by the University of 18 * California, Berkeley and its contributors. 19 * 4. Neither the name of the University nor the names of its contributors 20 * may be used to endorse or promote products derived from this software 21 * without specific prior written permission. 22 * 23 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 24 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 25 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 26 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 27 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 28 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 29 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 30 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 31 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 32 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 33 * SUCH DAMAGE. 34 */ 35 36 #include "defs.h" 37 38 #ifdef __NetBSD__ 39 __RCSID("$NetBSD: input.c,v 1.29 2002/12/01 08:19:48 agc Exp $"); 40 #elif defined(__FreeBSD__) 41 __RCSID("$FreeBSD$"); 42 #else 43 __RCSID("Revision: 2.26 "); 44 #ident "Revision: 2.26 " 45 #endif 46 47 static void input(struct sockaddr_in *, struct interface *, struct interface *, 48 struct rip *, int); 49 static void input_route(naddr, naddr, struct rt_spare *, struct netinfo *); 50 static int ck_passwd(struct interface *, struct rip *, void *, 51 naddr, struct msg_limit *); 52 53 54 /* process RIP input 55 */ 56 void 57 read_rip(int sock, 58 struct interface *sifp) 59 { 60 struct sockaddr_in from; 61 struct interface *aifp; 62 int fromlen, cc; 63 #ifdef USE_PASSIFNAME 64 static struct msg_limit bad_name; 65 struct { 66 char ifname[IFNAMSIZ]; 67 union pkt_buf pbuf; 68 } inbuf; 69 #else 70 struct { 71 union pkt_buf pbuf; 72 } inbuf; 73 #endif 74 75 76 for (;;) { 77 fromlen = sizeof(from); 78 cc = recvfrom(sock, &inbuf, sizeof(inbuf), 0, 79 (struct sockaddr*)&from, &fromlen); 80 if (cc <= 0) { 81 if (cc < 0 && errno != EWOULDBLOCK) 82 LOGERR("recvfrom(rip)"); 83 break; 84 } 85 if (fromlen != sizeof(struct sockaddr_in)) 86 logbad(1,"impossible recvfrom(rip) fromlen=%d", 87 fromlen); 88 89 /* aifp is the "authenticated" interface via which the packet 90 * arrived. In fact, it is only the interface on which 91 * the packet should have arrived based on is source 92 * address. 93 * sifp is interface associated with the socket through which 94 * the packet was received. 95 */ 96 #ifdef USE_PASSIFNAME 97 if ((cc -= sizeof(inbuf.ifname)) < 0) 98 logbad(0,"missing USE_PASSIFNAME; only %d bytes", 99 cc+sizeof(inbuf.ifname)); 100 101 /* check the remote interfaces first */ 102 for (aifp = remote_if; aifp; aifp = aifp->int_rlink) { 103 if (aifp->int_addr == from.sin_addr.s_addr) 104 break; 105 } 106 if (aifp == 0) { 107 aifp = ifwithname(inbuf.ifname, 0); 108 if (aifp == 0) { 109 msglim(&bad_name, from.sin_addr.s_addr, 110 "impossible interface name %.*s", 111 IFNAMSIZ, inbuf.ifname); 112 } else if (((aifp->int_if_flags & IFF_POINTOPOINT) 113 && aifp->int_dstaddr!=from.sin_addr.s_addr) 114 || (!(aifp->int_if_flags & IFF_POINTOPOINT) 115 && !on_net(from.sin_addr.s_addr, 116 aifp->int_net, 117 aifp->int_mask))) { 118 /* If it came via the wrong interface, do not 119 * trust it. 120 */ 121 aifp = 0; 122 } 123 } 124 #else 125 aifp = iflookup(from.sin_addr.s_addr); 126 #endif 127 if (sifp == 0) 128 sifp = aifp; 129 130 input(&from, sifp, aifp, &inbuf.pbuf.rip, cc); 131 } 132 } 133 134 135 /* Process a RIP packet 136 */ 137 static void 138 input(struct sockaddr_in *from, /* received from this IP address */ 139 struct interface *sifp, /* interface of incoming socket */ 140 struct interface *aifp, /* "authenticated" interface */ 141 struct rip *rip, 142 int cc) 143 { 144 # define FROM_NADDR from->sin_addr.s_addr 145 static struct msg_limit use_auth, bad_len, bad_mask; 146 static struct msg_limit unk_router, bad_router, bad_nhop; 147 148 struct rt_entry *rt; 149 struct rt_spare new; 150 struct netinfo *n, *lim; 151 struct interface *ifp1; 152 naddr gate, mask, v1_mask, dst, ddst_h = 0; 153 struct auth *ap; 154 struct tgate *tg = 0; 155 struct tgate_net *tn; 156 int i, j; 157 158 /* Notice when we hear from a remote gateway 159 */ 160 if (aifp != 0 161 && (aifp->int_state & IS_REMOTE)) 162 aifp->int_act_time = now.tv_sec; 163 164 trace_rip("Recv", "from", from, sifp, rip, cc); 165 166 if (rip->rip_vers == 0) { 167 msglim(&bad_router, FROM_NADDR, 168 "RIP version 0, cmd %d, packet received from %s", 169 rip->rip_cmd, naddr_ntoa(FROM_NADDR)); 170 return; 171 } else if (rip->rip_vers > RIPv2) { 172 rip->rip_vers = RIPv2; 173 } 174 if (cc > (int)OVER_MAXPACKETSIZE) { 175 msglim(&bad_router, FROM_NADDR, 176 "packet at least %d bytes too long received from %s", 177 cc-MAXPACKETSIZE, naddr_ntoa(FROM_NADDR)); 178 return; 179 } 180 181 n = rip->rip_nets; 182 lim = (struct netinfo *)((char*)rip + cc); 183 184 /* Notice authentication. 185 * As required by section 4.2 in RFC 1723, discard authenticated 186 * RIPv2 messages, but only if configured for that silliness. 187 * 188 * RIPv2 authentication is lame. Why authenticate queries? 189 * Why should a RIPv2 implementation with authentication disabled 190 * not be able to listen to RIPv2 packets with authentication, while 191 * RIPv1 systems will listen? Crazy! 192 */ 193 if (!auth_ok 194 && rip->rip_vers == RIPv2 195 && n < lim && n->n_family == RIP_AF_AUTH) { 196 msglim(&use_auth, FROM_NADDR, 197 "RIPv2 message with authentication from %s discarded", 198 naddr_ntoa(FROM_NADDR)); 199 return; 200 } 201 202 switch (rip->rip_cmd) { 203 case RIPCMD_REQUEST: 204 /* For mere requests, be a little sloppy about the source 205 */ 206 if (aifp == 0) 207 aifp = sifp; 208 209 /* Are we talking to ourself or a remote gateway? 210 */ 211 ifp1 = ifwithaddr(FROM_NADDR, 0, 1); 212 if (ifp1) { 213 if (ifp1->int_state & IS_REMOTE) { 214 /* remote gateway */ 215 aifp = ifp1; 216 if (check_remote(aifp)) { 217 aifp->int_act_time = now.tv_sec; 218 (void)if_ok(aifp, "remote "); 219 } 220 } else if (from->sin_port == htons(RIP_PORT)) { 221 trace_pkt(" discard our own RIP request"); 222 return; 223 } 224 } 225 226 /* did the request come from a router? 227 */ 228 if (from->sin_port == htons(RIP_PORT)) { 229 /* yes, ignore the request if RIP is off so that 230 * the router does not depend on us. 231 */ 232 if (rip_sock < 0 233 || (aifp != 0 234 && IS_RIP_OUT_OFF(aifp->int_state))) { 235 trace_pkt(" discard request while RIP off"); 236 return; 237 } 238 } 239 240 /* According to RFC 1723, we should ignore unauthenticated 241 * queries. That is too silly to bother with. Sheesh! 242 * Are forwarding tables supposed to be secret, when 243 * a bad guy can infer them with test traffic? When RIP 244 * is still the most common router-discovery protocol 245 * and so hosts need to send queries that will be answered? 246 * What about `rtquery`? 247 * Maybe on firewalls you'd care, but not enough to 248 * give up the diagnostic facilities of remote probing. 249 */ 250 251 if (n >= lim) { 252 msglim(&bad_len, FROM_NADDR, "empty request from %s", 253 naddr_ntoa(FROM_NADDR)); 254 return; 255 } 256 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) { 257 msglim(&bad_len, FROM_NADDR, 258 "request of bad length (%d) from %s", 259 cc, naddr_ntoa(FROM_NADDR)); 260 } 261 262 if (rip->rip_vers == RIPv2 263 && (aifp == 0 || (aifp->int_state & IS_NO_RIPV1_OUT))) { 264 v12buf.buf->rip_vers = RIPv2; 265 /* If we have a secret but it is a cleartext secret, 266 * do not disclose our secret unless the other guy 267 * already knows it. 268 */ 269 ap = find_auth(aifp); 270 if (ap != 0 && ap->type == RIP_AUTH_PW 271 && n->n_family == RIP_AF_AUTH 272 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth)) 273 ap = 0; 274 } else { 275 v12buf.buf->rip_vers = RIPv1; 276 ap = 0; 277 } 278 clr_ws_buf(&v12buf, ap); 279 280 do { 281 NTOHL(n->n_metric); 282 283 /* A single entry with family RIP_AF_UNSPEC and 284 * metric HOPCNT_INFINITY means "all routes". 285 * We respond to routers only if we are acting 286 * as a supplier, or to anyone other than a router 287 * (i.e. a query). 288 */ 289 if (n->n_family == RIP_AF_UNSPEC 290 && n->n_metric == HOPCNT_INFINITY) { 291 /* Answer a query from a utility program 292 * with all we know. 293 */ 294 if (from->sin_port != htons(RIP_PORT)) { 295 supply(from, aifp, OUT_QUERY, 0, 296 rip->rip_vers, ap != 0); 297 return; 298 } 299 300 /* A router trying to prime its tables. 301 * Filter the answer in the about same way 302 * broadcasts are filtered. 303 * 304 * Only answer a router if we are a supplier 305 * to keep an unwary host that is just starting 306 * from picking us as a router. 307 */ 308 if (aifp == 0) { 309 trace_pkt("ignore distant router"); 310 return; 311 } 312 if (!supplier 313 || IS_RIP_OFF(aifp->int_state)) { 314 trace_pkt("ignore; not supplying"); 315 return; 316 } 317 318 /* Do not answer a RIPv1 router if 319 * we are sending RIPv2. But do offer 320 * poor man's router discovery. 321 */ 322 if ((aifp->int_state & IS_NO_RIPV1_OUT) 323 && rip->rip_vers == RIPv1) { 324 if (!(aifp->int_state & IS_PM_RDISC)) { 325 trace_pkt("ignore; sending RIPv2"); 326 return; 327 } 328 329 v12buf.n->n_family = RIP_AF_INET; 330 v12buf.n->n_dst = RIP_DEFAULT; 331 i = aifp->int_d_metric; 332 if (0 != (rt = rtget(RIP_DEFAULT, 0))) { 333 j = (rt->rt_metric 334 +aifp->int_metric 335 +aifp->int_adj_outmetric 336 +1); 337 if (i > j) 338 i = j; 339 } 340 v12buf.n->n_metric = htonl(i); 341 v12buf.n++; 342 break; 343 } 344 345 /* Respond with RIPv1 instead of RIPv2 if 346 * that is what we are broadcasting on the 347 * interface to keep the remote router from 348 * getting the wrong initial idea of the 349 * routes we send. 350 */ 351 supply(from, aifp, OUT_UNICAST, 0, 352 (aifp->int_state & IS_NO_RIPV1_OUT) 353 ? RIPv2 : RIPv1, 354 ap != 0); 355 return; 356 } 357 358 /* Ignore authentication */ 359 if (n->n_family == RIP_AF_AUTH) 360 continue; 361 362 if (n->n_family != RIP_AF_INET) { 363 msglim(&bad_router, FROM_NADDR, 364 "request from %s for unsupported" 365 " (af %d) %s", 366 naddr_ntoa(FROM_NADDR), 367 ntohs(n->n_family), 368 naddr_ntoa(n->n_dst)); 369 return; 370 } 371 372 /* We are being asked about a specific destination. 373 */ 374 dst = n->n_dst; 375 if (!check_dst(dst)) { 376 msglim(&bad_router, FROM_NADDR, 377 "bad queried destination %s from %s", 378 naddr_ntoa(dst), 379 naddr_ntoa(FROM_NADDR)); 380 return; 381 } 382 383 /* decide what mask was intended */ 384 if (rip->rip_vers == RIPv1 385 || 0 == (mask = ntohl(n->n_mask)) 386 || 0 != (ntohl(dst) & ~mask)) 387 mask = ripv1_mask_host(dst, aifp); 388 389 /* try to find the answer */ 390 rt = rtget(dst, mask); 391 if (!rt && dst != RIP_DEFAULT) 392 rt = rtfind(n->n_dst); 393 394 if (v12buf.buf->rip_vers != RIPv1) 395 v12buf.n->n_mask = mask; 396 if (rt == 0) { 397 /* we do not have the answer */ 398 v12buf.n->n_metric = HOPCNT_INFINITY; 399 } else { 400 /* we have the answer, so compute the 401 * right metric and next hop. 402 */ 403 v12buf.n->n_family = RIP_AF_INET; 404 v12buf.n->n_dst = dst; 405 j = rt->rt_metric+1; 406 if (!aifp) 407 ++j; 408 else 409 j += (aifp->int_metric 410 + aifp->int_adj_outmetric); 411 if (j < HOPCNT_INFINITY) 412 v12buf.n->n_metric = j; 413 else 414 v12buf.n->n_metric = HOPCNT_INFINITY; 415 if (v12buf.buf->rip_vers != RIPv1) { 416 v12buf.n->n_tag = rt->rt_tag; 417 v12buf.n->n_mask = mask; 418 if (aifp != 0 419 && on_net(rt->rt_gate, 420 aifp->int_net, 421 aifp->int_mask) 422 && rt->rt_gate != aifp->int_addr) 423 v12buf.n->n_nhop = rt->rt_gate; 424 } 425 } 426 HTONL(v12buf.n->n_metric); 427 428 /* Stop paying attention if we fill the output buffer. 429 */ 430 if (++v12buf.n >= v12buf.lim) 431 break; 432 } while (++n < lim); 433 434 /* Send the answer about specific routes. 435 */ 436 if (ap != 0 && ap->type == RIP_AUTH_MD5) 437 end_md5_auth(&v12buf, ap); 438 439 if (from->sin_port != htons(RIP_PORT)) { 440 /* query */ 441 (void)output(OUT_QUERY, from, aifp, 442 v12buf.buf, 443 ((char *)v12buf.n - (char*)v12buf.buf)); 444 } else if (supplier) { 445 (void)output(OUT_UNICAST, from, aifp, 446 v12buf.buf, 447 ((char *)v12buf.n - (char*)v12buf.buf)); 448 } else { 449 /* Only answer a router if we are a supplier 450 * to keep an unwary host that is just starting 451 * from picking us an a router. 452 */ 453 ; 454 } 455 return; 456 457 case RIPCMD_TRACEON: 458 case RIPCMD_TRACEOFF: 459 /* Notice that trace messages are turned off for all possible 460 * abuse if _PATH_TRACE is undefined in pathnames.h. 461 * Notice also that because of the way the trace file is 462 * handled in trace.c, no abuse is plausible even if 463 * _PATH_TRACE_ is defined. 464 * 465 * First verify message came from a privileged port. */ 466 if (ntohs(from->sin_port) > IPPORT_RESERVED) { 467 msglog("trace command from untrusted port on %s", 468 naddr_ntoa(FROM_NADDR)); 469 return; 470 } 471 if (aifp == 0) { 472 msglog("trace command from unknown router %s", 473 naddr_ntoa(FROM_NADDR)); 474 return; 475 } 476 if (rip->rip_cmd == RIPCMD_TRACEON) { 477 rip->rip_tracefile[cc-4] = '\0'; 478 #ifndef __NetBSD__ 479 set_tracefile((char*)rip->rip_tracefile, 480 "trace command: %s\n", 0); 481 #else 482 msglog("RIP_TRACEON for `%s' from %s ignored", 483 (char *) rip->rip_tracefile, 484 naddr_ntoa(FROM_NADDR)); 485 #endif 486 } else { 487 #ifndef __NetBSD__ 488 trace_off("tracing turned off by %s", 489 naddr_ntoa(FROM_NADDR)); 490 #else 491 msglog("RIP_TRACEOFF from %s ignored", 492 naddr_ntoa(FROM_NADDR)); 493 #endif 494 } 495 return; 496 497 case RIPCMD_RESPONSE: 498 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) { 499 msglim(&bad_len, FROM_NADDR, 500 "response of bad length (%d) from %s", 501 cc, naddr_ntoa(FROM_NADDR)); 502 } 503 504 /* verify message came from a router */ 505 if (from->sin_port != ntohs(RIP_PORT)) { 506 msglim(&bad_router, FROM_NADDR, 507 " discard RIP response from unknown port" 508 " %d on %s", 509 ntohs(from->sin_port), naddr_ntoa(FROM_NADDR)); 510 return; 511 } 512 513 if (rip_sock < 0) { 514 trace_pkt(" discard response while RIP off"); 515 return; 516 } 517 518 /* Are we talking to ourself or a remote gateway? 519 */ 520 ifp1 = ifwithaddr(FROM_NADDR, 0, 1); 521 if (ifp1) { 522 if (ifp1->int_state & IS_REMOTE) { 523 /* remote gateway */ 524 aifp = ifp1; 525 if (check_remote(aifp)) { 526 aifp->int_act_time = now.tv_sec; 527 (void)if_ok(aifp, "remote "); 528 } 529 } else { 530 trace_pkt(" discard our own RIP response"); 531 return; 532 } 533 } 534 535 /* Accept routing packets from routers directly connected 536 * via broadcast or point-to-point networks, and from 537 * those listed in /etc/gateways. 538 */ 539 if (aifp == 0) { 540 msglim(&unk_router, FROM_NADDR, 541 " discard response from %s" 542 " via unexpected interface", 543 naddr_ntoa(FROM_NADDR)); 544 return; 545 } 546 if (IS_RIP_IN_OFF(aifp->int_state)) { 547 trace_pkt(" discard RIPv%d response" 548 " via disabled interface %s", 549 rip->rip_vers, aifp->int_name); 550 return; 551 } 552 553 if (n >= lim) { 554 msglim(&bad_len, FROM_NADDR, "empty response from %s", 555 naddr_ntoa(FROM_NADDR)); 556 return; 557 } 558 559 if (((aifp->int_state & IS_NO_RIPV1_IN) 560 && rip->rip_vers == RIPv1) 561 || ((aifp->int_state & IS_NO_RIPV2_IN) 562 && rip->rip_vers != RIPv1)) { 563 trace_pkt(" discard RIPv%d response", 564 rip->rip_vers); 565 return; 566 } 567 568 /* Ignore routes via dead interface. 569 */ 570 if (aifp->int_state & IS_BROKE) { 571 trace_pkt("discard response via broken interface %s", 572 aifp->int_name); 573 return; 574 } 575 576 /* If the interface cares, ignore bad routers. 577 * Trace but do not log this problem, because where it 578 * happens, it happens frequently. 579 */ 580 if (aifp->int_state & IS_DISTRUST) { 581 tg = tgates; 582 while (tg->tgate_addr != FROM_NADDR) { 583 tg = tg->tgate_next; 584 if (tg == 0) { 585 trace_pkt(" discard RIP response" 586 " from untrusted router %s", 587 naddr_ntoa(FROM_NADDR)); 588 return; 589 } 590 } 591 } 592 593 /* Authenticate the packet if we have a secret. 594 * If we do not have any secrets, ignore the error in 595 * RFC 1723 and accept it regardless. 596 */ 597 if (aifp->int_auth[0].type != RIP_AUTH_NONE 598 && rip->rip_vers != RIPv1 599 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth)) 600 return; 601 602 do { 603 if (n->n_family == RIP_AF_AUTH) 604 continue; 605 606 NTOHL(n->n_metric); 607 dst = n->n_dst; 608 if (n->n_family != RIP_AF_INET 609 && (n->n_family != RIP_AF_UNSPEC 610 || dst != RIP_DEFAULT)) { 611 msglim(&bad_router, FROM_NADDR, 612 "route from %s to unsupported" 613 " address family=%d destination=%s", 614 naddr_ntoa(FROM_NADDR), 615 n->n_family, 616 naddr_ntoa(dst)); 617 continue; 618 } 619 if (!check_dst(dst)) { 620 msglim(&bad_router, FROM_NADDR, 621 "bad destination %s from %s", 622 naddr_ntoa(dst), 623 naddr_ntoa(FROM_NADDR)); 624 return; 625 } 626 if (n->n_metric == 0 627 || n->n_metric > HOPCNT_INFINITY) { 628 msglim(&bad_router, FROM_NADDR, 629 "bad metric %d from %s" 630 " for destination %s", 631 n->n_metric, 632 naddr_ntoa(FROM_NADDR), 633 naddr_ntoa(dst)); 634 return; 635 } 636 637 /* Notice the next-hop. 638 */ 639 gate = FROM_NADDR; 640 if (n->n_nhop != 0) { 641 if (rip->rip_vers == RIPv1) { 642 n->n_nhop = 0; 643 } else { 644 /* Use it only if it is valid. */ 645 if (on_net(n->n_nhop, 646 aifp->int_net, aifp->int_mask) 647 && check_dst(n->n_nhop)) { 648 gate = n->n_nhop; 649 } else { 650 msglim(&bad_nhop, FROM_NADDR, 651 "router %s to %s" 652 " has bad next hop %s", 653 naddr_ntoa(FROM_NADDR), 654 naddr_ntoa(dst), 655 naddr_ntoa(n->n_nhop)); 656 n->n_nhop = 0; 657 } 658 } 659 } 660 661 if (rip->rip_vers == RIPv1 662 || 0 == (mask = ntohl(n->n_mask))) { 663 mask = ripv1_mask_host(dst,aifp); 664 } else if ((ntohl(dst) & ~mask) != 0) { 665 msglim(&bad_mask, FROM_NADDR, 666 "router %s sent bad netmask" 667 " %#lx with %s", 668 naddr_ntoa(FROM_NADDR), 669 (u_long)mask, 670 naddr_ntoa(dst)); 671 continue; 672 } 673 if (rip->rip_vers == RIPv1) 674 n->n_tag = 0; 675 676 /* Adjust metric according to incoming interface.. 677 */ 678 n->n_metric += (aifp->int_metric 679 + aifp->int_adj_inmetric); 680 if (n->n_metric > HOPCNT_INFINITY) 681 n->n_metric = HOPCNT_INFINITY; 682 683 /* Should we trust this route from this router? */ 684 if (tg && (tn = tg->tgate_nets)->mask != 0) { 685 for (i = 0; i < MAX_TGATE_NETS; i++, tn++) { 686 if (on_net(dst, tn->net, tn->mask) 687 && tn->mask <= mask) 688 break; 689 } 690 if (i >= MAX_TGATE_NETS || tn->mask == 0) { 691 trace_pkt(" ignored unauthorized %s", 692 addrname(dst,mask,0)); 693 continue; 694 } 695 } 696 697 /* Recognize and ignore a default route we faked 698 * which is being sent back to us by a machine with 699 * broken split-horizon. 700 * Be a little more paranoid than that, and reject 701 * default routes with the same metric we advertised. 702 */ 703 if (aifp->int_d_metric != 0 704 && dst == RIP_DEFAULT 705 && (int)n->n_metric >= aifp->int_d_metric) 706 continue; 707 708 /* We can receive aggregated RIPv2 routes that must 709 * be broken down before they are transmitted by 710 * RIPv1 via an interface on a subnet. 711 * We might also receive the same routes aggregated 712 * via other RIPv2 interfaces. 713 * This could cause duplicate routes to be sent on 714 * the RIPv1 interfaces. "Longest matching variable 715 * length netmasks" lets RIPv2 listeners understand, 716 * but breaking down the aggregated routes for RIPv1 717 * listeners can produce duplicate routes. 718 * 719 * Breaking down aggregated routes here bloats 720 * the daemon table, but does not hurt the kernel 721 * table, since routes are always aggregated for 722 * the kernel. 723 * 724 * Notice that this does not break down network 725 * routes corresponding to subnets. This is part 726 * of the defense against RS_NET_SYN. 727 */ 728 if (have_ripv1_out 729 && (((rt = rtget(dst,mask)) == 0 730 || !(rt->rt_state & RS_NET_SYN))) 731 && (v1_mask = ripv1_mask_net(dst,0)) > mask) { 732 ddst_h = v1_mask & -v1_mask; 733 i = (v1_mask & ~mask)/ddst_h; 734 if (i >= 511) { 735 /* Punt if we would have to generate 736 * an unreasonable number of routes. 737 */ 738 if (TRACECONTENTS) 739 trace_misc("accept %s-->%s as 1" 740 " instead of %d routes", 741 addrname(dst,mask,0), 742 naddr_ntoa(FROM_NADDR), 743 i+1); 744 i = 0; 745 } else { 746 mask = v1_mask; 747 } 748 } else { 749 i = 0; 750 } 751 752 new.rts_gate = gate; 753 new.rts_router = FROM_NADDR; 754 new.rts_metric = n->n_metric; 755 new.rts_tag = n->n_tag; 756 new.rts_time = now.tv_sec; 757 new.rts_ifp = aifp; 758 new.rts_de_ag = i; 759 j = 0; 760 for (;;) { 761 input_route(dst, mask, &new, n); 762 if (++j > i) 763 break; 764 dst = htonl(ntohl(dst) + ddst_h); 765 } 766 } while (++n < lim); 767 break; 768 } 769 #undef FROM_NADDR 770 } 771 772 773 /* Process a single input route. 774 */ 775 static void 776 input_route(naddr dst, /* network order */ 777 naddr mask, 778 struct rt_spare *new, 779 struct netinfo *n) 780 { 781 int i; 782 struct rt_entry *rt; 783 struct rt_spare *rts, *rts0; 784 struct interface *ifp1; 785 786 787 /* See if the other guy is telling us to send our packets to him. 788 * Sometimes network routes arrive over a point-to-point link for 789 * the network containing the address(es) of the link. 790 * 791 * If our interface is broken, switch to using the other guy. 792 */ 793 ifp1 = ifwithaddr(dst, 1, 1); 794 if (ifp1 != 0 795 && (!(ifp1->int_state & IS_BROKE) 796 || (ifp1->int_state & IS_PASSIVE))) 797 return; 798 799 /* Look for the route in our table. 800 */ 801 rt = rtget(dst, mask); 802 803 /* Consider adding the route if we do not already have it. 804 */ 805 if (rt == 0) { 806 /* Ignore unknown routes being poisoned. 807 */ 808 if (new->rts_metric == HOPCNT_INFINITY) 809 return; 810 811 /* Ignore the route if it points to us */ 812 if (n->n_nhop != 0 813 && 0 != ifwithaddr(n->n_nhop, 1, 0)) 814 return; 815 816 /* If something has not gone crazy and tried to fill 817 * our memory, accept the new route. 818 */ 819 if (total_routes < MAX_ROUTES) 820 rtadd(dst, mask, 0, new); 821 return; 822 } 823 824 /* We already know about the route. Consider this update. 825 * 826 * If (rt->rt_state & RS_NET_SYN), then this route 827 * is the same as a network route we have inferred 828 * for subnets we know, in order to tell RIPv1 routers 829 * about the subnets. 830 * 831 * It is impossible to tell if the route is coming 832 * from a distant RIPv2 router with the standard 833 * netmask because that router knows about the entire 834 * network, or if it is a round-about echo of a 835 * synthetic, RIPv1 network route of our own. 836 * The worst is that both kinds of routes might be 837 * received, and the bad one might have the smaller 838 * metric. Partly solve this problem by never 839 * aggregating into such a route. Also keep it 840 * around as long as the interface exists. 841 */ 842 843 rts0 = rt->rt_spares; 844 for (rts = rts0, i = NUM_SPARES; i != 0; i--, rts++) { 845 if (rts->rts_router == new->rts_router) 846 break; 847 /* Note the worst slot to reuse, 848 * other than the current slot. 849 */ 850 if (rts0 == rt->rt_spares 851 || BETTER_LINK(rt, rts0, rts)) 852 rts0 = rts; 853 } 854 if (i != 0) { 855 /* Found a route from the router already in the table. 856 */ 857 858 /* If the new route is a route broken down from an 859 * aggregated route, and if the previous route is either 860 * not a broken down route or was broken down from a finer 861 * netmask, and if the previous route is current, 862 * then forget this one. 863 */ 864 if (new->rts_de_ag > rts->rts_de_ag 865 && now_stale <= rts->rts_time) 866 return; 867 868 /* Keep poisoned routes around only long enough to pass 869 * the poison on. Use a new timestamp for good routes. 870 */ 871 if (rts->rts_metric == HOPCNT_INFINITY 872 && new->rts_metric == HOPCNT_INFINITY) 873 new->rts_time = rts->rts_time; 874 875 /* If this is an update for the router we currently prefer, 876 * then note it. 877 */ 878 if (i == NUM_SPARES) { 879 rtchange(rt, rt->rt_state, new, 0); 880 /* If the route got worse, check for something better. 881 */ 882 if (new->rts_metric > rts->rts_metric) 883 rtswitch(rt, 0); 884 return; 885 } 886 887 /* This is an update for a spare route. 888 * Finished if the route is unchanged. 889 */ 890 if (rts->rts_gate == new->rts_gate 891 && rts->rts_metric == new->rts_metric 892 && rts->rts_tag == new->rts_tag) { 893 trace_upslot(rt, rts, new); 894 *rts = *new; 895 return; 896 } 897 /* Forget it if it has gone bad. 898 */ 899 if (new->rts_metric == HOPCNT_INFINITY) { 900 rts_delete(rt, rts); 901 return; 902 } 903 904 } else { 905 /* The update is for a route we know about, 906 * but not from a familiar router. 907 * 908 * Ignore the route if it points to us. 909 */ 910 if (n->n_nhop != 0 911 && 0 != ifwithaddr(n->n_nhop, 1, 0)) 912 return; 913 914 /* the loop above set rts0=worst spare */ 915 rts = rts0; 916 917 /* Save the route as a spare only if it has 918 * a better metric than our worst spare. 919 * This also ignores poisoned routes (those 920 * received with metric HOPCNT_INFINITY). 921 */ 922 if (new->rts_metric >= rts->rts_metric) 923 return; 924 } 925 926 trace_upslot(rt, rts, new); 927 *rts = *new; 928 929 /* try to switch to a better route */ 930 rtswitch(rt, rts); 931 } 932 933 934 static int /* 0 if bad */ 935 ck_passwd(struct interface *aifp, 936 struct rip *rip, 937 void *lim, 938 naddr from, 939 struct msg_limit *use_authp) 940 { 941 # define NA (rip->rip_auths) 942 struct netauth *na2; 943 struct auth *ap; 944 MD5_CTX md5_ctx; 945 u_char hash[RIP_AUTH_PW_LEN]; 946 int i, len; 947 948 949 if ((void *)NA >= lim || NA->a_family != RIP_AF_AUTH) { 950 msglim(use_authp, from, "missing password from %s", 951 naddr_ntoa(from)); 952 return 0; 953 } 954 955 /* accept any current (+/- 24 hours) password 956 */ 957 for (ap = aifp->int_auth, i = 0; i < MAX_AUTH_KEYS; i++, ap++) { 958 if (ap->type != NA->a_type 959 || (u_long)ap->start > (u_long)clk.tv_sec+DAY 960 || (u_long)ap->end+DAY < (u_long)clk.tv_sec) 961 continue; 962 963 if (NA->a_type == RIP_AUTH_PW) { 964 if (!memcmp(NA->au.au_pw, ap->key, RIP_AUTH_PW_LEN)) 965 return 1; 966 967 } else { 968 /* accept MD5 secret with the right key ID 969 */ 970 if (NA->au.a_md5.md5_keyid != ap->keyid) 971 continue; 972 973 len = ntohs(NA->au.a_md5.md5_pkt_len); 974 if ((len-sizeof(*rip)) % sizeof(*NA) != 0 975 || len != (char *)lim-(char*)rip-(int)sizeof(*NA)) { 976 msglim(use_authp, from, 977 "wrong MD5 RIPv2 packet length of %d" 978 " instead of %d from %s", 979 len, (int)((char *)lim-(char *)rip 980 -sizeof(*NA)), 981 naddr_ntoa(from)); 982 return 0; 983 } 984 na2 = (struct netauth *)((char *)rip+len); 985 986 /* Given a good hash value, these are not security 987 * problems so be generous and accept the routes, 988 * after complaining. 989 */ 990 if (TRACEPACKETS) { 991 if (NA->au.a_md5.md5_auth_len 992 != RIP_AUTH_MD5_HASH_LEN) 993 msglim(use_authp, from, 994 "unknown MD5 RIPv2 auth len %#x" 995 " instead of %#lx from %s", 996 NA->au.a_md5.md5_auth_len, 997 (unsigned long) RIP_AUTH_MD5_HASH_LEN, 998 naddr_ntoa(from)); 999 if (na2->a_family != RIP_AF_AUTH) 1000 msglim(use_authp, from, 1001 "unknown MD5 RIPv2 family %#x" 1002 " instead of %#x from %s", 1003 na2->a_family, RIP_AF_AUTH, 1004 naddr_ntoa(from)); 1005 if (na2->a_type != ntohs(1)) 1006 msglim(use_authp, from, 1007 "MD5 RIPv2 hash has %#x" 1008 " instead of %#x from %s", 1009 na2->a_type, ntohs(1), 1010 naddr_ntoa(from)); 1011 } 1012 1013 MD5Init(&md5_ctx); 1014 MD5Update(&md5_ctx, (u_char *)rip, 1015 len + RIP_AUTH_MD5_HASH_XTRA); 1016 MD5Update(&md5_ctx, ap->key, RIP_AUTH_MD5_KEY_LEN); 1017 MD5Final(hash, &md5_ctx); 1018 if (!memcmp(hash, na2->au.au_pw, sizeof(hash))) 1019 return 1; 1020 } 1021 } 1022 1023 msglim(use_authp, from, "bad password from %s", 1024 naddr_ntoa(from)); 1025 return 0; 1026 #undef NA 1027 } 1028