1 /*-
2 * SPDX-License-Identifier: BSD-3-Clause
3 *
4 * Copyright (c) 1983, 1988, 1993
5 * The Regents of the University of California. All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the University nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 *
31 * $FreeBSD$
32 */
33
34 #include "defs.h"
35
36 __RCSID("$FreeBSD$");
37
38 static void input(struct sockaddr_in *, struct interface *, struct interface *,
39 struct rip *, int);
40 static void input_route(naddr, naddr, struct rt_spare *, struct netinfo *);
41 static int ck_passwd(struct interface *, struct rip *, void *,
42 naddr, struct msg_limit *);
43
44
45 /* process RIP input
46 */
47 void
read_rip(int sock,struct interface * sifp)48 read_rip(int sock,
49 struct interface *sifp)
50 {
51 struct sockaddr_in from;
52 struct interface *aifp;
53 socklen_t fromlen;
54 int cc;
55 #ifdef USE_PASSIFNAME
56 static struct msg_limit bad_name;
57 struct {
58 char ifname[IFNAMSIZ];
59 union pkt_buf pbuf;
60 } inbuf;
61 #else
62 struct {
63 union pkt_buf pbuf;
64 } inbuf;
65 #endif
66
67
68 for (;;) {
69 fromlen = sizeof(from);
70 cc = recvfrom(sock, &inbuf, sizeof(inbuf), 0,
71 (struct sockaddr*)&from, &fromlen);
72 if (cc <= 0) {
73 if (cc < 0 && errno != EWOULDBLOCK)
74 LOGERR("recvfrom(rip)");
75 break;
76 }
77 if (fromlen != sizeof(struct sockaddr_in))
78 logbad(1,"impossible recvfrom(rip) fromlen=%d",
79 (int)fromlen);
80
81 /* aifp is the "authenticated" interface via which the packet
82 * arrived. In fact, it is only the interface on which
83 * the packet should have arrived based on is source
84 * address.
85 * sifp is interface associated with the socket through which
86 * the packet was received.
87 */
88 #ifdef USE_PASSIFNAME
89 if ((cc -= sizeof(inbuf.ifname)) < 0)
90 logbad(0,"missing USE_PASSIFNAME; only %d bytes",
91 cc+sizeof(inbuf.ifname));
92
93 /* check the remote interfaces first */
94 LIST_FOREACH(aifp, &remote_if, remote_list) {
95 if (aifp->int_addr == from.sin_addr.s_addr)
96 break;
97 }
98 if (aifp == NULL) {
99 aifp = ifwithname(inbuf.ifname, 0);
100 if (aifp == NULL) {
101 msglim(&bad_name, from.sin_addr.s_addr,
102 "impossible interface name %.*s",
103 IFNAMSIZ, inbuf.ifname);
104 } else if (((aifp->int_if_flags & IFF_POINTOPOINT)
105 && aifp->int_dstaddr!=from.sin_addr.s_addr)
106 || (!(aifp->int_if_flags & IFF_POINTOPOINT)
107 && !on_net(from.sin_addr.s_addr,
108 aifp->int_net,
109 aifp->int_mask))) {
110 /* If it came via the wrong interface, do not
111 * trust it.
112 */
113 aifp = NULL;
114 }
115 }
116 #else
117 aifp = iflookup(from.sin_addr.s_addr);
118 #endif
119 if (sifp == NULL)
120 sifp = aifp;
121
122 input(&from, sifp, aifp, &inbuf.pbuf.rip, cc);
123 }
124 }
125
126
127 /* Process a RIP packet
128 */
129 static void
input(struct sockaddr_in * from,struct interface * sifp,struct interface * aifp,struct rip * rip,int cc)130 input(struct sockaddr_in *from, /* received from this IP address */
131 struct interface *sifp, /* interface of incoming socket */
132 struct interface *aifp, /* "authenticated" interface */
133 struct rip *rip,
134 int cc)
135 {
136 # define FROM_NADDR from->sin_addr.s_addr
137 static struct msg_limit use_auth, bad_len, bad_mask;
138 static struct msg_limit unk_router, bad_router, bad_nhop;
139
140 struct rt_entry *rt;
141 struct rt_spare new;
142 struct netinfo *n, *lim;
143 struct interface *ifp1;
144 naddr gate, mask, v1_mask, dst, ddst_h = 0;
145 struct auth *ap;
146 struct tgate *tg = NULL;
147 struct tgate_net *tn;
148 int i, j;
149
150 /* Notice when we hear from a remote gateway
151 */
152 if (aifp != NULL
153 && (aifp->int_state & IS_REMOTE))
154 aifp->int_act_time = now.tv_sec;
155
156 trace_rip("Recv", "from", from, sifp, rip, cc);
157
158 if (sifp == NULL) {
159 trace_pkt(" discard a request from an indirect router"
160 " (possibly an attack)");
161 return;
162 }
163
164 if (rip->rip_vers == 0) {
165 msglim(&bad_router, FROM_NADDR,
166 "RIP version 0, cmd %d, packet received from %s",
167 rip->rip_cmd, naddr_ntoa(FROM_NADDR));
168 return;
169 } else if (rip->rip_vers > RIPv2) {
170 rip->rip_vers = RIPv2;
171 }
172 if (cc > (int)OVER_MAXPACKETSIZE) {
173 msglim(&bad_router, FROM_NADDR,
174 "packet at least %d bytes too long received from %s",
175 cc-MAXPACKETSIZE, naddr_ntoa(FROM_NADDR));
176 return;
177 }
178
179 n = rip->rip_nets;
180 lim = (struct netinfo *)((char*)rip + cc);
181
182 /* Notice authentication.
183 * As required by section 4.2 in RFC 1723, discard authenticated
184 * RIPv2 messages, but only if configured for that silliness.
185 *
186 * RIPv2 authentication is lame. Why authenticate queries?
187 * Why should a RIPv2 implementation with authentication disabled
188 * not be able to listen to RIPv2 packets with authentication, while
189 * RIPv1 systems will listen? Crazy!
190 */
191 if (!auth_ok
192 && rip->rip_vers == RIPv2
193 && n < lim && n->n_family == RIP_AF_AUTH) {
194 msglim(&use_auth, FROM_NADDR,
195 "RIPv2 message with authentication from %s discarded",
196 naddr_ntoa(FROM_NADDR));
197 return;
198 }
199
200 switch (rip->rip_cmd) {
201 case RIPCMD_REQUEST:
202 /* For mere requests, be a little sloppy about the source
203 */
204 if (aifp == NULL)
205 aifp = sifp;
206
207 /* Are we talking to ourself or a remote gateway?
208 */
209 ifp1 = ifwithaddr(FROM_NADDR, 0, 1);
210 if (ifp1) {
211 if (ifp1->int_state & IS_REMOTE) {
212 /* remote gateway */
213 aifp = ifp1;
214 if (check_remote(aifp)) {
215 aifp->int_act_time = now.tv_sec;
216 (void)if_ok(aifp, "remote ");
217 }
218 } else if (from->sin_port == htons(RIP_PORT)) {
219 trace_pkt(" discard our own RIP request");
220 return;
221 }
222 }
223
224 /* did the request come from a router?
225 */
226 if (from->sin_port == htons(RIP_PORT)) {
227 /* yes, ignore the request if RIP is off so that
228 * the router does not depend on us.
229 */
230 if (rip_sock < 0
231 || (aifp != NULL
232 && IS_RIP_OUT_OFF(aifp->int_state))) {
233 trace_pkt(" discard request while RIP off");
234 return;
235 }
236 }
237
238 /* According to RFC 1723, we should ignore unauthenticated
239 * queries. That is too silly to bother with. Sheesh!
240 * Are forwarding tables supposed to be secret, when
241 * a bad guy can infer them with test traffic? When RIP
242 * is still the most common router-discovery protocol
243 * and so hosts need to send queries that will be answered?
244 * What about `rtquery`?
245 * Maybe on firewalls you'd care, but not enough to
246 * give up the diagnostic facilities of remote probing.
247 */
248
249 if (n >= lim) {
250 msglim(&bad_len, FROM_NADDR, "empty request from %s",
251 naddr_ntoa(FROM_NADDR));
252 return;
253 }
254 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) {
255 msglim(&bad_len, FROM_NADDR,
256 "request of bad length (%d) from %s",
257 cc, naddr_ntoa(FROM_NADDR));
258 }
259
260 if (rip->rip_vers == RIPv2
261 && (aifp == NULL || (aifp->int_state & IS_NO_RIPV1_OUT))) {
262 v12buf.buf->rip_vers = RIPv2;
263 /* If we have a secret but it is a cleartext secret,
264 * do not disclose our secret unless the other guy
265 * already knows it.
266 */
267 ap = find_auth(aifp);
268 if (ap != NULL && ap->type == RIP_AUTH_PW
269 && n->n_family == RIP_AF_AUTH
270 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth))
271 ap = NULL;
272 } else {
273 v12buf.buf->rip_vers = RIPv1;
274 ap = NULL;
275 }
276 clr_ws_buf(&v12buf, ap);
277
278 do {
279 n->n_metric = ntohl(n->n_metric);
280
281 /* A single entry with family RIP_AF_UNSPEC and
282 * metric HOPCNT_INFINITY means "all routes".
283 * We respond to routers only if we are acting
284 * as a supplier, or to anyone other than a router
285 * (i.e. a query).
286 */
287 if (n->n_family == RIP_AF_UNSPEC
288 && n->n_metric == HOPCNT_INFINITY) {
289 /* Answer a query from a utility program
290 * with all we know.
291 */
292 if (aifp == NULL) {
293 trace_pkt("ignore remote query");
294 return;
295 }
296 if (from->sin_port != htons(RIP_PORT)) {
297 /*
298 * insecure: query from non-router node
299 * > 1: allow from distant node
300 * > 0: allow from neighbor node
301 * == 0: deny
302 */
303 if ((aifp != NULL && insecure > 0) ||
304 (aifp == NULL && insecure > 1))
305 supply(from, aifp, OUT_QUERY, 0,
306 rip->rip_vers,
307 ap != NULL);
308 else
309 trace_pkt("Warning: "
310 "possible attack detected");
311 return;
312 }
313
314 /* A router trying to prime its tables.
315 * Filter the answer in the about same way
316 * broadcasts are filtered.
317 *
318 * Only answer a router if we are a supplier
319 * to keep an unwary host that is just starting
320 * from picking us as a router.
321 */
322 if (aifp == NULL) {
323 trace_pkt("ignore distant router");
324 return;
325 }
326 if (!supplier
327 || IS_RIP_OFF(aifp->int_state)) {
328 trace_pkt("ignore; not supplying");
329 return;
330 }
331
332 /* Do not answer a RIPv1 router if
333 * we are sending RIPv2. But do offer
334 * poor man's router discovery.
335 */
336 if ((aifp->int_state & IS_NO_RIPV1_OUT)
337 && rip->rip_vers == RIPv1) {
338 if (!(aifp->int_state & IS_PM_RDISC)) {
339 trace_pkt("ignore; sending RIPv2");
340 return;
341 }
342
343 v12buf.n->n_family = RIP_AF_INET;
344 v12buf.n->n_dst = RIP_DEFAULT;
345 i = aifp->int_d_metric;
346 if (NULL != (rt = rtget(RIP_DEFAULT, 0))) {
347 j = (rt->rt_metric
348 +aifp->int_metric
349 +aifp->int_adj_outmetric
350 +1);
351 if (i > j)
352 i = j;
353 }
354 v12buf.n->n_metric = htonl(i);
355 v12buf.n++;
356 break;
357 }
358
359 /* Respond with RIPv1 instead of RIPv2 if
360 * that is what we are broadcasting on the
361 * interface to keep the remote router from
362 * getting the wrong initial idea of the
363 * routes we send.
364 */
365 supply(from, aifp, OUT_UNICAST, 0,
366 (aifp->int_state & IS_NO_RIPV1_OUT)
367 ? RIPv2 : RIPv1,
368 ap != NULL);
369 return;
370 }
371
372 /* Ignore authentication */
373 if (n->n_family == RIP_AF_AUTH)
374 continue;
375
376 if (n->n_family != RIP_AF_INET) {
377 msglim(&bad_router, FROM_NADDR,
378 "request from %s for unsupported"
379 " (af %d) %s",
380 naddr_ntoa(FROM_NADDR),
381 ntohs(n->n_family),
382 naddr_ntoa(n->n_dst));
383 return;
384 }
385
386 /* We are being asked about a specific destination.
387 */
388 dst = n->n_dst;
389 if (!check_dst(dst)) {
390 msglim(&bad_router, FROM_NADDR,
391 "bad queried destination %s from %s",
392 naddr_ntoa(dst),
393 naddr_ntoa(FROM_NADDR));
394 return;
395 }
396
397 /* decide what mask was intended */
398 if (rip->rip_vers == RIPv1
399 || 0 == (mask = ntohl(n->n_mask))
400 || 0 != (ntohl(dst) & ~mask))
401 mask = ripv1_mask_host(dst, aifp);
402
403 /* try to find the answer */
404 rt = rtget(dst, mask);
405 if (!rt && dst != RIP_DEFAULT)
406 rt = rtfind(n->n_dst);
407
408 if (v12buf.buf->rip_vers != RIPv1)
409 v12buf.n->n_mask = mask;
410 if (rt == NULL) {
411 /* we do not have the answer */
412 v12buf.n->n_metric = HOPCNT_INFINITY;
413 } else {
414 /* we have the answer, so compute the
415 * right metric and next hop.
416 */
417 v12buf.n->n_family = RIP_AF_INET;
418 v12buf.n->n_dst = dst;
419 j = rt->rt_metric+1;
420 if (!aifp)
421 ++j;
422 else
423 j += (aifp->int_metric
424 + aifp->int_adj_outmetric);
425 if (j < HOPCNT_INFINITY)
426 v12buf.n->n_metric = j;
427 else
428 v12buf.n->n_metric = HOPCNT_INFINITY;
429 if (v12buf.buf->rip_vers != RIPv1) {
430 v12buf.n->n_tag = rt->rt_tag;
431 v12buf.n->n_mask = mask;
432 if (aifp != NULL
433 && on_net(rt->rt_gate,
434 aifp->int_net,
435 aifp->int_mask)
436 && rt->rt_gate != aifp->int_addr)
437 v12buf.n->n_nhop = rt->rt_gate;
438 }
439 }
440 v12buf.n->n_metric = htonl(v12buf.n->n_metric);
441
442 /* Stop paying attention if we fill the output buffer.
443 */
444 if (++v12buf.n >= v12buf.lim)
445 break;
446 } while (++n < lim);
447
448 /* Send the answer about specific routes.
449 */
450 if (ap != NULL && ap->type == RIP_AUTH_MD5)
451 end_md5_auth(&v12buf, ap);
452
453 if (from->sin_port != htons(RIP_PORT)) {
454 /* query */
455 (void)output(OUT_QUERY, from, aifp,
456 v12buf.buf,
457 ((char *)v12buf.n - (char*)v12buf.buf));
458 } else if (supplier) {
459 (void)output(OUT_UNICAST, from, aifp,
460 v12buf.buf,
461 ((char *)v12buf.n - (char*)v12buf.buf));
462 } else {
463 /* Only answer a router if we are a supplier
464 * to keep an unwary host that is just starting
465 * from picking us an a router.
466 */
467 ;
468 }
469 return;
470
471 case RIPCMD_TRACEON:
472 case RIPCMD_TRACEOFF:
473 /* Notice that trace messages are turned off for all possible
474 * abuse if _PATH_TRACE is undefined in pathnames.h.
475 * Notice also that because of the way the trace file is
476 * handled in trace.c, no abuse is plausible even if
477 * _PATH_TRACE_ is defined.
478 *
479 * First verify message came from a privileged port. */
480 if (ntohs(from->sin_port) > IPPORT_RESERVED) {
481 msglog("trace command from untrusted port on %s",
482 naddr_ntoa(FROM_NADDR));
483 return;
484 }
485 if (aifp == NULL) {
486 msglog("trace command from unknown router %s",
487 naddr_ntoa(FROM_NADDR));
488 return;
489 }
490 if (rip->rip_cmd == RIPCMD_TRACEON) {
491 rip->rip_tracefile[cc-4] = '\0';
492 set_tracefile((char*)rip->rip_tracefile,
493 "trace command: %s\n", 0);
494 } else {
495 trace_off("tracing turned off by %s",
496 naddr_ntoa(FROM_NADDR));
497 }
498 return;
499
500 case RIPCMD_RESPONSE:
501 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) {
502 msglim(&bad_len, FROM_NADDR,
503 "response of bad length (%d) from %s",
504 cc, naddr_ntoa(FROM_NADDR));
505 }
506
507 /* verify message came from a router */
508 if (from->sin_port != ntohs(RIP_PORT)) {
509 msglim(&bad_router, FROM_NADDR,
510 " discard RIP response from unknown port"
511 " %d on %s",
512 ntohs(from->sin_port), naddr_ntoa(FROM_NADDR));
513 return;
514 }
515
516 if (rip_sock < 0) {
517 trace_pkt(" discard response while RIP off");
518 return;
519 }
520
521 /* Are we talking to ourself or a remote gateway?
522 */
523 ifp1 = ifwithaddr(FROM_NADDR, 0, 1);
524 if (ifp1) {
525 if (ifp1->int_state & IS_REMOTE) {
526 /* remote gateway */
527 aifp = ifp1;
528 if (check_remote(aifp)) {
529 aifp->int_act_time = now.tv_sec;
530 (void)if_ok(aifp, "remote ");
531 }
532 } else {
533 trace_pkt(" discard our own RIP response");
534 return;
535 }
536 }
537
538 /* Accept routing packets from routers directly connected
539 * via broadcast or point-to-point networks, and from
540 * those listed in /etc/gateways.
541 */
542 if (aifp == NULL) {
543 msglim(&unk_router, FROM_NADDR,
544 " discard response from %s"
545 " via unexpected interface",
546 naddr_ntoa(FROM_NADDR));
547 return;
548 }
549 if (IS_RIP_IN_OFF(aifp->int_state)) {
550 trace_pkt(" discard RIPv%d response"
551 " via disabled interface %s",
552 rip->rip_vers, aifp->int_name);
553 return;
554 }
555
556 if (n >= lim) {
557 msglim(&bad_len, FROM_NADDR, "empty response from %s",
558 naddr_ntoa(FROM_NADDR));
559 return;
560 }
561
562 if (((aifp->int_state & IS_NO_RIPV1_IN)
563 && rip->rip_vers == RIPv1)
564 || ((aifp->int_state & IS_NO_RIPV2_IN)
565 && rip->rip_vers != RIPv1)) {
566 trace_pkt(" discard RIPv%d response",
567 rip->rip_vers);
568 return;
569 }
570
571 /* Ignore routes via dead interface.
572 */
573 if (aifp->int_state & IS_BROKE) {
574 trace_pkt("discard response via broken interface %s",
575 aifp->int_name);
576 return;
577 }
578
579 /* If the interface cares, ignore bad routers.
580 * Trace but do not log this problem, because where it
581 * happens, it happens frequently.
582 */
583 if (aifp->int_state & IS_DISTRUST) {
584 tg = tgates;
585 while (tg->tgate_addr != FROM_NADDR) {
586 tg = tg->tgate_next;
587 if (tg == NULL) {
588 trace_pkt(" discard RIP response"
589 " from untrusted router %s",
590 naddr_ntoa(FROM_NADDR));
591 return;
592 }
593 }
594 }
595
596 /* Authenticate the packet if we have a secret.
597 * If we do not have any secrets, ignore the error in
598 * RFC 1723 and accept it regardless.
599 */
600 if (aifp->int_auth[0].type != RIP_AUTH_NONE
601 && rip->rip_vers != RIPv1
602 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth))
603 return;
604
605 do {
606 if (n->n_family == RIP_AF_AUTH)
607 continue;
608
609 n->n_metric = ntohl(n->n_metric);
610 dst = n->n_dst;
611 if (n->n_family != RIP_AF_INET
612 && (n->n_family != RIP_AF_UNSPEC
613 || dst != RIP_DEFAULT)) {
614 msglim(&bad_router, FROM_NADDR,
615 "route from %s to unsupported"
616 " address family=%d destination=%s",
617 naddr_ntoa(FROM_NADDR),
618 n->n_family,
619 naddr_ntoa(dst));
620 continue;
621 }
622 if (!check_dst(dst)) {
623 msglim(&bad_router, FROM_NADDR,
624 "bad destination %s from %s",
625 naddr_ntoa(dst),
626 naddr_ntoa(FROM_NADDR));
627 return;
628 }
629 if (n->n_metric == 0
630 || n->n_metric > HOPCNT_INFINITY) {
631 msglim(&bad_router, FROM_NADDR,
632 "bad metric %d from %s"
633 " for destination %s",
634 n->n_metric,
635 naddr_ntoa(FROM_NADDR),
636 naddr_ntoa(dst));
637 return;
638 }
639
640 /* Notice the next-hop.
641 */
642 gate = FROM_NADDR;
643 if (n->n_nhop != 0) {
644 if (rip->rip_vers == RIPv1) {
645 n->n_nhop = 0;
646 } else {
647 /* Use it only if it is valid. */
648 if (on_net(n->n_nhop,
649 aifp->int_net, aifp->int_mask)
650 && check_dst(n->n_nhop)) {
651 gate = n->n_nhop;
652 } else {
653 msglim(&bad_nhop, FROM_NADDR,
654 "router %s to %s"
655 " has bad next hop %s",
656 naddr_ntoa(FROM_NADDR),
657 naddr_ntoa(dst),
658 naddr_ntoa(n->n_nhop));
659 n->n_nhop = 0;
660 }
661 }
662 }
663
664 if (rip->rip_vers == RIPv1
665 || 0 == (mask = ntohl(n->n_mask))) {
666 mask = ripv1_mask_host(dst,aifp);
667 } else if ((ntohl(dst) & ~mask) != 0) {
668 msglim(&bad_mask, FROM_NADDR,
669 "router %s sent bad netmask"
670 " %#lx with %s",
671 naddr_ntoa(FROM_NADDR),
672 (u_long)mask,
673 naddr_ntoa(dst));
674 continue;
675 }
676 if (rip->rip_vers == RIPv1)
677 n->n_tag = 0;
678
679 /* Adjust metric according to incoming interface..
680 */
681 n->n_metric += (aifp->int_metric
682 + aifp->int_adj_inmetric);
683 if (n->n_metric > HOPCNT_INFINITY)
684 n->n_metric = HOPCNT_INFINITY;
685
686 /* Should we trust this route from this router? */
687 if (tg && (tn = tg->tgate_nets)->mask != 0) {
688 for (i = 0; i < MAX_TGATE_NETS; i++, tn++) {
689 if (on_net(dst, tn->net, tn->mask)
690 && tn->mask <= mask)
691 break;
692 }
693 if (i >= MAX_TGATE_NETS || tn->mask == 0) {
694 trace_pkt(" ignored unauthorized %s",
695 addrname(dst,mask,0));
696 continue;
697 }
698 }
699
700 /* Recognize and ignore a default route we faked
701 * which is being sent back to us by a machine with
702 * broken split-horizon.
703 * Be a little more paranoid than that, and reject
704 * default routes with the same metric we advertised.
705 */
706 if (aifp->int_d_metric != 0
707 && dst == RIP_DEFAULT
708 && (int)n->n_metric >= aifp->int_d_metric)
709 continue;
710
711 /* We can receive aggregated RIPv2 routes that must
712 * be broken down before they are transmitted by
713 * RIPv1 via an interface on a subnet.
714 * We might also receive the same routes aggregated
715 * via other RIPv2 interfaces.
716 * This could cause duplicate routes to be sent on
717 * the RIPv1 interfaces. "Longest matching variable
718 * length netmasks" lets RIPv2 listeners understand,
719 * but breaking down the aggregated routes for RIPv1
720 * listeners can produce duplicate routes.
721 *
722 * Breaking down aggregated routes here bloats
723 * the daemon table, but does not hurt the kernel
724 * table, since routes are always aggregated for
725 * the kernel.
726 *
727 * Notice that this does not break down network
728 * routes corresponding to subnets. This is part
729 * of the defense against RS_NET_SYN.
730 */
731 if (have_ripv1_out
732 && (((rt = rtget(dst,mask)) == NULL
733 || !(rt->rt_state & RS_NET_SYN)))
734 && (v1_mask = ripv1_mask_net(dst,0)) > mask) {
735 ddst_h = v1_mask & -v1_mask;
736 i = (v1_mask & ~mask)/ddst_h;
737 if (i >= 511) {
738 /* Punt if we would have to generate
739 * an unreasonable number of routes.
740 */
741 if (TRACECONTENTS)
742 trace_misc("accept %s-->%s as 1"
743 " instead of %d routes",
744 addrname(dst,mask,0),
745 naddr_ntoa(FROM_NADDR),
746 i+1);
747 i = 0;
748 } else {
749 mask = v1_mask;
750 }
751 } else {
752 i = 0;
753 }
754
755 new.rts_gate = gate;
756 new.rts_router = FROM_NADDR;
757 new.rts_metric = n->n_metric;
758 new.rts_tag = n->n_tag;
759 new.rts_time = now.tv_sec;
760 new.rts_ifp = aifp;
761 new.rts_de_ag = i;
762 j = 0;
763 for (;;) {
764 input_route(dst, mask, &new, n);
765 if (++j > i)
766 break;
767 dst = htonl(ntohl(dst) + ddst_h);
768 }
769 } while (++n < lim);
770 break;
771 }
772 #undef FROM_NADDR
773 }
774
775
776 /* Process a single input route.
777 */
778 static void
input_route(naddr dst,naddr mask,struct rt_spare * new,struct netinfo * n)779 input_route(naddr dst, /* network order */
780 naddr mask,
781 struct rt_spare *new,
782 struct netinfo *n)
783 {
784 int i;
785 struct rt_entry *rt;
786 struct rt_spare *rts, *rts0;
787 struct interface *ifp1;
788
789
790 /* See if the other guy is telling us to send our packets to him.
791 * Sometimes network routes arrive over a point-to-point link for
792 * the network containing the address(es) of the link.
793 *
794 * If our interface is broken, switch to using the other guy.
795 */
796 ifp1 = ifwithaddr(dst, 1, 1);
797 if (ifp1 != NULL
798 && (!(ifp1->int_state & IS_BROKE)
799 || (ifp1->int_state & IS_PASSIVE)))
800 return;
801
802 /* Look for the route in our table.
803 */
804 rt = rtget(dst, mask);
805
806 /* Consider adding the route if we do not already have it.
807 */
808 if (rt == NULL) {
809 /* Ignore unknown routes being poisoned.
810 */
811 if (new->rts_metric == HOPCNT_INFINITY)
812 return;
813
814 /* Ignore the route if it points to us */
815 if (n->n_nhop != 0
816 && ifwithaddr(n->n_nhop, 1, 0) != NULL)
817 return;
818
819 /* If something has not gone crazy and tried to fill
820 * our memory, accept the new route.
821 */
822 if (total_routes < MAX_ROUTES)
823 rtadd(dst, mask, 0, new);
824 return;
825 }
826
827 /* We already know about the route. Consider this update.
828 *
829 * If (rt->rt_state & RS_NET_SYN), then this route
830 * is the same as a network route we have inferred
831 * for subnets we know, in order to tell RIPv1 routers
832 * about the subnets.
833 *
834 * It is impossible to tell if the route is coming
835 * from a distant RIPv2 router with the standard
836 * netmask because that router knows about the entire
837 * network, or if it is a round-about echo of a
838 * synthetic, RIPv1 network route of our own.
839 * The worst is that both kinds of routes might be
840 * received, and the bad one might have the smaller
841 * metric. Partly solve this problem by never
842 * aggregating into such a route. Also keep it
843 * around as long as the interface exists.
844 */
845
846 rts0 = rt->rt_spares;
847 for (rts = rts0, i = NUM_SPARES; i != 0; i--, rts++) {
848 if (rts->rts_router == new->rts_router)
849 break;
850 /* Note the worst slot to reuse,
851 * other than the current slot.
852 */
853 if (rts0 == rt->rt_spares
854 || BETTER_LINK(rt, rts0, rts))
855 rts0 = rts;
856 }
857 if (i != 0) {
858 /* Found a route from the router already in the table.
859 */
860
861 /* If the new route is a route broken down from an
862 * aggregated route, and if the previous route is either
863 * not a broken down route or was broken down from a finer
864 * netmask, and if the previous route is current,
865 * then forget this one.
866 */
867 if (new->rts_de_ag > rts->rts_de_ag
868 && now_stale <= rts->rts_time)
869 return;
870
871 /* Keep poisoned routes around only long enough to pass
872 * the poison on. Use a new timestamp for good routes.
873 */
874 if (rts->rts_metric == HOPCNT_INFINITY
875 && new->rts_metric == HOPCNT_INFINITY)
876 new->rts_time = rts->rts_time;
877
878 /* If this is an update for the router we currently prefer,
879 * then note it.
880 */
881 if (i == NUM_SPARES) {
882 rtchange(rt, rt->rt_state, new, 0);
883 /* If the route got worse, check for something better.
884 */
885 if (new->rts_metric > rts->rts_metric)
886 rtswitch(rt, 0);
887 return;
888 }
889
890 /* This is an update for a spare route.
891 * Finished if the route is unchanged.
892 */
893 if (rts->rts_gate == new->rts_gate
894 && rts->rts_metric == new->rts_metric
895 && rts->rts_tag == new->rts_tag) {
896 trace_upslot(rt, rts, new);
897 *rts = *new;
898 return;
899 }
900 /* Forget it if it has gone bad.
901 */
902 if (new->rts_metric == HOPCNT_INFINITY) {
903 rts_delete(rt, rts);
904 return;
905 }
906
907 } else {
908 /* The update is for a route we know about,
909 * but not from a familiar router.
910 *
911 * Ignore the route if it points to us.
912 */
913 if (n->n_nhop != 0
914 && NULL != ifwithaddr(n->n_nhop, 1, 0))
915 return;
916
917 /* the loop above set rts0=worst spare */
918 rts = rts0;
919
920 /* Save the route as a spare only if it has
921 * a better metric than our worst spare.
922 * This also ignores poisoned routes (those
923 * received with metric HOPCNT_INFINITY).
924 */
925 if (new->rts_metric >= rts->rts_metric)
926 return;
927 }
928
929 trace_upslot(rt, rts, new);
930 *rts = *new;
931
932 /* try to switch to a better route */
933 rtswitch(rt, rts);
934 }
935
936
937 static int /* 0 if bad */
ck_passwd(struct interface * aifp,struct rip * rip,void * lim,naddr from,struct msg_limit * use_authp)938 ck_passwd(struct interface *aifp,
939 struct rip *rip,
940 void *lim,
941 naddr from,
942 struct msg_limit *use_authp)
943 {
944 # define NA (rip->rip_auths)
945 struct netauth *na2;
946 struct auth *ap;
947 MD5_CTX md5_ctx;
948 u_char hash[RIP_AUTH_PW_LEN];
949 int i, len;
950
951 assert(aifp != NULL);
952 if ((void *)NA >= lim || NA->a_family != RIP_AF_AUTH) {
953 msglim(use_authp, from, "missing password from %s",
954 naddr_ntoa(from));
955 return 0;
956 }
957
958 /* accept any current (+/- 24 hours) password
959 */
960 for (ap = aifp->int_auth, i = 0; i < MAX_AUTH_KEYS; i++, ap++) {
961 if (ap->type != NA->a_type
962 || (u_long)ap->start > (u_long)clk.tv_sec+DAY
963 || (u_long)ap->end+DAY < (u_long)clk.tv_sec)
964 continue;
965
966 if (NA->a_type == RIP_AUTH_PW) {
967 if (!memcmp(NA->au.au_pw, ap->key, RIP_AUTH_PW_LEN))
968 return 1;
969
970 } else {
971 /* accept MD5 secret with the right key ID
972 */
973 if (NA->au.a_md5.md5_keyid != ap->keyid)
974 continue;
975
976 len = ntohs(NA->au.a_md5.md5_pkt_len);
977 if ((len-sizeof(*rip)) % sizeof(*NA) != 0
978 || len != (char *)lim-(char*)rip-(int)sizeof(*NA)) {
979 msglim(use_authp, from,
980 "wrong MD5 RIPv2 packet length of %d"
981 " instead of %d from %s",
982 len, (int)((char *)lim-(char *)rip
983 -sizeof(*NA)),
984 naddr_ntoa(from));
985 return 0;
986 }
987 na2 = (struct netauth *)((char *)rip+len);
988
989 /* Given a good hash value, these are not security
990 * problems so be generous and accept the routes,
991 * after complaining.
992 */
993 if (TRACEPACKETS) {
994 if (NA->au.a_md5.md5_auth_len
995 != RIP_AUTH_MD5_HASH_LEN)
996 msglim(use_authp, from,
997 "unknown MD5 RIPv2 auth len %#x"
998 " instead of %#x from %s",
999 NA->au.a_md5.md5_auth_len,
1000 (unsigned)RIP_AUTH_MD5_HASH_LEN,
1001 naddr_ntoa(from));
1002 if (na2->a_family != RIP_AF_AUTH)
1003 msglim(use_authp, from,
1004 "unknown MD5 RIPv2 family %#x"
1005 " instead of %#x from %s",
1006 na2->a_family, RIP_AF_AUTH,
1007 naddr_ntoa(from));
1008 if (na2->a_type != ntohs(1))
1009 msglim(use_authp, from,
1010 "MD5 RIPv2 hash has %#x"
1011 " instead of %#x from %s",
1012 na2->a_type, ntohs(1),
1013 naddr_ntoa(from));
1014 }
1015
1016 MD5Init(&md5_ctx);
1017 MD5Update(&md5_ctx, (u_char *)rip,
1018 len + RIP_AUTH_MD5_HASH_XTRA);
1019 MD5Update(&md5_ctx, ap->key, RIP_AUTH_MD5_KEY_LEN);
1020 MD5Final(hash, &md5_ctx);
1021 if (!memcmp(hash, na2->au.au_pw, sizeof(hash)))
1022 return 1;
1023 }
1024 }
1025
1026 msglim(use_authp, from, "bad password from %s",
1027 naddr_ntoa(from));
1028 return 0;
1029 #undef NA
1030 }
1031