From b9f70ced25d5437114acd4139d3d10238ddb6ac8 Mon Sep 17 00:00:00 2001
From: Hiroki Sato
Date: Sun, 21 Sep 2014 04:00:28 +0000
Subject: [PATCH] Fix a bug which could make routed(8) daemon exit by sending a special RIP query from a remote machine, and disable accepting it by default. This requests a routed(8) daemon to dump routing information base for debugging purpose. An -i flag to enable it has been added.
---
 sbin/routed/defs.h | 1 +
 sbin/routed/input.c | 15 +++++++++++++--
 sbin/routed/main.c | 6 +++++-
 sbin/routed/output.c | 2 --
 sbin/routed/routed.8 | 18 ++++++++++++++++--
 5 files changed, 35 insertions(+), 7 deletions(-)
diff --git a/sbin/routed/defs.h b/sbin/routed/defs.h
index c42cd806e150..a31d6f596e96 100644
--- a/sbin/routed/defs.h
+++ b/sbin/routed/defs.h
@@ -462,6 +462,7 @@ extern int ridhosts; /* 1=reduce host routes */
 extern int mhome; /* 1=want multi-homed host route */
 extern int advertise_mhome; /* 1=must continue advertising it */
 extern int auth_ok; /* 1=ignore auth if we do not care */
+extern int insecure; /* Reply to special queries or not */
 extern struct timeval clk; /* system clock's idea of time */
 extern struct timeval epoch; /* system clock when started */
diff --git a/sbin/routed/input.c b/sbin/routed/input.c
index 8f8eefc5614c..901c4f3e6b9e 100644
--- a/sbin/routed/input.c
+++ b/sbin/routed/input.c
@@ -289,8 +289,19 @@ input(struct sockaddr_in *from, /* received from this IP address */
 * with all we know.
 */
 if (from->sin_port != htons(RIP_PORT)) {
-supply(from, aifp, OUT_QUERY, 0,
-rip->rip_vers, ap != 0);
+/*
+* insecure: query from non-router node
+* > 1: allow from distant node
+* > 0: allow from neighbor node
+* == 0: deny
+*/
+if ((aifp != NULL && insecure > 0) ||
+(aifp == NULL && insecure > 1))
+supply(from, aifp, OUT_QUERY, 0,
+rip->rip_vers, ap != 0);
+else
+trace_pkt("Warning: "
+"possible attack detected");
 return;
 }
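Review bot: The comment on the new `insecure` declaration reads as a yes/no flag, but input.c treats it as a level (0 = deny, 1 = answer neighbour nodes only, greater than 1 = answer any host) and main.c bumps it once per `-i`, so the declaration should say so; the same comment appears on the definition in the main.c hunk. Suggest `/* 0=deny special queries, 1=answer neighbors, 2+=answer any host */` on both the declaration here and the definition in main.c.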
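Review bot: The denied-query branch in the input.c hunk records only `"possible attack detected"`, which gives an operator reading the trace no way to tell which host sent the query or whether it came from an adjacent interface; both facts are at hand in `from` and `aifp`. If `trace_pkt` takes printf-style arguments like the other trace calls in this daemon, the message should carry the source address, e.g. `trace_pkt("Warning: possible attack detected, query from %s", naddr_ntoa(from->sin_addr.s_addr));`, and a comment above it noting that `aifp == NULL` means the sender is not on a directly attached network would make the `insecure > 1` condition self-explanatory. The body of input() continues outside this hunk.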
diff --git a/sbin/routed/main.c b/sbin/routed/main.c
index 1658d2e48cd8..5ebd7ec03a67 100644
--- a/sbin/routed/main.c
+++ b/sbin/routed/main.c
@@ -68,6 +68,7 @@ int ridhosts; /* 1=reduce host routes */
 int mhome; /* 1=want multi-homed host route */
 int advertise_mhome; /* 1=must continue advertising it */
 int auth_ok = 1; /* 1=ignore auth if we do not care */
+int insecure; /* Reply to special queries or not */
 struct timeval epoch; /* when started */
 struct timeval clk;
@@ -136,8 +137,11 @@ main(int argc,
 (void)gethostname(myname, sizeof(myname)-1);
 (void)gethost(myname, &myaddr);
-while ((n = getopt(argc, argv, "sqdghmAtvT:F:P:")) != -1) {
+while ((n = getopt(argc, argv, "isqdghmAtvT:F:P:")) != -1) {
 switch (n) {
+case 'i':
+insecure++;
+break;
 case 's':
 supplier = 1;
 supplier_set = 1;
diff --git a/sbin/routed/output.c b/sbin/routed/output.c
index 53eb4a5cff99..c2ed468c12c9 100644
--- a/sbin/routed/output.c
+++ b/sbin/routed/output.c
@@ -673,8 +673,6 @@ supply(struct sockaddr_in *dst,
 struct rt_entry *rt;
 int def_metric;
-assert(ifp != NULL);
 ws.state = 0;
 ws.gen_limit = 1024;
diff --git a/sbin/routed/routed.8 b/sbin/routed/routed.8
index 2f8a02176d3d..dfe39d0f9567 100644
--- a/sbin/routed/routed.8
+++ b/sbin/routed/routed.8
@@ -30,7 +30,7 @@
 .\" @(#)routed.8 8.2 (Berkeley) 12/11/93
 .\" $FreeBSD$
 .\"
-.Dd June 1, 1996
+.Dd August 26, 2014
 .Dt ROUTED 8
 .Os
 .Sh NAME
@@ -39,7 +39,7 @@
 .Nd network RIP and router discovery routing daemon
 .Sh SYNOPSIS
 .Nm
-.Op Fl sqdghmpAtv
+.Op Fl isqdghmpAtv
 .Op Fl T Ar tracefile
 .Oo
 .Fl F
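Review bot: The `case 'i':` added to the getopt loop in the second main.c hunk is the only place the new option is wired in; the diffstat lists five insertions and one deletion for main.c, all visible here, so if main.c prints a usage string listing the option letters (the manual page's SYNOPSIS was updated to `-isqdghmpAtv`), that string is not updated in this commit and should be checked. A short comment on the new case, `/* each -i raises the level: 1=neighbors, 2=any host */`, would tie the counter to the check in input.c. The body of main() continues outside the hunk.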
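Review bot: Removing `assert(ifp != NULL)` in the output.c hunk makes a NULL `ifp` a supported input to supply(), since input.c now calls it with `aifp == NULL` when `insecure > 1`, but nothing in the hunk shows that the rest of supply() guards every use of `ifp`; the function body continues outside the hunk and each dereference there should be confirmed to be behind a NULL check before this is merged. The function's header comment (also outside the hunk) should state the new contract, e.g. `/* ifp may be NULL when answering a query from a host that is not on a directly attached network (-ii); no interface-specific parameters apply then */`.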
@@ -250,6 +250,20 @@ to infer the netmask used by the remote system when RIPv1 is used.
 .Pp
 The following options are available:
 .Bl -tag -width indent
+.It Fl i
+allow
+.Nm
+to accept a RIP request from non-router node.
+When specified once,
+.Nm
+replies to a route information query from neighbor nodes.
+When specified twice,
+it replies to a query from remote nodes in addition.
+.Xr rtquery 8
+utility can be used to send a request.
+.Pp
+This feature is disabled by default because of a risk of reflection attack
+though it useful for debugging purpose,
 .It Fl s
 force
 .Nm