1
0
mirror of https://git.FreeBSD.org/src.git synced 2024-12-22 11:17:19 +00:00
freebsd/sbin/routed/input.c
Xin LI b07d93f538 Fix a bug which could make routed(8) daemon exit by sending a special RIP
query from a remote machine, similar to SA-14:21.routed.

Submitted by:	hrs
2015-08-05 22:04:56 +00:00

1035 lines
28 KiB
C

/*
* Copyright (c) 1983, 1988, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* $FreeBSD$
*/
#include "defs.h"
#ifdef __NetBSD__
__RCSID("$NetBSD$");
#elif defined(__FreeBSD__)
__RCSID("$FreeBSD$");
#else
__RCSID("$Revision: 2.26 $");
#ident "$Revision: 2.26 $"
#endif
static void input(struct sockaddr_in *, struct interface *, struct interface *,
struct rip *, int);
static void input_route(naddr, naddr, struct rt_spare *, struct netinfo *);
static int ck_passwd(struct interface *, struct rip *, void *,
naddr, struct msg_limit *);
/* process RIP input
*/
void
read_rip(int sock,
struct interface *sifp)
{
struct sockaddr_in from;
struct interface *aifp;
socklen_t fromlen;
int cc;
#ifdef USE_PASSIFNAME
static struct msg_limit bad_name;
struct {
char ifname[IFNAMSIZ];
union pkt_buf pbuf;
} inbuf;
#else
struct {
union pkt_buf pbuf;
} inbuf;
#endif
for (;;) {
fromlen = sizeof(from);
cc = recvfrom(sock, &inbuf, sizeof(inbuf), 0,
(struct sockaddr*)&from, &fromlen);
if (cc <= 0) {
if (cc < 0 && errno != EWOULDBLOCK)
LOGERR("recvfrom(rip)");
break;
}
if (fromlen != sizeof(struct sockaddr_in))
logbad(1,"impossible recvfrom(rip) fromlen=%d",
(int)fromlen);
/* aifp is the "authenticated" interface via which the packet
* arrived. In fact, it is only the interface on which
* the packet should have arrived based on is source
* address.
* sifp is interface associated with the socket through which
* the packet was received.
*/
#ifdef USE_PASSIFNAME
if ((cc -= sizeof(inbuf.ifname)) < 0)
logbad(0,"missing USE_PASSIFNAME; only %d bytes",
cc+sizeof(inbuf.ifname));
/* check the remote interfaces first */
LIST_FOREACH(aifp, &remote_if, remote_list) {
if (aifp->int_addr == from.sin_addr.s_addr)
break;
}
if (aifp == 0) {
aifp = ifwithname(inbuf.ifname, 0);
if (aifp == 0) {
msglim(&bad_name, from.sin_addr.s_addr,
"impossible interface name %.*s",
IFNAMSIZ, inbuf.ifname);
} else if (((aifp->int_if_flags & IFF_POINTOPOINT)
&& aifp->int_dstaddr!=from.sin_addr.s_addr)
|| (!(aifp->int_if_flags & IFF_POINTOPOINT)
&& !on_net(from.sin_addr.s_addr,
aifp->int_net,
aifp->int_mask))) {
/* If it came via the wrong interface, do not
* trust it.
*/
aifp = 0;
}
}
#else
aifp = iflookup(from.sin_addr.s_addr);
#endif
if (sifp == 0)
sifp = aifp;
input(&from, sifp, aifp, &inbuf.pbuf.rip, cc);
}
}
/* Process a RIP packet
*/
static void
input(struct sockaddr_in *from, /* received from this IP address */
struct interface *sifp, /* interface of incoming socket */
struct interface *aifp, /* "authenticated" interface */
struct rip *rip,
int cc)
{
# define FROM_NADDR from->sin_addr.s_addr
static struct msg_limit use_auth, bad_len, bad_mask;
static struct msg_limit unk_router, bad_router, bad_nhop;
struct rt_entry *rt;
struct rt_spare new;
struct netinfo *n, *lim;
struct interface *ifp1;
naddr gate, mask, v1_mask, dst, ddst_h = 0;
struct auth *ap;
struct tgate *tg = 0;
struct tgate_net *tn;
int i, j;
/* Notice when we hear from a remote gateway
*/
if (aifp != 0
&& (aifp->int_state & IS_REMOTE))
aifp->int_act_time = now.tv_sec;
trace_rip("Recv", "from", from, sifp, rip, cc);
if (sifp == 0) {
trace_pkt(" discard a request from an indirect router"
" (possibly an attack)");
return;
}
if (rip->rip_vers == 0) {
msglim(&bad_router, FROM_NADDR,
"RIP version 0, cmd %d, packet received from %s",
rip->rip_cmd, naddr_ntoa(FROM_NADDR));
return;
} else if (rip->rip_vers > RIPv2) {
rip->rip_vers = RIPv2;
}
if (cc > (int)OVER_MAXPACKETSIZE) {
msglim(&bad_router, FROM_NADDR,
"packet at least %d bytes too long received from %s",
cc-MAXPACKETSIZE, naddr_ntoa(FROM_NADDR));
return;
}
n = rip->rip_nets;
lim = (struct netinfo *)((char*)rip + cc);
/* Notice authentication.
* As required by section 4.2 in RFC 1723, discard authenticated
* RIPv2 messages, but only if configured for that silliness.
*
* RIPv2 authentication is lame. Why authenticate queries?
* Why should a RIPv2 implementation with authentication disabled
* not be able to listen to RIPv2 packets with authentication, while
* RIPv1 systems will listen? Crazy!
*/
if (!auth_ok
&& rip->rip_vers == RIPv2
&& n < lim && n->n_family == RIP_AF_AUTH) {
msglim(&use_auth, FROM_NADDR,
"RIPv2 message with authentication from %s discarded",
naddr_ntoa(FROM_NADDR));
return;
}
switch (rip->rip_cmd) {
case RIPCMD_REQUEST:
/* For mere requests, be a little sloppy about the source
*/
if (aifp == 0)
aifp = sifp;
/* Are we talking to ourself or a remote gateway?
*/
ifp1 = ifwithaddr(FROM_NADDR, 0, 1);
if (ifp1) {
if (ifp1->int_state & IS_REMOTE) {
/* remote gateway */
aifp = ifp1;
if (check_remote(aifp)) {
aifp->int_act_time = now.tv_sec;
(void)if_ok(aifp, "remote ");
}
} else if (from->sin_port == htons(RIP_PORT)) {
trace_pkt(" discard our own RIP request");
return;
}
}
/* did the request come from a router?
*/
if (from->sin_port == htons(RIP_PORT)) {
/* yes, ignore the request if RIP is off so that
* the router does not depend on us.
*/
if (rip_sock < 0
|| (aifp != 0
&& IS_RIP_OUT_OFF(aifp->int_state))) {
trace_pkt(" discard request while RIP off");
return;
}
}
/* According to RFC 1723, we should ignore unauthenticated
* queries. That is too silly to bother with. Sheesh!
* Are forwarding tables supposed to be secret, when
* a bad guy can infer them with test traffic? When RIP
* is still the most common router-discovery protocol
* and so hosts need to send queries that will be answered?
* What about `rtquery`?
* Maybe on firewalls you'd care, but not enough to
* give up the diagnostic facilities of remote probing.
*/
if (n >= lim) {
msglim(&bad_len, FROM_NADDR, "empty request from %s",
naddr_ntoa(FROM_NADDR));
return;
}
if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) {
msglim(&bad_len, FROM_NADDR,
"request of bad length (%d) from %s",
cc, naddr_ntoa(FROM_NADDR));
}
if (rip->rip_vers == RIPv2
&& (aifp == 0 || (aifp->int_state & IS_NO_RIPV1_OUT))) {
v12buf.buf->rip_vers = RIPv2;
/* If we have a secret but it is a cleartext secret,
* do not disclose our secret unless the other guy
* already knows it.
*/
ap = find_auth(aifp);
if (ap != 0 && ap->type == RIP_AUTH_PW
&& n->n_family == RIP_AF_AUTH
&& !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth))
ap = 0;
} else {
v12buf.buf->rip_vers = RIPv1;
ap = 0;
}
clr_ws_buf(&v12buf, ap);
do {
n->n_metric = ntohl(n->n_metric);
/* A single entry with family RIP_AF_UNSPEC and
* metric HOPCNT_INFINITY means "all routes".
* We respond to routers only if we are acting
* as a supplier, or to anyone other than a router
* (i.e. a query).
*/
if (n->n_family == RIP_AF_UNSPEC
&& n->n_metric == HOPCNT_INFINITY) {
/* Answer a query from a utility program
* with all we know.
*/
if (aifp == NULL) {
trace_pkt("ignore remote query");
return;
}
if (from->sin_port != htons(RIP_PORT)) {
/*
* insecure: query from non-router node
* > 1: allow from distant node
* > 0: allow from neighbor node
* == 0: deny
*/
if ((aifp != NULL && insecure > 0) ||
(aifp == NULL && insecure > 1))
supply(from, aifp, OUT_QUERY, 0,
rip->rip_vers, ap != 0);
else
trace_pkt("Warning: "
"possible attack detected");
return;
}
/* A router trying to prime its tables.
* Filter the answer in the about same way
* broadcasts are filtered.
*
* Only answer a router if we are a supplier
* to keep an unwary host that is just starting
* from picking us as a router.
*/
if (aifp == 0) {
trace_pkt("ignore distant router");
return;
}
if (!supplier
|| IS_RIP_OFF(aifp->int_state)) {
trace_pkt("ignore; not supplying");
return;
}
/* Do not answer a RIPv1 router if
* we are sending RIPv2. But do offer
* poor man's router discovery.
*/
if ((aifp->int_state & IS_NO_RIPV1_OUT)
&& rip->rip_vers == RIPv1) {
if (!(aifp->int_state & IS_PM_RDISC)) {
trace_pkt("ignore; sending RIPv2");
return;
}
v12buf.n->n_family = RIP_AF_INET;
v12buf.n->n_dst = RIP_DEFAULT;
i = aifp->int_d_metric;
if (0 != (rt = rtget(RIP_DEFAULT, 0))) {
j = (rt->rt_metric
+aifp->int_metric
+aifp->int_adj_outmetric
+1);
if (i > j)
i = j;
}
v12buf.n->n_metric = htonl(i);
v12buf.n++;
break;
}
/* Respond with RIPv1 instead of RIPv2 if
* that is what we are broadcasting on the
* interface to keep the remote router from
* getting the wrong initial idea of the
* routes we send.
*/
supply(from, aifp, OUT_UNICAST, 0,
(aifp->int_state & IS_NO_RIPV1_OUT)
? RIPv2 : RIPv1,
ap != 0);
return;
}
/* Ignore authentication */
if (n->n_family == RIP_AF_AUTH)
continue;
if (n->n_family != RIP_AF_INET) {
msglim(&bad_router, FROM_NADDR,
"request from %s for unsupported"
" (af %d) %s",
naddr_ntoa(FROM_NADDR),
ntohs(n->n_family),
naddr_ntoa(n->n_dst));
return;
}
/* We are being asked about a specific destination.
*/
dst = n->n_dst;
if (!check_dst(dst)) {
msglim(&bad_router, FROM_NADDR,
"bad queried destination %s from %s",
naddr_ntoa(dst),
naddr_ntoa(FROM_NADDR));
return;
}
/* decide what mask was intended */
if (rip->rip_vers == RIPv1
|| 0 == (mask = ntohl(n->n_mask))
|| 0 != (ntohl(dst) & ~mask))
mask = ripv1_mask_host(dst, aifp);
/* try to find the answer */
rt = rtget(dst, mask);
if (!rt && dst != RIP_DEFAULT)
rt = rtfind(n->n_dst);
if (v12buf.buf->rip_vers != RIPv1)
v12buf.n->n_mask = mask;
if (rt == 0) {
/* we do not have the answer */
v12buf.n->n_metric = HOPCNT_INFINITY;
} else {
/* we have the answer, so compute the
* right metric and next hop.
*/
v12buf.n->n_family = RIP_AF_INET;
v12buf.n->n_dst = dst;
j = rt->rt_metric+1;
if (!aifp)
++j;
else
j += (aifp->int_metric
+ aifp->int_adj_outmetric);
if (j < HOPCNT_INFINITY)
v12buf.n->n_metric = j;
else
v12buf.n->n_metric = HOPCNT_INFINITY;
if (v12buf.buf->rip_vers != RIPv1) {
v12buf.n->n_tag = rt->rt_tag;
v12buf.n->n_mask = mask;
if (aifp != 0
&& on_net(rt->rt_gate,
aifp->int_net,
aifp->int_mask)
&& rt->rt_gate != aifp->int_addr)
v12buf.n->n_nhop = rt->rt_gate;
}
}
v12buf.n->n_metric = htonl(v12buf.n->n_metric);
/* Stop paying attention if we fill the output buffer.
*/
if (++v12buf.n >= v12buf.lim)
break;
} while (++n < lim);
/* Send the answer about specific routes.
*/
if (ap != 0 && ap->type == RIP_AUTH_MD5)
end_md5_auth(&v12buf, ap);
if (from->sin_port != htons(RIP_PORT)) {
/* query */
(void)output(OUT_QUERY, from, aifp,
v12buf.buf,
((char *)v12buf.n - (char*)v12buf.buf));
} else if (supplier) {
(void)output(OUT_UNICAST, from, aifp,
v12buf.buf,
((char *)v12buf.n - (char*)v12buf.buf));
} else {
/* Only answer a router if we are a supplier
* to keep an unwary host that is just starting
* from picking us an a router.
*/
;
}
return;
case RIPCMD_TRACEON:
case RIPCMD_TRACEOFF:
/* Notice that trace messages are turned off for all possible
* abuse if _PATH_TRACE is undefined in pathnames.h.
* Notice also that because of the way the trace file is
* handled in trace.c, no abuse is plausible even if
* _PATH_TRACE_ is defined.
*
* First verify message came from a privileged port. */
if (ntohs(from->sin_port) > IPPORT_RESERVED) {
msglog("trace command from untrusted port on %s",
naddr_ntoa(FROM_NADDR));
return;
}
if (aifp == 0) {
msglog("trace command from unknown router %s",
naddr_ntoa(FROM_NADDR));
return;
}
if (rip->rip_cmd == RIPCMD_TRACEON) {
rip->rip_tracefile[cc-4] = '\0';
set_tracefile((char*)rip->rip_tracefile,
"trace command: %s\n", 0);
} else {
trace_off("tracing turned off by %s",
naddr_ntoa(FROM_NADDR));
}
return;
case RIPCMD_RESPONSE:
if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) {
msglim(&bad_len, FROM_NADDR,
"response of bad length (%d) from %s",
cc, naddr_ntoa(FROM_NADDR));
}
/* verify message came from a router */
if (from->sin_port != ntohs(RIP_PORT)) {
msglim(&bad_router, FROM_NADDR,
" discard RIP response from unknown port"
" %d on %s",
ntohs(from->sin_port), naddr_ntoa(FROM_NADDR));
return;
}
if (rip_sock < 0) {
trace_pkt(" discard response while RIP off");
return;
}
/* Are we talking to ourself or a remote gateway?
*/
ifp1 = ifwithaddr(FROM_NADDR, 0, 1);
if (ifp1) {
if (ifp1->int_state & IS_REMOTE) {
/* remote gateway */
aifp = ifp1;
if (check_remote(aifp)) {
aifp->int_act_time = now.tv_sec;
(void)if_ok(aifp, "remote ");
}
} else {
trace_pkt(" discard our own RIP response");
return;
}
}
/* Accept routing packets from routers directly connected
* via broadcast or point-to-point networks, and from
* those listed in /etc/gateways.
*/
if (aifp == 0) {
msglim(&unk_router, FROM_NADDR,
" discard response from %s"
" via unexpected interface",
naddr_ntoa(FROM_NADDR));
return;
}
if (IS_RIP_IN_OFF(aifp->int_state)) {
trace_pkt(" discard RIPv%d response"
" via disabled interface %s",
rip->rip_vers, aifp->int_name);
return;
}
if (n >= lim) {
msglim(&bad_len, FROM_NADDR, "empty response from %s",
naddr_ntoa(FROM_NADDR));
return;
}
if (((aifp->int_state & IS_NO_RIPV1_IN)
&& rip->rip_vers == RIPv1)
|| ((aifp->int_state & IS_NO_RIPV2_IN)
&& rip->rip_vers != RIPv1)) {
trace_pkt(" discard RIPv%d response",
rip->rip_vers);
return;
}
/* Ignore routes via dead interface.
*/
if (aifp->int_state & IS_BROKE) {
trace_pkt("discard response via broken interface %s",
aifp->int_name);
return;
}
/* If the interface cares, ignore bad routers.
* Trace but do not log this problem, because where it
* happens, it happens frequently.
*/
if (aifp->int_state & IS_DISTRUST) {
tg = tgates;
while (tg->tgate_addr != FROM_NADDR) {
tg = tg->tgate_next;
if (tg == 0) {
trace_pkt(" discard RIP response"
" from untrusted router %s",
naddr_ntoa(FROM_NADDR));
return;
}
}
}
/* Authenticate the packet if we have a secret.
* If we do not have any secrets, ignore the error in
* RFC 1723 and accept it regardless.
*/
if (aifp->int_auth[0].type != RIP_AUTH_NONE
&& rip->rip_vers != RIPv1
&& !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth))
return;
do {
if (n->n_family == RIP_AF_AUTH)
continue;
n->n_metric = ntohl(n->n_metric);
dst = n->n_dst;
if (n->n_family != RIP_AF_INET
&& (n->n_family != RIP_AF_UNSPEC
|| dst != RIP_DEFAULT)) {
msglim(&bad_router, FROM_NADDR,
"route from %s to unsupported"
" address family=%d destination=%s",
naddr_ntoa(FROM_NADDR),
n->n_family,
naddr_ntoa(dst));
continue;
}
if (!check_dst(dst)) {
msglim(&bad_router, FROM_NADDR,
"bad destination %s from %s",
naddr_ntoa(dst),
naddr_ntoa(FROM_NADDR));
return;
}
if (n->n_metric == 0
|| n->n_metric > HOPCNT_INFINITY) {
msglim(&bad_router, FROM_NADDR,
"bad metric %d from %s"
" for destination %s",
n->n_metric,
naddr_ntoa(FROM_NADDR),
naddr_ntoa(dst));
return;
}
/* Notice the next-hop.
*/
gate = FROM_NADDR;
if (n->n_nhop != 0) {
if (rip->rip_vers == RIPv1) {
n->n_nhop = 0;
} else {
/* Use it only if it is valid. */
if (on_net(n->n_nhop,
aifp->int_net, aifp->int_mask)
&& check_dst(n->n_nhop)) {
gate = n->n_nhop;
} else {
msglim(&bad_nhop, FROM_NADDR,
"router %s to %s"
" has bad next hop %s",
naddr_ntoa(FROM_NADDR),
naddr_ntoa(dst),
naddr_ntoa(n->n_nhop));
n->n_nhop = 0;
}
}
}
if (rip->rip_vers == RIPv1
|| 0 == (mask = ntohl(n->n_mask))) {
mask = ripv1_mask_host(dst,aifp);
} else if ((ntohl(dst) & ~mask) != 0) {
msglim(&bad_mask, FROM_NADDR,
"router %s sent bad netmask"
" %#lx with %s",
naddr_ntoa(FROM_NADDR),
(u_long)mask,
naddr_ntoa(dst));
continue;
}
if (rip->rip_vers == RIPv1)
n->n_tag = 0;
/* Adjust metric according to incoming interface..
*/
n->n_metric += (aifp->int_metric
+ aifp->int_adj_inmetric);
if (n->n_metric > HOPCNT_INFINITY)
n->n_metric = HOPCNT_INFINITY;
/* Should we trust this route from this router? */
if (tg && (tn = tg->tgate_nets)->mask != 0) {
for (i = 0; i < MAX_TGATE_NETS; i++, tn++) {
if (on_net(dst, tn->net, tn->mask)
&& tn->mask <= mask)
break;
}
if (i >= MAX_TGATE_NETS || tn->mask == 0) {
trace_pkt(" ignored unauthorized %s",
addrname(dst,mask,0));
continue;
}
}
/* Recognize and ignore a default route we faked
* which is being sent back to us by a machine with
* broken split-horizon.
* Be a little more paranoid than that, and reject
* default routes with the same metric we advertised.
*/
if (aifp->int_d_metric != 0
&& dst == RIP_DEFAULT
&& (int)n->n_metric >= aifp->int_d_metric)
continue;
/* We can receive aggregated RIPv2 routes that must
* be broken down before they are transmitted by
* RIPv1 via an interface on a subnet.
* We might also receive the same routes aggregated
* via other RIPv2 interfaces.
* This could cause duplicate routes to be sent on
* the RIPv1 interfaces. "Longest matching variable
* length netmasks" lets RIPv2 listeners understand,
* but breaking down the aggregated routes for RIPv1
* listeners can produce duplicate routes.
*
* Breaking down aggregated routes here bloats
* the daemon table, but does not hurt the kernel
* table, since routes are always aggregated for
* the kernel.
*
* Notice that this does not break down network
* routes corresponding to subnets. This is part
* of the defense against RS_NET_SYN.
*/
if (have_ripv1_out
&& (((rt = rtget(dst,mask)) == 0
|| !(rt->rt_state & RS_NET_SYN)))
&& (v1_mask = ripv1_mask_net(dst,0)) > mask) {
ddst_h = v1_mask & -v1_mask;
i = (v1_mask & ~mask)/ddst_h;
if (i >= 511) {
/* Punt if we would have to generate
* an unreasonable number of routes.
*/
if (TRACECONTENTS)
trace_misc("accept %s-->%s as 1"
" instead of %d routes",
addrname(dst,mask,0),
naddr_ntoa(FROM_NADDR),
i+1);
i = 0;
} else {
mask = v1_mask;
}
} else {
i = 0;
}
new.rts_gate = gate;
new.rts_router = FROM_NADDR;
new.rts_metric = n->n_metric;
new.rts_tag = n->n_tag;
new.rts_time = now.tv_sec;
new.rts_ifp = aifp;
new.rts_de_ag = i;
j = 0;
for (;;) {
input_route(dst, mask, &new, n);
if (++j > i)
break;
dst = htonl(ntohl(dst) + ddst_h);
}
} while (++n < lim);
break;
}
#undef FROM_NADDR
}
/* Process a single input route.
*/
static void
input_route(naddr dst, /* network order */
naddr mask,
struct rt_spare *new,
struct netinfo *n)
{
int i;
struct rt_entry *rt;
struct rt_spare *rts, *rts0;
struct interface *ifp1;
/* See if the other guy is telling us to send our packets to him.
* Sometimes network routes arrive over a point-to-point link for
* the network containing the address(es) of the link.
*
* If our interface is broken, switch to using the other guy.
*/
ifp1 = ifwithaddr(dst, 1, 1);
if (ifp1 != 0
&& (!(ifp1->int_state & IS_BROKE)
|| (ifp1->int_state & IS_PASSIVE)))
return;
/* Look for the route in our table.
*/
rt = rtget(dst, mask);
/* Consider adding the route if we do not already have it.
*/
if (rt == 0) {
/* Ignore unknown routes being poisoned.
*/
if (new->rts_metric == HOPCNT_INFINITY)
return;
/* Ignore the route if it points to us */
if (n->n_nhop != 0
&& 0 != ifwithaddr(n->n_nhop, 1, 0))
return;
/* If something has not gone crazy and tried to fill
* our memory, accept the new route.
*/
if (total_routes < MAX_ROUTES)
rtadd(dst, mask, 0, new);
return;
}
/* We already know about the route. Consider this update.
*
* If (rt->rt_state & RS_NET_SYN), then this route
* is the same as a network route we have inferred
* for subnets we know, in order to tell RIPv1 routers
* about the subnets.
*
* It is impossible to tell if the route is coming
* from a distant RIPv2 router with the standard
* netmask because that router knows about the entire
* network, or if it is a round-about echo of a
* synthetic, RIPv1 network route of our own.
* The worst is that both kinds of routes might be
* received, and the bad one might have the smaller
* metric. Partly solve this problem by never
* aggregating into such a route. Also keep it
* around as long as the interface exists.
*/
rts0 = rt->rt_spares;
for (rts = rts0, i = NUM_SPARES; i != 0; i--, rts++) {
if (rts->rts_router == new->rts_router)
break;
/* Note the worst slot to reuse,
* other than the current slot.
*/
if (rts0 == rt->rt_spares
|| BETTER_LINK(rt, rts0, rts))
rts0 = rts;
}
if (i != 0) {
/* Found a route from the router already in the table.
*/
/* If the new route is a route broken down from an
* aggregated route, and if the previous route is either
* not a broken down route or was broken down from a finer
* netmask, and if the previous route is current,
* then forget this one.
*/
if (new->rts_de_ag > rts->rts_de_ag
&& now_stale <= rts->rts_time)
return;
/* Keep poisoned routes around only long enough to pass
* the poison on. Use a new timestamp for good routes.
*/
if (rts->rts_metric == HOPCNT_INFINITY
&& new->rts_metric == HOPCNT_INFINITY)
new->rts_time = rts->rts_time;
/* If this is an update for the router we currently prefer,
* then note it.
*/
if (i == NUM_SPARES) {
rtchange(rt, rt->rt_state, new, 0);
/* If the route got worse, check for something better.
*/
if (new->rts_metric > rts->rts_metric)
rtswitch(rt, 0);
return;
}
/* This is an update for a spare route.
* Finished if the route is unchanged.
*/
if (rts->rts_gate == new->rts_gate
&& rts->rts_metric == new->rts_metric
&& rts->rts_tag == new->rts_tag) {
trace_upslot(rt, rts, new);
*rts = *new;
return;
}
/* Forget it if it has gone bad.
*/
if (new->rts_metric == HOPCNT_INFINITY) {
rts_delete(rt, rts);
return;
}
} else {
/* The update is for a route we know about,
* but not from a familiar router.
*
* Ignore the route if it points to us.
*/
if (n->n_nhop != 0
&& 0 != ifwithaddr(n->n_nhop, 1, 0))
return;
/* the loop above set rts0=worst spare */
rts = rts0;
/* Save the route as a spare only if it has
* a better metric than our worst spare.
* This also ignores poisoned routes (those
* received with metric HOPCNT_INFINITY).
*/
if (new->rts_metric >= rts->rts_metric)
return;
}
trace_upslot(rt, rts, new);
*rts = *new;
/* try to switch to a better route */
rtswitch(rt, rts);
}
static int /* 0 if bad */
ck_passwd(struct interface *aifp,
struct rip *rip,
void *lim,
naddr from,
struct msg_limit *use_authp)
{
# define NA (rip->rip_auths)
struct netauth *na2;
struct auth *ap;
MD5_CTX md5_ctx;
u_char hash[RIP_AUTH_PW_LEN];
int i, len;
assert(aifp != NULL);
if ((void *)NA >= lim || NA->a_family != RIP_AF_AUTH) {
msglim(use_authp, from, "missing password from %s",
naddr_ntoa(from));
return 0;
}
/* accept any current (+/- 24 hours) password
*/
for (ap = aifp->int_auth, i = 0; i < MAX_AUTH_KEYS; i++, ap++) {
if (ap->type != NA->a_type
|| (u_long)ap->start > (u_long)clk.tv_sec+DAY
|| (u_long)ap->end+DAY < (u_long)clk.tv_sec)
continue;
if (NA->a_type == RIP_AUTH_PW) {
if (!memcmp(NA->au.au_pw, ap->key, RIP_AUTH_PW_LEN))
return 1;
} else {
/* accept MD5 secret with the right key ID
*/
if (NA->au.a_md5.md5_keyid != ap->keyid)
continue;
len = ntohs(NA->au.a_md5.md5_pkt_len);
if ((len-sizeof(*rip)) % sizeof(*NA) != 0
|| len != (char *)lim-(char*)rip-(int)sizeof(*NA)) {
msglim(use_authp, from,
"wrong MD5 RIPv2 packet length of %d"
" instead of %d from %s",
len, (int)((char *)lim-(char *)rip
-sizeof(*NA)),
naddr_ntoa(from));
return 0;
}
na2 = (struct netauth *)((char *)rip+len);
/* Given a good hash value, these are not security
* problems so be generous and accept the routes,
* after complaining.
*/
if (TRACEPACKETS) {
if (NA->au.a_md5.md5_auth_len
!= RIP_AUTH_MD5_HASH_LEN)
msglim(use_authp, from,
"unknown MD5 RIPv2 auth len %#x"
" instead of %#x from %s",
NA->au.a_md5.md5_auth_len,
(unsigned)RIP_AUTH_MD5_HASH_LEN,
naddr_ntoa(from));
if (na2->a_family != RIP_AF_AUTH)
msglim(use_authp, from,
"unknown MD5 RIPv2 family %#x"
" instead of %#x from %s",
na2->a_family, RIP_AF_AUTH,
naddr_ntoa(from));
if (na2->a_type != ntohs(1))
msglim(use_authp, from,
"MD5 RIPv2 hash has %#x"
" instead of %#x from %s",
na2->a_type, ntohs(1),
naddr_ntoa(from));
}
MD5Init(&md5_ctx);
MD5Update(&md5_ctx, (u_char *)rip,
len + RIP_AUTH_MD5_HASH_XTRA);
MD5Update(&md5_ctx, ap->key, RIP_AUTH_MD5_KEY_LEN);
MD5Final(hash, &md5_ctx);
if (!memcmp(hash, na2->au.au_pw, sizeof(hash)))
return 1;
}
}
msglim(use_authp, from, "bad password from %s",
naddr_ntoa(from));
return 0;
#undef NA
}