1 /* 2 * Routine to disable IP-level socket options. This code was taken from 4.4BSD 3 * rlogind and kernel source, but all mistakes in it are my fault. 4 * 5 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
| 1 /* 2 * Routine to disable IP-level socket options. This code was taken from 4.4BSD 3 * rlogind and kernel source, but all mistakes in it are my fault. 4 * 5 * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
|
14#include <netinet/in.h> 15#include <netinet/in_systm.h> 16#include <netinet/ip.h> 17#include <netdb.h> 18#include <stdio.h> 19#include <syslog.h> 20 21#ifndef IPOPT_OPTVAL 22#define IPOPT_OPTVAL 0 23#define IPOPT_OLEN 1 24#endif 25 26#include "tcpd.h" 27 28#define BUFFER_SIZE 512 /* Was: BUFSIZ */ 29 30/* fix_options - get rid of IP-level socket options */ 31 32fix_options(request) 33struct request_info *request; 34{ 35#ifdef IP_OPTIONS 36 unsigned char optbuf[BUFFER_SIZE / 3], *cp; 37 char lbuf[BUFFER_SIZE], *lp; 38 int optsize = sizeof(optbuf), ipproto; 39 struct protoent *ip; 40 int fd = request->fd; 41 unsigned int opt; 42 int optlen; 43 struct in_addr dummy;
| 19#include <netinet/in.h> 20#include <netinet/in_systm.h> 21#include <netinet/ip.h> 22#include <netdb.h> 23#include <stdio.h> 24#include <syslog.h> 25 26#ifndef IPOPT_OPTVAL 27#define IPOPT_OPTVAL 0 28#define IPOPT_OLEN 1 29#endif 30 31#include "tcpd.h" 32 33#define BUFFER_SIZE 512 /* Was: BUFSIZ */ 34 35/* fix_options - get rid of IP-level socket options */ 36 37fix_options(request) 38struct request_info *request; 39{ 40#ifdef IP_OPTIONS 41 unsigned char optbuf[BUFFER_SIZE / 3], *cp; 42 char lbuf[BUFFER_SIZE], *lp; 43 int optsize = sizeof(optbuf), ipproto; 44 struct protoent *ip; 45 int fd = request->fd; 46 unsigned int opt; 47 int optlen; 48 struct in_addr dummy;
|
45 if ((ip = getprotobyname("ip")) != 0) 46 ipproto = ip->p_proto; 47 else 48 ipproto = IPPROTO_IP; 49 50 if (getsockopt(fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0 51 && optsize != 0) { 52 53 /* 54 * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination 55 * address to the result IP options list when source routing options 56 * are present (see <netinet/ip_var.h>), but produces no output for 57 * other IP options. Solaris 2.x getsockopt() does produce output for 58 * non-routing IP options, and uses the same format as BSD even when 59 * the space for the destination address is unused. The code below 60 * does the right thing with 4.[34]BSD derivatives and Solaris 2, but 61 * may occasionally miss source routing options on incompatible 62 * systems such as Linux. Their choice. 63 * 64 * Look for source routing options. Drop the connection when one is 65 * found. Just wiping the IP options is insufficient: we would still 66 * help the attacker by providing a real TCP sequence number, and the 67 * attacker would still be able to send packets (blind spoofing). I 68 * discussed this attack with Niels Provos, half a year before the 69 * attack was described in open mailing lists. 70 * 71 * It would be cleaner to just return a yes/no reply and let the caller 72 * decide how to deal with it. Resident servers should not terminate. 73 * However I am not prepared to make changes to internal interfaces 74 * on short notice. 75 */ 76#define ADDR_LEN sizeof(dummy.s_addr) 77 78 for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) { 79 opt = cp[IPOPT_OPTVAL]; 80 if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) { 81 syslog(LOG_WARNING, 82 "refused connect from %s with IP source routing options", 83 eval_client(request)); 84 shutdown(fd, 2); 85 return; 86 } 87 if (opt == IPOPT_EOL) 88 break; 89 if (opt == IPOPT_NOP) { 90 optlen = 1; 91 } else { 92 optlen = cp[IPOPT_OLEN]; 93 if (optlen <= 0) /* Do not loop! */ 94 break; 95 } 96 } 97 lp = lbuf; 98 for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3) 99 sprintf(lp, " %2.2x", *cp); 100 syslog(LOG_NOTICE, 101 "connect from %s with IP options (ignored):%s", 102 eval_client(request), lbuf); 103 if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) { 104 syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m"); 105 shutdown(fd, 2); 106 } 107 } 108#endif 109}
| 66 if ((ip = getprotobyname("ip")) != 0) 67 ipproto = ip->p_proto; 68 else 69 ipproto = IPPROTO_IP; 70 71 if (getsockopt(fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0 72 && optsize != 0) { 73 74 /* 75 * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination 76 * address to the result IP options list when source routing options 77 * are present (see <netinet/ip_var.h>), but produces no output for 78 * other IP options. Solaris 2.x getsockopt() does produce output for 79 * non-routing IP options, and uses the same format as BSD even when 80 * the space for the destination address is unused. The code below 81 * does the right thing with 4.[34]BSD derivatives and Solaris 2, but 82 * may occasionally miss source routing options on incompatible 83 * systems such as Linux. Their choice. 84 * 85 * Look for source routing options. Drop the connection when one is 86 * found. Just wiping the IP options is insufficient: we would still 87 * help the attacker by providing a real TCP sequence number, and the 88 * attacker would still be able to send packets (blind spoofing). I 89 * discussed this attack with Niels Provos, half a year before the 90 * attack was described in open mailing lists. 91 * 92 * It would be cleaner to just return a yes/no reply and let the caller 93 * decide how to deal with it. Resident servers should not terminate. 94 * However I am not prepared to make changes to internal interfaces 95 * on short notice. 96 */ 97#define ADDR_LEN sizeof(dummy.s_addr) 98 99 for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) { 100 opt = cp[IPOPT_OPTVAL]; 101 if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) { 102 syslog(LOG_WARNING, 103 "refused connect from %s with IP source routing options", 104 eval_client(request)); 105 shutdown(fd, 2); 106 return; 107 } 108 if (opt == IPOPT_EOL) 109 break; 110 if (opt == IPOPT_NOP) { 111 optlen = 1; 112 } else { 113 optlen = cp[IPOPT_OLEN]; 114 if (optlen <= 0) /* Do not loop! */ 115 break; 116 } 117 } 118 lp = lbuf; 119 for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3) 120 sprintf(lp, " %2.2x", *cp); 121 syslog(LOG_NOTICE, 122 "connect from %s with IP options (ignored):%s", 123 eval_client(request), lbuf); 124 if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) { 125 syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m"); 126 shutdown(fd, 2); 127 } 128 } 129#endif 130}
|