1 /*
2  * Routine to disable IP-level socket options. This code was taken from 4.4BSD
3  * rlogind and kernel source, but all mistakes in it are my fault.
4  *
5  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
6  *
7  * $FreeBSD$
8  */
9
10#ifndef lint
11static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19";
12#endif
13
14#include <sys/types.h>
15#include <sys/param.h>
16#ifdef INET6
17#include <sys/socket.h>
18#endif
19#include <netinet/in.h>
20#include <netinet/in_systm.h>
21#include <netinet/ip.h>
22#include <netdb.h>
23#include <stdio.h>
24#include <syslog.h>
25
26#ifndef IPOPT_OPTVAL
27#define IPOPT_OPTVAL	0
28#define IPOPT_OLEN	1
29#endif
30
31#include "tcpd.h"
32
33#define BUFFER_SIZE	512		/* Was: BUFSIZ */
34
35/* fix_options - get rid of IP-level socket options */
36
37void
38fix_options(request)
39struct request_info *request;
40{
41#ifdef IP_OPTIONS
42    unsigned char optbuf[BUFFER_SIZE / 3], *cp;
43    char    lbuf[BUFFER_SIZE], *lp;
44    int     optsize = sizeof(optbuf), ipproto;
45    struct protoent *ip;
46    int     fd = request->fd;
47    unsigned int opt;
48    int     optlen;
49    struct in_addr dummy;
50#ifdef INET6
51    struct sockaddr_storage ss;
52    int sslen;
53
54    /*
55     * check if this is AF_INET socket
56     * XXX IPv6 support?
57     */
58    sslen = sizeof(ss);
59    if (getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0) {
60	syslog(LOG_ERR, "getpeername: %m");
61	clean_exit(request);
62    }
63    if (ss.ss_family != AF_INET)
64	return;
65#endif
66
67    if ((ip = getprotobyname("ip")) != 0)
68	ipproto = ip->p_proto;
69    else
70	ipproto = IPPROTO_IP;
71
72    if (getsockopt(fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0
73	&& optsize != 0) {
74
75	/*
76	 * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination
77	 * address to the result IP options list when source routing options
78	 * are present (see <netinet/ip_var.h>), but produces no output for
79	 * other IP options. Solaris 2.x getsockopt() does produce output for
80	 * non-routing IP options, and uses the same format as BSD even when
81	 * the space for the destination address is unused. The code below
82	 * does the right thing with 4.[34]BSD derivatives and Solaris 2, but
83	 * may occasionally miss source routing options on incompatible
84	 * systems such as Linux. Their choice.
85	 *
86	 * Look for source routing options. Drop the connection when one is
87	 * found. Just wiping the IP options is insufficient: we would still
88	 * help the attacker by providing a real TCP sequence number, and the
89	 * attacker would still be able to send packets (blind spoofing). I
90	 * discussed this attack with Niels Provos, half a year before the
91	 * attack was described in open mailing lists.
92	 *
93	 * It would be cleaner to just return a yes/no reply and let the caller
94	 * decide how to deal with it. Resident servers should not terminate.
95	 * However I am not prepared to make changes to internal interfaces
96	 * on short notice.
97	 */
98#define ADDR_LEN sizeof(dummy.s_addr)
99
100	for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) {
101	    opt = cp[IPOPT_OPTVAL];
102	    if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
103		syslog(LOG_WARNING,
104		   "refused connect from %s with IP source routing options",
105		       eval_client(request));
106		shutdown(fd, 2);
107		return;
108	    }
109	    if (opt == IPOPT_EOL)
110		break;
111	    if (opt == IPOPT_NOP) {
112		optlen = 1;
113	    } else {
114		optlen = cp[IPOPT_OLEN];
115		if (optlen <= 0)		/* Do not loop! */
116		    break;
117	    }
118	}
119	lp = lbuf;
120	for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
121	    sprintf(lp, " %2.2x", *cp);
122	syslog(LOG_NOTICE,
123	       "connect from %s with IP options (ignored):%s",
124	       eval_client(request), lbuf);
125	if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) {
126	    syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
127	    shutdown(fd, 2);
128	}
129    }
130#endif
131}
132