1/*- 2 * SPDX-License-Identifier: BSD-3-Clause 3 * 4 * Copyright (c) 1983, 1988, 1993 5 * The Regents of the University of California. All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the University nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 * 31 * $FreeBSD$ 32 */ 33 34#include "defs.h" 35 36#ifdef __NetBSD__ 37__RCSID("$NetBSD$"); 38#elif defined(__FreeBSD__) 39__RCSID("$FreeBSD$"); 40#else 41__RCSID("$Revision: 2.26 $"); 42#ident "$Revision: 2.26 $" 43#endif 44 45static void input(struct sockaddr_in *, struct interface *, struct interface *, 46 struct rip *, int); 47static void input_route(naddr, naddr, struct rt_spare *, struct netinfo *); 48static int ck_passwd(struct interface *, struct rip *, void *, 49 naddr, struct msg_limit *); 50 51 52/* process RIP input 53 */ 54void 55read_rip(int sock, 56 struct interface *sifp) 57{ 58 struct sockaddr_in from; 59 struct interface *aifp; 60 socklen_t fromlen; 61 int cc; 62#ifdef USE_PASSIFNAME 63 static struct msg_limit bad_name; 64 struct { 65 char ifname[IFNAMSIZ]; 66 union pkt_buf pbuf; 67 } inbuf; 68#else 69 struct { 70 union pkt_buf pbuf; 71 } inbuf; 72#endif 73 74 75 for (;;) { 76 fromlen = sizeof(from); 77 cc = recvfrom(sock, &inbuf, sizeof(inbuf), 0, 78 (struct sockaddr*)&from, &fromlen); 79 if (cc <= 0) { 80 if (cc < 0 && errno != EWOULDBLOCK) 81 LOGERR("recvfrom(rip)"); 82 break; 83 } 84 if (fromlen != sizeof(struct sockaddr_in)) 85 logbad(1,"impossible recvfrom(rip) fromlen=%d", 86 (int)fromlen); 87 88 /* aifp is the "authenticated" interface via which the packet 89 * arrived. In fact, it is only the interface on which 90 * the packet should have arrived based on is source 91 * address. 92 * sifp is interface associated with the socket through which 93 * the packet was received. 94 */ 95#ifdef USE_PASSIFNAME 96 if ((cc -= sizeof(inbuf.ifname)) < 0) 97 logbad(0,"missing USE_PASSIFNAME; only %d bytes", 98 cc+sizeof(inbuf.ifname)); 99 100 /* check the remote interfaces first */ 101 LIST_FOREACH(aifp, &remote_if, remote_list) { 102 if (aifp->int_addr == from.sin_addr.s_addr) 103 break; 104 } 105 if (aifp == NULL) { 106 aifp = ifwithname(inbuf.ifname, 0); 107 if (aifp == NULL) { 108 msglim(&bad_name, from.sin_addr.s_addr, 109 "impossible interface name %.*s", 110 IFNAMSIZ, inbuf.ifname); 111 } else if (((aifp->int_if_flags & IFF_POINTOPOINT) 112 && aifp->int_dstaddr!=from.sin_addr.s_addr) 113 || (!(aifp->int_if_flags & IFF_POINTOPOINT) 114 && !on_net(from.sin_addr.s_addr, 115 aifp->int_net, 116 aifp->int_mask))) { 117 /* If it came via the wrong interface, do not 118 * trust it. 119 */ 120 aifp = NULL; 121 } 122 } 123#else 124 aifp = iflookup(from.sin_addr.s_addr); 125#endif 126 if (sifp == NULL) 127 sifp = aifp; 128 129 input(&from, sifp, aifp, &inbuf.pbuf.rip, cc); 130 } 131} 132 133 134/* Process a RIP packet 135 */ 136static void 137input(struct sockaddr_in *from, /* received from this IP address */ 138 struct interface *sifp, /* interface of incoming socket */ 139 struct interface *aifp, /* "authenticated" interface */ 140 struct rip *rip, 141 int cc) 142{ 143# define FROM_NADDR from->sin_addr.s_addr 144 static struct msg_limit use_auth, bad_len, bad_mask; 145 static struct msg_limit unk_router, bad_router, bad_nhop; 146 147 struct rt_entry *rt; 148 struct rt_spare new; 149 struct netinfo *n, *lim; 150 struct interface *ifp1; 151 naddr gate, mask, v1_mask, dst, ddst_h = 0; 152 struct auth *ap; 153 struct tgate *tg = NULL; 154 struct tgate_net *tn; 155 int i, j; 156 157 /* Notice when we hear from a remote gateway 158 */ 159 if (aifp != NULL 160 && (aifp->int_state & IS_REMOTE)) 161 aifp->int_act_time = now.tv_sec; 162 163 trace_rip("Recv", "from", from, sifp, rip, cc); 164 165 if (sifp == NULL) { 166 trace_pkt(" discard a request from an indirect router" 167 " (possibly an attack)"); 168 return; 169 } 170 171 if (rip->rip_vers == 0) { 172 msglim(&bad_router, FROM_NADDR, 173 "RIP version 0, cmd %d, packet received from %s", 174 rip->rip_cmd, naddr_ntoa(FROM_NADDR)); 175 return; 176 } else if (rip->rip_vers > RIPv2) { 177 rip->rip_vers = RIPv2; 178 } 179 if (cc > (int)OVER_MAXPACKETSIZE) { 180 msglim(&bad_router, FROM_NADDR, 181 "packet at least %d bytes too long received from %s", 182 cc-MAXPACKETSIZE, naddr_ntoa(FROM_NADDR)); 183 return; 184 } 185 186 n = rip->rip_nets; 187 lim = (struct netinfo *)((char*)rip + cc); 188 189 /* Notice authentication. 190 * As required by section 4.2 in RFC 1723, discard authenticated 191 * RIPv2 messages, but only if configured for that silliness. 192 * 193 * RIPv2 authentication is lame. Why authenticate queries? 194 * Why should a RIPv2 implementation with authentication disabled 195 * not be able to listen to RIPv2 packets with authentication, while 196 * RIPv1 systems will listen? Crazy! 197 */ 198 if (!auth_ok 199 && rip->rip_vers == RIPv2 200 && n < lim && n->n_family == RIP_AF_AUTH) { 201 msglim(&use_auth, FROM_NADDR, 202 "RIPv2 message with authentication from %s discarded", 203 naddr_ntoa(FROM_NADDR)); 204 return; 205 } 206 207 switch (rip->rip_cmd) { 208 case RIPCMD_REQUEST: 209 /* For mere requests, be a little sloppy about the source 210 */ 211 if (aifp == NULL) 212 aifp = sifp; 213 214 /* Are we talking to ourself or a remote gateway? 215 */ 216 ifp1 = ifwithaddr(FROM_NADDR, 0, 1); 217 if (ifp1) { 218 if (ifp1->int_state & IS_REMOTE) { 219 /* remote gateway */ 220 aifp = ifp1; 221 if (check_remote(aifp)) { 222 aifp->int_act_time = now.tv_sec; 223 (void)if_ok(aifp, "remote "); 224 } 225 } else if (from->sin_port == htons(RIP_PORT)) { 226 trace_pkt(" discard our own RIP request"); 227 return; 228 } 229 } 230 231 /* did the request come from a router? 232 */ 233 if (from->sin_port == htons(RIP_PORT)) { 234 /* yes, ignore the request if RIP is off so that 235 * the router does not depend on us. 236 */ 237 if (rip_sock < 0 238 || (aifp != NULL 239 && IS_RIP_OUT_OFF(aifp->int_state))) { 240 trace_pkt(" discard request while RIP off"); 241 return; 242 } 243 } 244 245 /* According to RFC 1723, we should ignore unauthenticated 246 * queries. That is too silly to bother with. Sheesh! 247 * Are forwarding tables supposed to be secret, when 248 * a bad guy can infer them with test traffic? When RIP 249 * is still the most common router-discovery protocol 250 * and so hosts need to send queries that will be answered? 251 * What about `rtquery`? 252 * Maybe on firewalls you'd care, but not enough to 253 * give up the diagnostic facilities of remote probing. 254 */ 255 256 if (n >= lim) { 257 msglim(&bad_len, FROM_NADDR, "empty request from %s", 258 naddr_ntoa(FROM_NADDR)); 259 return; 260 } 261 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) { 262 msglim(&bad_len, FROM_NADDR, 263 "request of bad length (%d) from %s", 264 cc, naddr_ntoa(FROM_NADDR)); 265 } 266 267 if (rip->rip_vers == RIPv2 268 && (aifp == NULL || (aifp->int_state & IS_NO_RIPV1_OUT))) { 269 v12buf.buf->rip_vers = RIPv2; 270 /* If we have a secret but it is a cleartext secret, 271 * do not disclose our secret unless the other guy 272 * already knows it. 273 */ 274 ap = find_auth(aifp); 275 if (ap != NULL && ap->type == RIP_AUTH_PW 276 && n->n_family == RIP_AF_AUTH 277 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth)) 278 ap = NULL; 279 } else { 280 v12buf.buf->rip_vers = RIPv1; 281 ap = NULL; 282 } 283 clr_ws_buf(&v12buf, ap); 284 285 do { 286 n->n_metric = ntohl(n->n_metric); 287 288 /* A single entry with family RIP_AF_UNSPEC and 289 * metric HOPCNT_INFINITY means "all routes". 290 * We respond to routers only if we are acting 291 * as a supplier, or to anyone other than a router 292 * (i.e. a query). 293 */ 294 if (n->n_family == RIP_AF_UNSPEC 295 && n->n_metric == HOPCNT_INFINITY) { 296 /* Answer a query from a utility program 297 * with all we know. 298 */ 299 if (aifp == NULL) { 300 trace_pkt("ignore remote query"); 301 return; 302 } 303 if (from->sin_port != htons(RIP_PORT)) { 304 /* 305 * insecure: query from non-router node 306 * > 1: allow from distant node 307 * > 0: allow from neighbor node 308 * == 0: deny 309 */ 310 if ((aifp != NULL && insecure > 0) || 311 (aifp == NULL && insecure > 1)) 312 supply(from, aifp, OUT_QUERY, 0, 313 rip->rip_vers, 314 ap != NULL); 315 else 316 trace_pkt("Warning: " 317 "possible attack detected"); 318 return; 319 } 320 321 /* A router trying to prime its tables. 322 * Filter the answer in the about same way 323 * broadcasts are filtered. 324 * 325 * Only answer a router if we are a supplier 326 * to keep an unwary host that is just starting 327 * from picking us as a router. 328 */ 329 if (aifp == NULL) { 330 trace_pkt("ignore distant router"); 331 return; 332 } 333 if (!supplier 334 || IS_RIP_OFF(aifp->int_state)) { 335 trace_pkt("ignore; not supplying"); 336 return; 337 } 338 339 /* Do not answer a RIPv1 router if 340 * we are sending RIPv2. But do offer 341 * poor man's router discovery. 342 */ 343 if ((aifp->int_state & IS_NO_RIPV1_OUT) 344 && rip->rip_vers == RIPv1) { 345 if (!(aifp->int_state & IS_PM_RDISC)) { 346 trace_pkt("ignore; sending RIPv2"); 347 return; 348 } 349 350 v12buf.n->n_family = RIP_AF_INET; 351 v12buf.n->n_dst = RIP_DEFAULT; 352 i = aifp->int_d_metric; 353 if (NULL != (rt = rtget(RIP_DEFAULT, 0))) { 354 j = (rt->rt_metric 355 +aifp->int_metric 356 +aifp->int_adj_outmetric 357 +1); 358 if (i > j) 359 i = j; 360 } 361 v12buf.n->n_metric = htonl(i); 362 v12buf.n++; 363 break; 364 } 365 366 /* Respond with RIPv1 instead of RIPv2 if 367 * that is what we are broadcasting on the 368 * interface to keep the remote router from 369 * getting the wrong initial idea of the 370 * routes we send. 371 */ 372 supply(from, aifp, OUT_UNICAST, 0, 373 (aifp->int_state & IS_NO_RIPV1_OUT) 374 ? RIPv2 : RIPv1, 375 ap != NULL); 376 return; 377 } 378 379 /* Ignore authentication */ 380 if (n->n_family == RIP_AF_AUTH) 381 continue; 382 383 if (n->n_family != RIP_AF_INET) { 384 msglim(&bad_router, FROM_NADDR, 385 "request from %s for unsupported" 386 " (af %d) %s", 387 naddr_ntoa(FROM_NADDR), 388 ntohs(n->n_family), 389 naddr_ntoa(n->n_dst)); 390 return; 391 } 392 393 /* We are being asked about a specific destination. 394 */ 395 dst = n->n_dst; 396 if (!check_dst(dst)) { 397 msglim(&bad_router, FROM_NADDR, 398 "bad queried destination %s from %s", 399 naddr_ntoa(dst), 400 naddr_ntoa(FROM_NADDR)); 401 return; 402 } 403 404 /* decide what mask was intended */ 405 if (rip->rip_vers == RIPv1 406 || 0 == (mask = ntohl(n->n_mask)) 407 || 0 != (ntohl(dst) & ~mask)) 408 mask = ripv1_mask_host(dst, aifp); 409 410 /* try to find the answer */ 411 rt = rtget(dst, mask); 412 if (!rt && dst != RIP_DEFAULT) 413 rt = rtfind(n->n_dst); 414 415 if (v12buf.buf->rip_vers != RIPv1) 416 v12buf.n->n_mask = mask; 417 if (rt == NULL) { 418 /* we do not have the answer */ 419 v12buf.n->n_metric = HOPCNT_INFINITY; 420 } else { 421 /* we have the answer, so compute the 422 * right metric and next hop. 423 */ 424 v12buf.n->n_family = RIP_AF_INET; 425 v12buf.n->n_dst = dst; 426 j = rt->rt_metric+1; 427 if (!aifp) 428 ++j; 429 else 430 j += (aifp->int_metric 431 + aifp->int_adj_outmetric); 432 if (j < HOPCNT_INFINITY) 433 v12buf.n->n_metric = j; 434 else 435 v12buf.n->n_metric = HOPCNT_INFINITY; 436 if (v12buf.buf->rip_vers != RIPv1) { 437 v12buf.n->n_tag = rt->rt_tag; 438 v12buf.n->n_mask = mask; 439 if (aifp != NULL 440 && on_net(rt->rt_gate, 441 aifp->int_net, 442 aifp->int_mask) 443 && rt->rt_gate != aifp->int_addr) 444 v12buf.n->n_nhop = rt->rt_gate; 445 } 446 } 447 v12buf.n->n_metric = htonl(v12buf.n->n_metric); 448 449 /* Stop paying attention if we fill the output buffer. 450 */ 451 if (++v12buf.n >= v12buf.lim) 452 break; 453 } while (++n < lim); 454 455 /* Send the answer about specific routes. 456 */ 457 if (ap != NULL && ap->type == RIP_AUTH_MD5) 458 end_md5_auth(&v12buf, ap); 459 460 if (from->sin_port != htons(RIP_PORT)) { 461 /* query */ 462 (void)output(OUT_QUERY, from, aifp, 463 v12buf.buf, 464 ((char *)v12buf.n - (char*)v12buf.buf)); 465 } else if (supplier) { 466 (void)output(OUT_UNICAST, from, aifp, 467 v12buf.buf, 468 ((char *)v12buf.n - (char*)v12buf.buf)); 469 } else { 470 /* Only answer a router if we are a supplier 471 * to keep an unwary host that is just starting 472 * from picking us an a router. 473 */ 474 ; 475 } 476 return; 477 478 case RIPCMD_TRACEON: 479 case RIPCMD_TRACEOFF: 480 /* Notice that trace messages are turned off for all possible 481 * abuse if _PATH_TRACE is undefined in pathnames.h. 482 * Notice also that because of the way the trace file is 483 * handled in trace.c, no abuse is plausible even if 484 * _PATH_TRACE_ is defined. 485 * 486 * First verify message came from a privileged port. */ 487 if (ntohs(from->sin_port) > IPPORT_RESERVED) { 488 msglog("trace command from untrusted port on %s", 489 naddr_ntoa(FROM_NADDR)); 490 return; 491 } 492 if (aifp == NULL) { 493 msglog("trace command from unknown router %s", 494 naddr_ntoa(FROM_NADDR)); 495 return; 496 } 497 if (rip->rip_cmd == RIPCMD_TRACEON) { 498 rip->rip_tracefile[cc-4] = '\0'; 499 set_tracefile((char*)rip->rip_tracefile, 500 "trace command: %s\n", 0); 501 } else { 502 trace_off("tracing turned off by %s", 503 naddr_ntoa(FROM_NADDR)); 504 } 505 return; 506 507 case RIPCMD_RESPONSE: 508 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) { 509 msglim(&bad_len, FROM_NADDR, 510 "response of bad length (%d) from %s", 511 cc, naddr_ntoa(FROM_NADDR)); 512 } 513 514 /* verify message came from a router */ 515 if (from->sin_port != ntohs(RIP_PORT)) { 516 msglim(&bad_router, FROM_NADDR, 517 " discard RIP response from unknown port" 518 " %d on %s", 519 ntohs(from->sin_port), naddr_ntoa(FROM_NADDR)); 520 return; 521 } 522 523 if (rip_sock < 0) { 524 trace_pkt(" discard response while RIP off"); 525 return; 526 } 527 528 /* Are we talking to ourself or a remote gateway? 529 */ 530 ifp1 = ifwithaddr(FROM_NADDR, 0, 1); 531 if (ifp1) { 532 if (ifp1->int_state & IS_REMOTE) { 533 /* remote gateway */ 534 aifp = ifp1; 535 if (check_remote(aifp)) { 536 aifp->int_act_time = now.tv_sec; 537 (void)if_ok(aifp, "remote "); 538 } 539 } else { 540 trace_pkt(" discard our own RIP response"); 541 return; 542 } 543 } 544 545 /* Accept routing packets from routers directly connected 546 * via broadcast or point-to-point networks, and from 547 * those listed in /etc/gateways. 548 */ 549 if (aifp == NULL) { 550 msglim(&unk_router, FROM_NADDR, 551 " discard response from %s" 552 " via unexpected interface", 553 naddr_ntoa(FROM_NADDR)); 554 return; 555 } 556 if (IS_RIP_IN_OFF(aifp->int_state)) { 557 trace_pkt(" discard RIPv%d response" 558 " via disabled interface %s", 559 rip->rip_vers, aifp->int_name); 560 return; 561 } 562 563 if (n >= lim) { 564 msglim(&bad_len, FROM_NADDR, "empty response from %s", 565 naddr_ntoa(FROM_NADDR)); 566 return; 567 } 568 569 if (((aifp->int_state & IS_NO_RIPV1_IN) 570 && rip->rip_vers == RIPv1) 571 || ((aifp->int_state & IS_NO_RIPV2_IN) 572 && rip->rip_vers != RIPv1)) { 573 trace_pkt(" discard RIPv%d response", 574 rip->rip_vers); 575 return; 576 } 577 578 /* Ignore routes via dead interface. 579 */ 580 if (aifp->int_state & IS_BROKE) { 581 trace_pkt("discard response via broken interface %s", 582 aifp->int_name); 583 return; 584 } 585 586 /* If the interface cares, ignore bad routers. 587 * Trace but do not log this problem, because where it 588 * happens, it happens frequently. 589 */ 590 if (aifp->int_state & IS_DISTRUST) { 591 tg = tgates; 592 while (tg->tgate_addr != FROM_NADDR) { 593 tg = tg->tgate_next; 594 if (tg == NULL) { 595 trace_pkt(" discard RIP response" 596 " from untrusted router %s", 597 naddr_ntoa(FROM_NADDR)); 598 return; 599 } 600 } 601 } 602 603 /* Authenticate the packet if we have a secret. 604 * If we do not have any secrets, ignore the error in 605 * RFC 1723 and accept it regardless. 606 */ 607 if (aifp->int_auth[0].type != RIP_AUTH_NONE 608 && rip->rip_vers != RIPv1 609 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth)) 610 return; 611 612 do { 613 if (n->n_family == RIP_AF_AUTH) 614 continue; 615 616 n->n_metric = ntohl(n->n_metric); 617 dst = n->n_dst; 618 if (n->n_family != RIP_AF_INET 619 && (n->n_family != RIP_AF_UNSPEC 620 || dst != RIP_DEFAULT)) { 621 msglim(&bad_router, FROM_NADDR, 622 "route from %s to unsupported" 623 " address family=%d destination=%s", 624 naddr_ntoa(FROM_NADDR), 625 n->n_family, 626 naddr_ntoa(dst)); 627 continue; 628 } 629 if (!check_dst(dst)) { 630 msglim(&bad_router, FROM_NADDR, 631 "bad destination %s from %s", 632 naddr_ntoa(dst), 633 naddr_ntoa(FROM_NADDR)); 634 return; 635 } 636 if (n->n_metric == 0 637 || n->n_metric > HOPCNT_INFINITY) { 638 msglim(&bad_router, FROM_NADDR, 639 "bad metric %d from %s" 640 " for destination %s", 641 n->n_metric, 642 naddr_ntoa(FROM_NADDR), 643 naddr_ntoa(dst)); 644 return; 645 } 646 647 /* Notice the next-hop. 648 */ 649 gate = FROM_NADDR; 650 if (n->n_nhop != 0) { 651 if (rip->rip_vers == RIPv1) { 652 n->n_nhop = 0; 653 } else { 654 /* Use it only if it is valid. */ 655 if (on_net(n->n_nhop, 656 aifp->int_net, aifp->int_mask) 657 && check_dst(n->n_nhop)) { 658 gate = n->n_nhop; 659 } else { 660 msglim(&bad_nhop, FROM_NADDR, 661 "router %s to %s" 662 " has bad next hop %s", 663 naddr_ntoa(FROM_NADDR), 664 naddr_ntoa(dst), 665 naddr_ntoa(n->n_nhop)); 666 n->n_nhop = 0; 667 } 668 } 669 } 670 671 if (rip->rip_vers == RIPv1 672 || 0 == (mask = ntohl(n->n_mask))) { 673 mask = ripv1_mask_host(dst,aifp); 674 } else if ((ntohl(dst) & ~mask) != 0) { 675 msglim(&bad_mask, FROM_NADDR, 676 "router %s sent bad netmask" 677 " %#lx with %s", 678 naddr_ntoa(FROM_NADDR), 679 (u_long)mask, 680 naddr_ntoa(dst)); 681 continue; 682 } 683 if (rip->rip_vers == RIPv1) 684 n->n_tag = 0; 685 686 /* Adjust metric according to incoming interface.. 687 */ 688 n->n_metric += (aifp->int_metric 689 + aifp->int_adj_inmetric); 690 if (n->n_metric > HOPCNT_INFINITY) 691 n->n_metric = HOPCNT_INFINITY; 692 693 /* Should we trust this route from this router? */ 694 if (tg && (tn = tg->tgate_nets)->mask != 0) { 695 for (i = 0; i < MAX_TGATE_NETS; i++, tn++) { 696 if (on_net(dst, tn->net, tn->mask) 697 && tn->mask <= mask) 698 break; 699 } 700 if (i >= MAX_TGATE_NETS || tn->mask == 0) { 701 trace_pkt(" ignored unauthorized %s", 702 addrname(dst,mask,0)); 703 continue; 704 } 705 } 706 707 /* Recognize and ignore a default route we faked 708 * which is being sent back to us by a machine with 709 * broken split-horizon. 710 * Be a little more paranoid than that, and reject 711 * default routes with the same metric we advertised. 712 */ 713 if (aifp->int_d_metric != 0 714 && dst == RIP_DEFAULT 715 && (int)n->n_metric >= aifp->int_d_metric) 716 continue; 717 718 /* We can receive aggregated RIPv2 routes that must 719 * be broken down before they are transmitted by 720 * RIPv1 via an interface on a subnet. 721 * We might also receive the same routes aggregated 722 * via other RIPv2 interfaces. 723 * This could cause duplicate routes to be sent on 724 * the RIPv1 interfaces. "Longest matching variable 725 * length netmasks" lets RIPv2 listeners understand, 726 * but breaking down the aggregated routes for RIPv1 727 * listeners can produce duplicate routes. 728 * 729 * Breaking down aggregated routes here bloats 730 * the daemon table, but does not hurt the kernel 731 * table, since routes are always aggregated for 732 * the kernel. 733 * 734 * Notice that this does not break down network 735 * routes corresponding to subnets. This is part 736 * of the defense against RS_NET_SYN. 737 */ 738 if (have_ripv1_out 739 && (((rt = rtget(dst,mask)) == NULL 740 || !(rt->rt_state & RS_NET_SYN))) 741 && (v1_mask = ripv1_mask_net(dst,0)) > mask) { 742 ddst_h = v1_mask & -v1_mask; 743 i = (v1_mask & ~mask)/ddst_h; 744 if (i >= 511) { 745 /* Punt if we would have to generate 746 * an unreasonable number of routes. 747 */ 748 if (TRACECONTENTS) 749 trace_misc("accept %s-->%s as 1" 750 " instead of %d routes", 751 addrname(dst,mask,0), 752 naddr_ntoa(FROM_NADDR), 753 i+1); 754 i = 0; 755 } else { 756 mask = v1_mask; 757 } 758 } else { 759 i = 0; 760 } 761 762 new.rts_gate = gate; 763 new.rts_router = FROM_NADDR; 764 new.rts_metric = n->n_metric; 765 new.rts_tag = n->n_tag; 766 new.rts_time = now.tv_sec; 767 new.rts_ifp = aifp; 768 new.rts_de_ag = i; 769 j = 0; 770 for (;;) { 771 input_route(dst, mask, &new, n); 772 if (++j > i) 773 break; 774 dst = htonl(ntohl(dst) + ddst_h); 775 } 776 } while (++n < lim); 777 break; 778 } 779#undef FROM_NADDR 780} 781 782 783/* Process a single input route. 784 */ 785static void 786input_route(naddr dst, /* network order */ 787 naddr mask, 788 struct rt_spare *new, 789 struct netinfo *n) 790{ 791 int i; 792 struct rt_entry *rt; 793 struct rt_spare *rts, *rts0; 794 struct interface *ifp1; 795 796 797 /* See if the other guy is telling us to send our packets to him. 798 * Sometimes network routes arrive over a point-to-point link for 799 * the network containing the address(es) of the link. 800 * 801 * If our interface is broken, switch to using the other guy. 802 */ 803 ifp1 = ifwithaddr(dst, 1, 1); 804 if (ifp1 != NULL 805 && (!(ifp1->int_state & IS_BROKE) 806 || (ifp1->int_state & IS_PASSIVE))) 807 return; 808 809 /* Look for the route in our table. 810 */ 811 rt = rtget(dst, mask); 812 813 /* Consider adding the route if we do not already have it. 814 */ 815 if (rt == NULL) { 816 /* Ignore unknown routes being poisoned. 817 */ 818 if (new->rts_metric == HOPCNT_INFINITY) 819 return; 820 821 /* Ignore the route if it points to us */ 822 if (n->n_nhop != 0 823 && ifwithaddr(n->n_nhop, 1, 0) != NULL) 824 return; 825 826 /* If something has not gone crazy and tried to fill 827 * our memory, accept the new route. 828 */ 829 if (total_routes < MAX_ROUTES) 830 rtadd(dst, mask, 0, new); 831 return; 832 } 833 834 /* We already know about the route. Consider this update. 835 * 836 * If (rt->rt_state & RS_NET_SYN), then this route 837 * is the same as a network route we have inferred 838 * for subnets we know, in order to tell RIPv1 routers 839 * about the subnets. 840 * 841 * It is impossible to tell if the route is coming 842 * from a distant RIPv2 router with the standard 843 * netmask because that router knows about the entire 844 * network, or if it is a round-about echo of a 845 * synthetic, RIPv1 network route of our own. 846 * The worst is that both kinds of routes might be 847 * received, and the bad one might have the smaller 848 * metric. Partly solve this problem by never 849 * aggregating into such a route. Also keep it 850 * around as long as the interface exists. 851 */ 852 853 rts0 = rt->rt_spares; 854 for (rts = rts0, i = NUM_SPARES; i != 0; i--, rts++) { 855 if (rts->rts_router == new->rts_router) 856 break; 857 /* Note the worst slot to reuse, 858 * other than the current slot. 859 */ 860 if (rts0 == rt->rt_spares 861 || BETTER_LINK(rt, rts0, rts)) 862 rts0 = rts; 863 } 864 if (i != 0) { 865 /* Found a route from the router already in the table. 866 */ 867 868 /* If the new route is a route broken down from an 869 * aggregated route, and if the previous route is either 870 * not a broken down route or was broken down from a finer 871 * netmask, and if the previous route is current, 872 * then forget this one. 873 */ 874 if (new->rts_de_ag > rts->rts_de_ag 875 && now_stale <= rts->rts_time) 876 return; 877 878 /* Keep poisoned routes around only long enough to pass 879 * the poison on. Use a new timestamp for good routes. 880 */ 881 if (rts->rts_metric == HOPCNT_INFINITY 882 && new->rts_metric == HOPCNT_INFINITY) 883 new->rts_time = rts->rts_time; 884 885 /* If this is an update for the router we currently prefer, 886 * then note it. 887 */ 888 if (i == NUM_SPARES) { 889 rtchange(rt, rt->rt_state, new, 0); 890 /* If the route got worse, check for something better. 891 */ 892 if (new->rts_metric > rts->rts_metric) 893 rtswitch(rt, 0); 894 return; 895 } 896 897 /* This is an update for a spare route. 898 * Finished if the route is unchanged. 899 */ 900 if (rts->rts_gate == new->rts_gate 901 && rts->rts_metric == new->rts_metric 902 && rts->rts_tag == new->rts_tag) { 903 trace_upslot(rt, rts, new); 904 *rts = *new; 905 return; 906 } 907 /* Forget it if it has gone bad. 908 */ 909 if (new->rts_metric == HOPCNT_INFINITY) { 910 rts_delete(rt, rts); 911 return; 912 } 913 914 } else { 915 /* The update is for a route we know about, 916 * but not from a familiar router. 917 * 918 * Ignore the route if it points to us. 919 */ 920 if (n->n_nhop != 0 921 && NULL != ifwithaddr(n->n_nhop, 1, 0)) 922 return; 923 924 /* the loop above set rts0=worst spare */ 925 rts = rts0; 926 927 /* Save the route as a spare only if it has 928 * a better metric than our worst spare. 929 * This also ignores poisoned routes (those 930 * received with metric HOPCNT_INFINITY). 931 */ 932 if (new->rts_metric >= rts->rts_metric) 933 return; 934 } 935 936 trace_upslot(rt, rts, new); 937 *rts = *new; 938 939 /* try to switch to a better route */ 940 rtswitch(rt, rts); 941} 942 943 944static int /* 0 if bad */ 945ck_passwd(struct interface *aifp, 946 struct rip *rip, 947 void *lim, 948 naddr from, 949 struct msg_limit *use_authp) 950{ 951# define NA (rip->rip_auths) 952 struct netauth *na2; 953 struct auth *ap; 954 MD5_CTX md5_ctx; 955 u_char hash[RIP_AUTH_PW_LEN]; 956 int i, len; 957 958 assert(aifp != NULL); 959 if ((void *)NA >= lim || NA->a_family != RIP_AF_AUTH) { 960 msglim(use_authp, from, "missing password from %s", 961 naddr_ntoa(from)); 962 return 0; 963 } 964 965 /* accept any current (+/- 24 hours) password 966 */ 967 for (ap = aifp->int_auth, i = 0; i < MAX_AUTH_KEYS; i++, ap++) { 968 if (ap->type != NA->a_type 969 || (u_long)ap->start > (u_long)clk.tv_sec+DAY 970 || (u_long)ap->end+DAY < (u_long)clk.tv_sec) 971 continue; 972 973 if (NA->a_type == RIP_AUTH_PW) { 974 if (!memcmp(NA->au.au_pw, ap->key, RIP_AUTH_PW_LEN)) 975 return 1; 976 977 } else { 978 /* accept MD5 secret with the right key ID 979 */ 980 if (NA->au.a_md5.md5_keyid != ap->keyid) 981 continue; 982 983 len = ntohs(NA->au.a_md5.md5_pkt_len); 984 if ((len-sizeof(*rip)) % sizeof(*NA) != 0 985 || len != (char *)lim-(char*)rip-(int)sizeof(*NA)) { 986 msglim(use_authp, from, 987 "wrong MD5 RIPv2 packet length of %d" 988 " instead of %d from %s", 989 len, (int)((char *)lim-(char *)rip 990 -sizeof(*NA)), 991 naddr_ntoa(from)); 992 return 0; 993 } 994 na2 = (struct netauth *)((char *)rip+len); 995 996 /* Given a good hash value, these are not security 997 * problems so be generous and accept the routes, 998 * after complaining. 999 */ 1000 if (TRACEPACKETS) { 1001 if (NA->au.a_md5.md5_auth_len 1002 != RIP_AUTH_MD5_HASH_LEN) 1003 msglim(use_authp, from, 1004 "unknown MD5 RIPv2 auth len %#x" 1005 " instead of %#x from %s", 1006 NA->au.a_md5.md5_auth_len, 1007 (unsigned)RIP_AUTH_MD5_HASH_LEN, 1008 naddr_ntoa(from)); 1009 if (na2->a_family != RIP_AF_AUTH) 1010 msglim(use_authp, from, 1011 "unknown MD5 RIPv2 family %#x" 1012 " instead of %#x from %s", 1013 na2->a_family, RIP_AF_AUTH, 1014 naddr_ntoa(from)); 1015 if (na2->a_type != ntohs(1)) 1016 msglim(use_authp, from, 1017 "MD5 RIPv2 hash has %#x" 1018 " instead of %#x from %s", 1019 na2->a_type, ntohs(1), 1020 naddr_ntoa(from)); 1021 } 1022 1023 MD5Init(&md5_ctx); 1024 MD5Update(&md5_ctx, (u_char *)rip, 1025 len + RIP_AUTH_MD5_HASH_XTRA); 1026 MD5Update(&md5_ctx, ap->key, RIP_AUTH_MD5_KEY_LEN); 1027 MD5Final(hash, &md5_ctx); 1028 if (!memcmp(hash, na2->au.au_pw, sizeof(hash))) 1029 return 1; 1030 } 1031 } 1032 1033 msglim(use_authp, from, "bad password from %s", 1034 naddr_ntoa(from)); 1035 return 0; 1036#undef NA 1037} 1038