lib/libwrap/fix_options.c

   1 /*      $NetBSD: fix_options.c,v 1.9 2002/05/24 06:05:31 itojun Exp $   */
   2
   3  /*
   4   * Routine to disable IP-level socket options. This code was taken from 4.4BSD
   5   * rlogind and kernel source, but all mistakes in it are my fault.
   6   *
   7   * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
   8   */
   9
  10 #include <sys/cdefs.h>
  11 #ifndef lint
  12 #if 0
  13 static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19";
  14 #else
  15 __RCSID("$NetBSD: fix_options.c,v 1.9 2002/05/24 06:05:31 itojun Exp $");
  16 #endif
  17 #endif
  18
  19 #include <sys/types.h>
  20 #include <sys/param.h>
  21 #include <sys/socket.h>
  22 #include <netinet/in.h>
  23 #include <netinet/in_systm.h>
  24 #include <netinet/ip.h>
  25 #include <netdb.h>
  26 #include <stdio.h>
  27 #include <syslog.h>
  28 #include <stdlib.h>
  29 #include <unistd.h>
  30
  31 #ifndef IPOPT_OPTVAL
  32 #define IPOPT_OPTVAL    0
  33 #define IPOPT_OLEN      1
  34 #endif
  35
  36 #include "tcpd.h"
  37
  38 #define BUFFER_SIZE     512             /* Was: BUFSIZ */
  39
  40 /* fix_options - get rid of IP-level socket options */
  41
  42 void
  43 fix_options(request)
  44 struct request_info *request;
  45 {
  46 #ifdef IP_OPTIONS
  47     unsigned char optbuf[BUFFER_SIZE / 3], *cp;
  48     char    lbuf[BUFFER_SIZE], *lp;
  49     int     ipproto;
  50     socklen_t optsize = sizeof(optbuf);
  51     struct protoent *ip;
  52     int     fd = request->fd;
  53     int     len = sizeof lbuf;
  54     unsigned int opt;
  55     int     optlen;
  56     struct in_addr dummy;
  57     struct sockaddr_storage ss;
  58     socklen_t sslen;
  59
  60     /*
  61      * check if this is AF_INET socket
  62      * XXX IPv6 support?
  63      */
  64     sslen = sizeof(ss);
  65     if (getsockname(fd, (struct sockaddr *)(void *)&ss, &sslen) < 0) {
  66         syslog(LOG_ERR, "getsockname: %m");
  67         clean_exit(request);
  68     }
  69     if (ss.ss_family != AF_INET)
  70         return;
  71
  72     if ((ip = getprotobyname("ip")) != 0)
  73         ipproto = ip->p_proto;
  74     else
  75         ipproto = IPPROTO_IP;
  76
  77     if (getsockopt(fd, ipproto, IP_OPTIONS, optbuf, &optsize) == 0
  78         && optsize != 0) {
  79
  80         /*
  81          * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination
  82          * address to the result IP options list when source routing options
  83          * are present (see <netinet/ip_var.h>), but produces no output for
  84          * other IP options. Solaris 2.x getsockopt() does produce output for
  85          * non-routing IP options, and uses the same format as BSD even when
  86          * the space for the destination address is unused. The code below
  87          * does the right thing with 4.[34]BSD derivatives and Solaris 2, but
  88          * may occasionally miss source routing options on incompatible
  89          * systems such as Linux. Their choice.
  90          *
  91          * Look for source routing options. Drop the connection when one is
  92          * found. Just wiping the IP options is insufficient: we would still
  93          * help the attacker by providing a real TCP sequence number, and the
  94          * attacker would still be able to send packets (blind spoofing). I
  95          * discussed this attack with Niels Provos, half a year before the
  96          * attack was described in open mailing lists.
  97          *
  98          * It would be cleaner to just return a yes/no reply and let the caller
  99          * decide how to deal with it. Resident servers should not terminate.
 100          * However I am not prepared to make changes to internal interfaces
 101          * on short notice.
 102          */
 103 #define ADDR_LEN sizeof(dummy.s_addr)
 104
 105         for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) {
 106             opt = cp[IPOPT_OPTVAL];
 107             if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
 108                 syslog(LOG_WARNING,
 109                    "refused connect from %s with IP source routing options",
 110                        eval_client(request));
 111                 shutdown(fd, 2);
 112                 return;
 113             }
 114             if (opt == IPOPT_EOL)
 115                 break;
 116             if (opt == IPOPT_NOP) {
 117                 optlen = 1;
 118             } else if (&cp[IPOPT_OLEN] < optbuf + optsize) {
 119                 optlen = cp[IPOPT_OLEN];
 120                 if (optlen < 2 || cp + optlen >= optbuf + optsize) {
 121                     syslog(LOG_WARNING,
 122                        "refused connect from %s with malformed IP options",
 123                            eval_client(request));
 124                     shutdown(fd, 2);
 125                     return;
 126                 }
 127             } else {
 128                 syslog(LOG_WARNING,
 129                    "refused connect from %s with malformed IP options",
 130                        eval_client(request));
 131                 shutdown(fd, 2);
 132                 return;
 133             }
 134         }
 135         lp = lbuf;
 136         for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
 137             len -= snprintf(lp, len, " %2.2x", *cp);
 138         syslog(LOG_NOTICE,
 139                "connect from %s with IP options (ignored):%s",
 140                eval_client(request), lbuf);
 141         if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) {
 142             syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
 143             shutdown(fd, 2);
 144         }
 145     }
 146 #endif
 147 }