Home | History | Annotate | Line # | Download | only in libwrap
fix_options.c revision 1.10 
      1 /*	$NetBSD: fix_options.c,v 1.10 2006/05/09 20:18:06 mrg Exp $	*/
      2 
      3  /*
      4   * Routine to disable IP-level socket options. This code was taken from 4.4BSD
      5   * rlogind and kernel source, but all mistakes in it are my fault.
      6   *
      7   * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
      8   */
      9 
     10 #include <sys/cdefs.h>
     11 #ifndef lint
     12 #if 0
     13 static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19";
     14 #else
     15 __RCSID("$NetBSD: fix_options.c,v 1.10 2006/05/09 20:18:06 mrg Exp $");
     16 #endif
     17 #endif
     18 
     19 #include <sys/types.h>
     20 #include <sys/param.h>
     21 #include <sys/socket.h>
     22 #include <netinet/in.h>
     23 #include <netinet/in_systm.h>
     24 #include <netinet/ip.h>
     25 #include <netdb.h>
     26 #include <stdio.h>
     27 #include <syslog.h>
     28 #include <stdlib.h>
     29 #include <unistd.h>
     30 
     31 #ifndef IPOPT_OPTVAL
     32 #define IPOPT_OPTVAL	0
     33 #define IPOPT_OLEN	1
     34 #endif
     35 
     36 #include "tcpd.h"
     37 
     38 #define BUFFER_SIZE	512		/* Was: BUFSIZ */
     39 
     40 /* fix_options - get rid of IP-level socket options */
     41 
     42 void
     43 fix_options(request)
     44 struct request_info *request;
     45 {
     46 #ifdef IP_OPTIONS
     47     unsigned char optbuf[BUFFER_SIZE / 3], *cp;
     48     char    lbuf[BUFFER_SIZE], *lp;
     49     int     ipproto;
     50     socklen_t optsize = sizeof(optbuf);
     51     struct protoent *ip;
     52     int     fd = request->fd;
     53     int     len = sizeof lbuf;
     54     unsigned int opt;
     55     int     optlen;
     56     struct in_addr dummy;
     57     struct sockaddr_storage ss;
     58     socklen_t sslen;
     59 
     60     /*
     61      * check if this is AF_INET socket
     62      * XXX IPv6 support?
     63      */
     64     sslen = sizeof(ss);
     65     if (getsockname(fd, (struct sockaddr *)(void *)&ss, &sslen) < 0) {
     66 	syslog(LOG_ERR, "getsockname: %m");
     67 	clean_exit(request);
     68     }
     69     if (ss.ss_family != AF_INET)
     70 	return;
     71 
     72     if ((ip = getprotobyname("ip")) != 0)
     73 	ipproto = ip->p_proto;
     74     else
     75 	ipproto = IPPROTO_IP;
     76 
     77     if (getsockopt(fd, ipproto, IP_OPTIONS, optbuf, &optsize) == 0
     78 	&& optsize != 0) {
     79 
     80 	/*
     81 	 * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination
     82 	 * address to the result IP options list when source routing options
     83 	 * are present (see <netinet/ip_var.h>), but produces no output for
     84 	 * other IP options. Solaris 2.x getsockopt() does produce output for
     85 	 * non-routing IP options, and uses the same format as BSD even when
     86 	 * the space for the destination address is unused. The code below
     87 	 * does the right thing with 4.[34]BSD derivatives and Solaris 2, but
     88 	 * may occasionally miss source routing options on incompatible
     89 	 * systems such as Linux. Their choice.
     90 	 *
     91 	 * Look for source routing options. Drop the connection when one is
     92 	 * found. Just wiping the IP options is insufficient: we would still
     93 	 * help the attacker by providing a real TCP sequence number, and the
     94 	 * attacker would still be able to send packets (blind spoofing). I
     95 	 * discussed this attack with Niels Provos, half a year before the
     96 	 * attack was described in open mailing lists.
     97 	 *
     98 	 * It would be cleaner to just return a yes/no reply and let the caller
     99 	 * decide how to deal with it. Resident servers should not terminate.
    100 	 * However I am not prepared to make changes to internal interfaces
    101 	 * on short notice.
    102 	 */
    103 #define ADDR_LEN sizeof(dummy.s_addr)
    104 
    105 	for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) {
    106 	    opt = cp[IPOPT_OPTVAL];
    107 	    if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
    108 		syslog(LOG_WARNING,
    109 		   "refused connect from %s with IP source routing options",
    110 		       eval_client(request));
    111 		shutdown(fd, 2);
    112 		return;
    113 	    }
    114 	    if (opt == IPOPT_EOL)
    115 		break;
    116 	    if (opt == IPOPT_NOP) {
    117 		optlen = 1;
    118 	    } else if (&cp[IPOPT_OLEN] < optbuf + optsize) {
    119 		optlen = cp[IPOPT_OLEN];
    120 		if (optlen < 2 || cp + optlen >= optbuf + optsize) {
    121 		    syslog(LOG_WARNING,
    122 		       "refused connect from %s with malformed IP options",
    123 			   eval_client(request));
    124 		    shutdown(fd, 2);
    125 		    return;
    126 		}
    127 	    } else {
    128 		syslog(LOG_WARNING,
    129 		   "refused connect from %s with malformed IP options",
    130 		       eval_client(request));
    131 		shutdown(fd, 2);
    132 		return;
    133 	    }
    134 	}
    135 	lp = lbuf;
    136 	for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
    137 	    len -= snprintf(lp, len, " %2.2x", *cp);
    138 	syslog(LOG_NOTICE,
    139 	       "connect from %s with IP options (ignored):%s",
    140 	       eval_client(request), lbuf);
    141 	if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) {
    142 	    syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
    143 	    shutdown(fd, 2);
    144 	}
    145     }
    146 #endif
    147 }
    148