Home | History | Annotate | Line # | Download | only in libwrap
fix_options.c revision 1.8 
      1 /*	$NetBSD: fix_options.c,v 1.8 2002/05/24 05:30:54 itojun Exp $	*/
      2 
      3  /*
      4   * Routine to disable IP-level socket options. This code was taken from 4.4BSD
      5   * rlogind and kernel source, but all mistakes in it are my fault.
      6   *
      7   * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
      8   */
      9 
     10 #include <sys/cdefs.h>
     11 #ifndef lint
     12 #if 0
     13 static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19";
     14 #else
     15 __RCSID("$NetBSD: fix_options.c,v 1.8 2002/05/24 05:30:54 itojun Exp $");
     16 #endif
     17 #endif
     18 
     19 #include <sys/types.h>
     20 #include <sys/param.h>
     21 #include <sys/socket.h>
     22 #include <netinet/in.h>
     23 #include <netinet/in_systm.h>
     24 #include <netinet/ip.h>
     25 #include <netdb.h>
     26 #include <stdio.h>
     27 #include <syslog.h>
     28 #include <stdlib.h>
     29 #include <unistd.h>
     30 
     31 #ifndef IPOPT_OPTVAL
     32 #define IPOPT_OPTVAL	0
     33 #define IPOPT_OLEN	1
     34 #endif
     35 
     36 #include "tcpd.h"
     37 
     38 #define BUFFER_SIZE	512		/* Was: BUFSIZ */
     39 
     40 /* fix_options - get rid of IP-level socket options */
     41 
     42 void
     43 fix_options(request)
     44 struct request_info *request;
     45 {
     46 #ifdef IP_OPTIONS
     47     unsigned char optbuf[BUFFER_SIZE / 3], *cp;
     48     char    lbuf[BUFFER_SIZE], *lp;
     49     int     optsize = sizeof(optbuf), ipproto;
     50     struct protoent *ip;
     51     int     fd = request->fd;
     52     int     len = sizeof lbuf;
     53     unsigned int opt;
     54     int     optlen;
     55     struct in_addr dummy;
     56     struct sockaddr_storage ss;
     57     int sslen;
     58 
     59     /*
     60      * check if this is AF_INET socket
     61      * XXX IPv6 support?
     62      */
     63     sslen = sizeof(ss);
     64     if (getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0) {
     65 	syslog(LOG_ERR, "getsockname: %m");
     66 	clean_exit(request);
     67     }
     68     if (ss.ss_family != AF_INET)
     69 	return;
     70 
     71     if ((ip = getprotobyname("ip")) != 0)
     72 	ipproto = ip->p_proto;
     73     else
     74 	ipproto = IPPROTO_IP;
     75 
     76     if (getsockopt(fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0
     77 	&& optsize != 0) {
     78 
     79 	/*
     80 	 * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination
     81 	 * address to the result IP options list when source routing options
     82 	 * are present (see <netinet/ip_var.h>), but produces no output for
     83 	 * other IP options. Solaris 2.x getsockopt() does produce output for
     84 	 * non-routing IP options, and uses the same format as BSD even when
     85 	 * the space for the destination address is unused. The code below
     86 	 * does the right thing with 4.[34]BSD derivatives and Solaris 2, but
     87 	 * may occasionally miss source routing options on incompatible
     88 	 * systems such as Linux. Their choice.
     89 	 *
     90 	 * Look for source routing options. Drop the connection when one is
     91 	 * found. Just wiping the IP options is insufficient: we would still
     92 	 * help the attacker by providing a real TCP sequence number, and the
     93 	 * attacker would still be able to send packets (blind spoofing). I
     94 	 * discussed this attack with Niels Provos, half a year before the
     95 	 * attack was described in open mailing lists.
     96 	 *
     97 	 * It would be cleaner to just return a yes/no reply and let the caller
     98 	 * decide how to deal with it. Resident servers should not terminate.
     99 	 * However I am not prepared to make changes to internal interfaces
    100 	 * on short notice.
    101 	 */
    102 #define ADDR_LEN sizeof(dummy.s_addr)
    103 
    104 	for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) {
    105 	    opt = cp[IPOPT_OPTVAL];
    106 	    if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
    107 		syslog(LOG_WARNING,
    108 		   "refused connect from %s with IP source routing options",
    109 		       eval_client(request));
    110 		shutdown(fd, 2);
    111 		return;
    112 	    }
    113 	    if (opt == IPOPT_EOL)
    114 		break;
    115 	    if (opt == IPOPT_NOP) {
    116 		optlen = 1;
    117 	    } else if (&cp[IPOPT_OLEN] < optbuf + optsize) {
    118 		optlen = cp[IPOPT_OLEN];
    119 		if (optlen <= 0)		/* Do not loop! */
    120 		    break;
    121 		if (cp + optlen >= optbuf + optsize) {
    122 		    syslog(LOG_WARNING,
    123 		       "refused connect from %s with malformed IP options",
    124 			   eval_client(request));
    125 		    shutdown(fd, 2);
    126 		    return;
    127 		}
    128 	    } else {
    129 		syslog(LOG_WARNING,
    130 		   "refused connect from %s with malformed IP options",
    131 		       eval_client(request));
    132 		shutdown(fd, 2);
    133 		return;
    134 	    }
    135 	}
    136 	lp = lbuf;
    137 	for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
    138 	    len -= snprintf(lp, len, " %2.2x", *cp);
    139 	syslog(LOG_NOTICE,
    140 	       "connect from %s with IP options (ignored):%s",
    141 	       eval_client(request), lbuf);
    142 	if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) {
    143 	    syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
    144 	    shutdown(fd, 2);
    145 	}
    146     }
    147 #endif
    148 }
    149