1*f1fab66eSDavid van Moolenbroek /* $NetBSD: fix_options.c,v 1.11 2012/03/21 10:10:37 matt Exp $ */
2*f1fab66eSDavid van Moolenbroek
3*f1fab66eSDavid van Moolenbroek /*
4*f1fab66eSDavid van Moolenbroek * Routine to disable IP-level socket options. This code was taken from 4.4BSD
5*f1fab66eSDavid van Moolenbroek * rlogind and kernel source, but all mistakes in it are my fault.
6*f1fab66eSDavid van Moolenbroek *
7*f1fab66eSDavid van Moolenbroek * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
8*f1fab66eSDavid van Moolenbroek */
9*f1fab66eSDavid van Moolenbroek
10*f1fab66eSDavid van Moolenbroek #include <sys/cdefs.h>
11*f1fab66eSDavid van Moolenbroek #ifndef lint
12*f1fab66eSDavid van Moolenbroek #if 0
13*f1fab66eSDavid van Moolenbroek static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19";
14*f1fab66eSDavid van Moolenbroek #else
15*f1fab66eSDavid van Moolenbroek __RCSID("$NetBSD: fix_options.c,v 1.11 2012/03/21 10:10:37 matt Exp $");
16*f1fab66eSDavid van Moolenbroek #endif
17*f1fab66eSDavid van Moolenbroek #endif
18*f1fab66eSDavid van Moolenbroek
19*f1fab66eSDavid van Moolenbroek #include <sys/types.h>
20*f1fab66eSDavid van Moolenbroek #include <sys/param.h>
21*f1fab66eSDavid van Moolenbroek #include <sys/socket.h>
22*f1fab66eSDavid van Moolenbroek #include <netinet/in.h>
23*f1fab66eSDavid van Moolenbroek #include <netinet/in_systm.h>
24*f1fab66eSDavid van Moolenbroek #include <netinet/ip.h>
25*f1fab66eSDavid van Moolenbroek #include <netdb.h>
26*f1fab66eSDavid van Moolenbroek #include <stdio.h>
27*f1fab66eSDavid van Moolenbroek #include <syslog.h>
28*f1fab66eSDavid van Moolenbroek #include <stdlib.h>
29*f1fab66eSDavid van Moolenbroek #include <unistd.h>
30*f1fab66eSDavid van Moolenbroek
31*f1fab66eSDavid van Moolenbroek #ifndef IPOPT_OPTVAL
32*f1fab66eSDavid van Moolenbroek #define IPOPT_OPTVAL 0
33*f1fab66eSDavid van Moolenbroek #define IPOPT_OLEN 1
34*f1fab66eSDavid van Moolenbroek #endif
35*f1fab66eSDavid van Moolenbroek
36*f1fab66eSDavid van Moolenbroek #include "tcpd.h"
37*f1fab66eSDavid van Moolenbroek
38*f1fab66eSDavid van Moolenbroek #define BUFFER_SIZE 512 /* Was: BUFSIZ */
39*f1fab66eSDavid van Moolenbroek
40*f1fab66eSDavid van Moolenbroek /* fix_options - get rid of IP-level socket options */
41*f1fab66eSDavid van Moolenbroek
42*f1fab66eSDavid van Moolenbroek void
fix_options(struct request_info * request)43*f1fab66eSDavid van Moolenbroek fix_options(struct request_info *request)
44*f1fab66eSDavid van Moolenbroek {
45*f1fab66eSDavid van Moolenbroek #ifdef IP_OPTIONS
46*f1fab66eSDavid van Moolenbroek unsigned char optbuf[BUFFER_SIZE / 3], *cp;
47*f1fab66eSDavid van Moolenbroek char lbuf[BUFFER_SIZE], *lp;
48*f1fab66eSDavid van Moolenbroek int ipproto;
49*f1fab66eSDavid van Moolenbroek socklen_t optsize = sizeof(optbuf);
50*f1fab66eSDavid van Moolenbroek struct protoent *ip;
51*f1fab66eSDavid van Moolenbroek int fd = request->fd;
52*f1fab66eSDavid van Moolenbroek int len = sizeof lbuf;
53*f1fab66eSDavid van Moolenbroek unsigned int opt;
54*f1fab66eSDavid van Moolenbroek int optlen;
55*f1fab66eSDavid van Moolenbroek struct in_addr dummy;
56*f1fab66eSDavid van Moolenbroek struct sockaddr_storage ss;
57*f1fab66eSDavid van Moolenbroek socklen_t sslen;
58*f1fab66eSDavid van Moolenbroek
59*f1fab66eSDavid van Moolenbroek /*
60*f1fab66eSDavid van Moolenbroek * check if this is AF_INET socket
61*f1fab66eSDavid van Moolenbroek * XXX IPv6 support?
62*f1fab66eSDavid van Moolenbroek */
63*f1fab66eSDavid van Moolenbroek sslen = sizeof(ss);
64*f1fab66eSDavid van Moolenbroek if (getsockname(fd, (struct sockaddr *)(void *)&ss, &sslen) < 0) {
65*f1fab66eSDavid van Moolenbroek syslog(LOG_ERR, "getsockname: %m");
66*f1fab66eSDavid van Moolenbroek clean_exit(request);
67*f1fab66eSDavid van Moolenbroek }
68*f1fab66eSDavid van Moolenbroek if (ss.ss_family != AF_INET)
69*f1fab66eSDavid van Moolenbroek return;
70*f1fab66eSDavid van Moolenbroek
71*f1fab66eSDavid van Moolenbroek if ((ip = getprotobyname("ip")) != 0)
72*f1fab66eSDavid van Moolenbroek ipproto = ip->p_proto;
73*f1fab66eSDavid van Moolenbroek else
74*f1fab66eSDavid van Moolenbroek ipproto = IPPROTO_IP;
75*f1fab66eSDavid van Moolenbroek
76*f1fab66eSDavid van Moolenbroek if (getsockopt(fd, ipproto, IP_OPTIONS, optbuf, &optsize) == 0
77*f1fab66eSDavid van Moolenbroek && optsize != 0) {
78*f1fab66eSDavid van Moolenbroek
79*f1fab66eSDavid van Moolenbroek /*
80*f1fab66eSDavid van Moolenbroek * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination
81*f1fab66eSDavid van Moolenbroek * address to the result IP options list when source routing options
82*f1fab66eSDavid van Moolenbroek * are present (see <netinet/ip_var.h>), but produces no output for
83*f1fab66eSDavid van Moolenbroek * other IP options. Solaris 2.x getsockopt() does produce output for
84*f1fab66eSDavid van Moolenbroek * non-routing IP options, and uses the same format as BSD even when
85*f1fab66eSDavid van Moolenbroek * the space for the destination address is unused. The code below
86*f1fab66eSDavid van Moolenbroek * does the right thing with 4.[34]BSD derivatives and Solaris 2, but
87*f1fab66eSDavid van Moolenbroek * may occasionally miss source routing options on incompatible
88*f1fab66eSDavid van Moolenbroek * systems such as Linux. Their choice.
89*f1fab66eSDavid van Moolenbroek *
90*f1fab66eSDavid van Moolenbroek * Look for source routing options. Drop the connection when one is
91*f1fab66eSDavid van Moolenbroek * found. Just wiping the IP options is insufficient: we would still
92*f1fab66eSDavid van Moolenbroek * help the attacker by providing a real TCP sequence number, and the
93*f1fab66eSDavid van Moolenbroek * attacker would still be able to send packets (blind spoofing). I
94*f1fab66eSDavid van Moolenbroek * discussed this attack with Niels Provos, half a year before the
95*f1fab66eSDavid van Moolenbroek * attack was described in open mailing lists.
96*f1fab66eSDavid van Moolenbroek *
97*f1fab66eSDavid van Moolenbroek * It would be cleaner to just return a yes/no reply and let the caller
98*f1fab66eSDavid van Moolenbroek * decide how to deal with it. Resident servers should not terminate.
99*f1fab66eSDavid van Moolenbroek * However I am not prepared to make changes to internal interfaces
100*f1fab66eSDavid van Moolenbroek * on short notice.
101*f1fab66eSDavid van Moolenbroek */
102*f1fab66eSDavid van Moolenbroek #define ADDR_LEN sizeof(dummy.s_addr)
103*f1fab66eSDavid van Moolenbroek
104*f1fab66eSDavid van Moolenbroek for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) {
105*f1fab66eSDavid van Moolenbroek opt = cp[IPOPT_OPTVAL];
106*f1fab66eSDavid van Moolenbroek if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
107*f1fab66eSDavid van Moolenbroek syslog(LOG_WARNING,
108*f1fab66eSDavid van Moolenbroek "refused connect from %s with IP source routing options",
109*f1fab66eSDavid van Moolenbroek eval_client(request));
110*f1fab66eSDavid van Moolenbroek shutdown(fd, 2);
111*f1fab66eSDavid van Moolenbroek return;
112*f1fab66eSDavid van Moolenbroek }
113*f1fab66eSDavid van Moolenbroek if (opt == IPOPT_EOL)
114*f1fab66eSDavid van Moolenbroek break;
115*f1fab66eSDavid van Moolenbroek if (opt == IPOPT_NOP) {
116*f1fab66eSDavid van Moolenbroek optlen = 1;
117*f1fab66eSDavid van Moolenbroek } else if (&cp[IPOPT_OLEN] < optbuf + optsize) {
118*f1fab66eSDavid van Moolenbroek optlen = cp[IPOPT_OLEN];
119*f1fab66eSDavid van Moolenbroek if (optlen < 2 || cp + optlen >= optbuf + optsize) {
120*f1fab66eSDavid van Moolenbroek syslog(LOG_WARNING,
121*f1fab66eSDavid van Moolenbroek "refused connect from %s with malformed IP options",
122*f1fab66eSDavid van Moolenbroek eval_client(request));
123*f1fab66eSDavid van Moolenbroek shutdown(fd, 2);
124*f1fab66eSDavid van Moolenbroek return;
125*f1fab66eSDavid van Moolenbroek }
126*f1fab66eSDavid van Moolenbroek } else {
127*f1fab66eSDavid van Moolenbroek syslog(LOG_WARNING,
128*f1fab66eSDavid van Moolenbroek "refused connect from %s with malformed IP options",
129*f1fab66eSDavid van Moolenbroek eval_client(request));
130*f1fab66eSDavid van Moolenbroek shutdown(fd, 2);
131*f1fab66eSDavid van Moolenbroek return;
132*f1fab66eSDavid van Moolenbroek }
133*f1fab66eSDavid van Moolenbroek }
134*f1fab66eSDavid van Moolenbroek lp = lbuf;
135*f1fab66eSDavid van Moolenbroek for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
136*f1fab66eSDavid van Moolenbroek len -= snprintf(lp, len, " %2.2x", *cp);
137*f1fab66eSDavid van Moolenbroek syslog(LOG_NOTICE,
138*f1fab66eSDavid van Moolenbroek "connect from %s with IP options (ignored):%s",
139*f1fab66eSDavid van Moolenbroek eval_client(request), lbuf);
140*f1fab66eSDavid van Moolenbroek if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) {
141*f1fab66eSDavid van Moolenbroek syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
142*f1fab66eSDavid van Moolenbroek shutdown(fd, 2);
143*f1fab66eSDavid van Moolenbroek }
144*f1fab66eSDavid van Moolenbroek }
145*f1fab66eSDavid van Moolenbroek #endif
146*f1fab66eSDavid van Moolenbroek }
147