1 /* $OpenBSD: options.c,v 1.24 2008/11/14 02:00:08 krw Exp $ */ 2 3 /* DHCP options parsing and reassembly. */ 4 5 /* 6 * Copyright (c) 1995, 1996, 1997, 1998 The Internet Software Consortium. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. Neither the name of The Internet Software Consortium nor the names 19 * of its contributors may be used to endorse or promote products derived 20 * from this software without specific prior written permission. 21 * 22 * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND 23 * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, 24 * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF 25 * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE 26 * DISCLAIMED. IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR 27 * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT 29 * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF 30 * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND 31 * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, 32 * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT 33 * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 34 * SUCH DAMAGE. 35 * 36 * This software has been written for the Internet Software Consortium 37 * by Ted Lemon <mellon@fugue.com> in cooperation with Vixie 38 * Enterprises. To learn more about the Internet Software Consortium, 39 * see ``http://www.vix.com/isc''. To learn more about Vixie 40 * Enterprises, see ``http://www.vix.com''. 41 */ 42 43 #include <ctype.h> 44 45 #include "dhcpd.h" 46 47 int bad_options = 0; 48 int bad_options_max = 5; 49 50 void parse_options(struct packet *); 51 void parse_option_buffer(struct packet *, unsigned char *, int); 52 void create_priority_list(unsigned char *, unsigned char *, int); 53 int store_option_fragment(unsigned char *, int, unsigned char, 54 int, unsigned char *); 55 int store_options(unsigned char *, int, struct tree_cache **, 56 unsigned char *, int, int); 57 58 59 /* 60 * Parse all available options out of the specified packet. 61 */ 62 void 63 parse_options(struct packet *packet) 64 { 65 /* Initially, zero all option pointers. */ 66 memset(packet->options, 0, sizeof(packet->options)); 67 68 /* If we don't see the magic cookie, there's nothing to parse. */ 69 if (memcmp(packet->raw->options, DHCP_OPTIONS_COOKIE, 4)) { 70 packet->options_valid = 0; 71 return; 72 } 73 74 /* 75 * Go through the options field, up to the end of the packet or 76 * the End field. 77 */ 78 parse_option_buffer(packet, &packet->raw->options[4], 79 packet->packet_length - DHCP_FIXED_NON_UDP - 4); 80 81 /* 82 * If we parsed a DHCP Option Overload option, parse more 83 * options out of the buffer(s) containing them. 84 */ 85 if (packet->options_valid && 86 packet->options[DHO_DHCP_OPTION_OVERLOAD].data) { 87 if (packet->options[DHO_DHCP_OPTION_OVERLOAD].data[0] & 1) 88 parse_option_buffer(packet, 89 (unsigned char *)packet->raw->file, 90 sizeof(packet->raw->file)); 91 if (packet->options[DHO_DHCP_OPTION_OVERLOAD].data[0] & 2) 92 parse_option_buffer(packet, 93 (unsigned char *)packet->raw->sname, 94 sizeof(packet->raw->sname)); 95 } 96 } 97 98 /* 99 * Parse options out of the specified buffer, storing addresses of 100 * option values in packet->options and setting packet->options_valid if 101 * no errors are encountered. 102 */ 103 void 104 parse_option_buffer(struct packet *packet, 105 unsigned char *buffer, int length) 106 { 107 unsigned char *s, *t; 108 unsigned char *end = buffer + length; 109 int len; 110 int code; 111 112 for (s = buffer; *s != DHO_END && s < end; ) { 113 code = s[0]; 114 115 /* Pad options don't have a length - just skip them. */ 116 if (code == DHO_PAD) { 117 s++; 118 continue; 119 } 120 if (s + 2 > end) { 121 len = 65536; 122 goto bogus; 123 } 124 125 /* 126 * All other fields (except end, see above) have a 127 * one-byte length. 128 */ 129 len = s[1]; 130 131 /* 132 * If the length is outrageous, silently skip the rest, 133 * and mark the packet bad. Unfortunately some crappy 134 * dhcp servers always seem to give us garbage on the 135 * end of a packet. so rather than keep refusing, give 136 * up and try to take one after seeing a few without 137 * anything good. 138 */ 139 if (s + len + 2 > end) { 140 bogus: 141 bad_options++; 142 warning("option %s (%d) %s.", 143 dhcp_options[code].name, len, 144 "larger than buffer"); 145 if (bad_options == bad_options_max) { 146 packet->options_valid = 1; 147 bad_options = 0; 148 warning("Many bogus options seen in offers."); 149 warning("Taking this offer in spite of bogus"); 150 warning("options - hope for the best!"); 151 } else { 152 warning("rejecting bogus offer."); 153 packet->options_valid = 0; 154 } 155 return; 156 } 157 /* 158 * If we haven't seen this option before, just make 159 * space for it and copy it there. 160 */ 161 if (!packet->options[code].data) { 162 if (!(t = dmalloc(len + 1, "parse_option_buffer"))) 163 error("Can't allocate storage for option %s.", 164 dhcp_options[code].name); 165 /* 166 * Copy and NUL-terminate the option (in case 167 * it's an ASCII string). 168 */ 169 memcpy(t, &s[2], len); 170 t[len] = 0; 171 packet->options[code].len = len; 172 packet->options[code].data = t; 173 } else { 174 /* 175 * If it's a repeat, concatenate it to whatever 176 * we last saw. This is really only required 177 * for clients, but what the heck... 178 */ 179 t = dmalloc(len + packet->options[code].len + 1, 180 "parse_option_buffer"); 181 if (!t) 182 error("Can't expand storage for option %s.", 183 dhcp_options[code].name); 184 memcpy(t, packet->options[code].data, 185 packet->options[code].len); 186 memcpy(t + packet->options[code].len, 187 &s[2], len); 188 packet->options[code].len += len; 189 t[packet->options[code].len] = 0; 190 dfree(packet->options[code].data, 191 "parse_option_buffer"); 192 packet->options[code].data = t; 193 } 194 s += len + 2; 195 } 196 packet->options_valid = 1; 197 } 198 199 /* 200 * Fill priority_list with a complete list of DHCP options sorted by 201 * priority. i.e. 202 * 1) Mandatory options. 203 * 2) Options from prl that are not already present. 204 * 3) Options from the default list that are not already present. 205 */ 206 void 207 create_priority_list(unsigned char *priority_list, unsigned char *prl, 208 int prl_len) 209 { 210 unsigned char stored_list[256]; 211 int i, priority_len = 0; 212 213 /* clear stored_list, priority_list should be cleared before */ 214 bzero(&stored_list, sizeof(stored_list)); 215 216 /* Some options we don't want on the priority list. */ 217 stored_list[DHO_PAD] = 1; 218 stored_list[DHO_END] = 1; 219 220 /* Mandatory options. */ 221 for(i = 0; dhcp_option_default_priority_list[i] != DHO_END; i++) { 222 priority_list[priority_len++] = 223 dhcp_option_default_priority_list[i]; 224 stored_list[dhcp_option_default_priority_list[i]] = 1; 225 } 226 227 /* Supplied priority list. */ 228 if (!prl) 229 prl_len = 0; 230 for(i = 0; i < prl_len; i++) { 231 if (stored_list[prl[i]]) 232 continue; 233 priority_list[priority_len++] = prl[i]; 234 stored_list[prl[i]] = 1; 235 } 236 237 /* Default priority list. */ 238 prl = dhcp_option_default_priority_list; 239 for(i = 0; i < 256; i++) { 240 if (stored_list[prl[i]]) 241 continue; 242 priority_list[priority_len++] = prl[i]; 243 stored_list[prl[i]] = 1; 244 } 245 } 246 /* 247 * cons options into a big buffer, and then split them out into the 248 * three separate buffers if needed. This allows us to cons up a set of 249 * vendor options using the same routine. 250 */ 251 int 252 cons_options(struct packet *inpacket, struct dhcp_packet *outpacket, 253 int mms, struct tree_cache **options, 254 int overload, /* Overload flags that may be set. */ 255 int terminate, int bootpp, u_int8_t *prl, int prl_len) 256 { 257 unsigned char priority_list[256]; 258 unsigned char buffer[4096]; /* Really big buffer... */ 259 int bufix, main_buffer_size, option_size; 260 261 /* 262 * If the client has provided a maximum DHCP message size, use 263 * that; otherwise, if it's BOOTP, only 64 bytes; otherwise use 264 * up to the minimum IP MTU size (576 bytes). 265 * 266 * XXX if a BOOTP client specifies a max message size, we will 267 * honor it. 268 */ 269 if (!mms && 270 inpacket && 271 inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].data && 272 (inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].len >= 273 sizeof(u_int16_t))) { 274 mms = getUShort( 275 inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].data); 276 } 277 278 if (mms) { 279 if (mms < 576) 280 mms = 576; /* mms must be >= minimum IP MTU */ 281 main_buffer_size = mms - DHCP_FIXED_LEN; 282 } else if (bootpp) 283 main_buffer_size = 64; 284 else 285 main_buffer_size = 576 - DHCP_FIXED_LEN; 286 287 if (main_buffer_size > sizeof(outpacket->options)) 288 main_buffer_size = sizeof(outpacket->options); 289 290 /* 291 * Initialize the available buffers, some or all of which may not be 292 * used. 293 */ 294 memset(outpacket->options, DHO_PAD, sizeof(outpacket->options)); 295 if (overload & 1) 296 memset(outpacket->file, DHO_PAD, DHCP_FILE_LEN); 297 if (overload & 2) 298 memset(outpacket->sname, DHO_PAD, DHCP_SNAME_LEN); 299 if (bootpp) 300 overload = 0; /* Don't use overload buffers for bootp! */ 301 302 /* 303 * Get complete list of possible options in priority order. Use the 304 * list provided in the options. Lacking that use the list provided by 305 * prl. If that is not available just use the default list. 306 */ 307 bzero(&priority_list, sizeof(priority_list)); 308 if (inpacket && inpacket->options[DHO_DHCP_PARAMETER_REQUEST_LIST].data) 309 create_priority_list(priority_list, 310 inpacket->options[DHO_DHCP_PARAMETER_REQUEST_LIST].data, 311 inpacket->options[DHO_DHCP_PARAMETER_REQUEST_LIST].len); 312 else if (prl) 313 create_priority_list(priority_list, prl, prl_len); 314 else 315 create_priority_list(priority_list, NULL, 0); 316 317 /* 318 * Copy the options into the big buffer, including leading cookie and 319 * DHCP_OVERLOAD_OPTION, and DHO_END if it fits. All unused space will 320 * be set to DHO_PAD 321 */ 322 option_size = store_options(buffer, main_buffer_size, options, 323 priority_list, overload, terminate); 324 if (option_size == 0) 325 return (DHCP_FIXED_NON_UDP); 326 327 /* Copy the main buffer. */ 328 memcpy(&outpacket->options[0], buffer, main_buffer_size); 329 if (option_size <= main_buffer_size) 330 return (DHCP_FIXED_NON_UDP + option_size); 331 332 /* Copy the overflow buffers. */ 333 bufix = main_buffer_size; 334 if (overload & 1) { 335 memcpy(outpacket->file, &buffer[bufix], DHCP_FILE_LEN); 336 bufix += DHCP_FILE_LEN; 337 } 338 if (overload & 2) 339 memcpy(outpacket->sname, &buffer[bufix], DHCP_SNAME_LEN); 340 341 return (DHCP_FIXED_NON_UDP + main_buffer_size); 342 } 343 344 /* 345 * Store a <code><length><data> fragment in buffer. Return the number of 346 * characters used. Return 0 if no data could be stored. 347 */ 348 int 349 store_option_fragment(unsigned char *buffer, int buffer_size, 350 unsigned char code, int length, unsigned char *data) 351 { 352 buffer_size -= 2; /* Space for option code and option length. */ 353 354 if (buffer_size < 1) 355 return (0); 356 357 if (buffer_size > 255) 358 buffer_size = 255; 359 if (length > buffer_size) 360 length = buffer_size; 361 362 buffer[0] = code; 363 buffer[1] = length; 364 365 memcpy(&buffer[2], data, length); 366 367 return (length + 2); 368 } 369 370 /* 371 * Store all the requested options into the requested buffer. Insert the 372 * required cookie, DHO_DHCP_OPTION_OVERLOAD options and append a DHO_END if 373 * if fits. Ensure all buffer space is set to DHO_PAD if unused. 374 */ 375 int 376 store_options(unsigned char *buffer, int main_buffer_size, 377 struct tree_cache **options, unsigned char *priority_list, int overload, 378 int terminate) 379 { 380 int buflen, code, cutoff, i, incr, ix, length, optstart, overflow; 381 int second_cutoff; 382 int bufix = 0; 383 384 overload &= 3; /* Only consider valid bits. */ 385 386 cutoff = main_buffer_size; 387 second_cutoff = cutoff + ((overload & 1) ? DHCP_FILE_LEN : 0); 388 buflen = second_cutoff + ((overload & 2) ? DHCP_SNAME_LEN : 0); 389 390 memset(buffer, DHO_PAD, buflen); 391 memcpy(buffer, DHCP_OPTIONS_COOKIE, 4); 392 393 if (overload) 394 bufix = 7; /* Reserve space for DHO_DHCP_OPTION_OVERLOAD. */ 395 else 396 bufix = 4; 397 398 /* 399 * Store options in the order they appear in the priority list. 400 */ 401 for (i = 0; i < 256; i++) { 402 /* Code for next option to try to store. */ 403 code = priority_list[i]; 404 if (code == DHO_PAD || code == DHO_END) 405 continue; 406 407 if (!options[code] || !tree_evaluate(options[code])) 408 continue; 409 410 /* We should now have a constant length for the option. */ 411 length = options[code]->len; 412 413 /* Try to store the option. */ 414 optstart = bufix; 415 ix = 0; 416 while (length) { 417 incr = store_option_fragment(&buffer[bufix], 418 cutoff - bufix, code, length, 419 options[code]->value + ix); 420 421 if (incr > 0) { 422 bufix += incr; 423 length -= incr - 2; 424 ix += incr - 2; 425 continue; 426 } 427 428 /* 429 * No fragment could be stored in the space before the 430 * cutoff. Fill the unusable space with DHO_PAD and 431 * move cutoff for another attempt. 432 */ 433 memset(&buffer[bufix], DHO_PAD, cutoff - bufix); 434 bufix = cutoff; 435 if (cutoff < second_cutoff) 436 cutoff = second_cutoff; 437 else if (cutoff < buflen) 438 cutoff = buflen; 439 else 440 break; 441 } 442 443 if (length > 0) { 444 zapfrags: 445 memset(&buffer[optstart], DHO_PAD, buflen - optstart); 446 bufix = optstart; 447 } else if (terminate && dhcp_options[code].format[0] == 't') { 448 if (bufix < cutoff) 449 buffer[bufix++] = '\0'; 450 else 451 goto zapfrags; 452 } 453 } 454 455 if (bufix == (4 + (overload ? 3 : 0))) 456 /* Didn't manage to store any options. */ 457 return (0); 458 459 if (bufix < buflen) 460 buffer[bufix++] = DHO_END; 461 462 /* Fill in overload option value based on space used for options. */ 463 if (overload) { 464 overflow = bufix - main_buffer_size; 465 if (overflow > 0) { 466 buffer[4] = DHO_DHCP_OPTION_OVERLOAD; 467 buffer[5] = 1; 468 if (overload & 1) { 469 buffer[6] |= 1; 470 overflow -= DHCP_FILE_LEN; 471 } 472 if ((overload & 2) && overflow > 0) 473 buffer[6] |= 2; 474 } else { 475 /* 476 * Compact buffer to eliminate the unused 477 * DHO_DHCP_OPTION_OVERLOAD option. Some clients 478 * choke on DHO_PAD options there. 479 */ 480 memmove(&buffer[4], &buffer[7], buflen - 7); 481 bufix -= 3; 482 memset(&buffer[bufix], DHO_PAD, 3); 483 } 484 } 485 486 return (bufix); 487 } 488 489 void 490 do_packet(struct interface_info *interface, struct dhcp_packet *packet, 491 int len, unsigned int from_port, struct iaddr from, struct hardware *hfrom) 492 { 493 struct packet tp; 494 int i; 495 496 if (packet->hlen > sizeof(packet->chaddr)) { 497 note("Discarding packet with invalid hlen."); 498 return; 499 } 500 501 memset(&tp, 0, sizeof(tp)); 502 tp.raw = packet; 503 tp.packet_length = len; 504 tp.client_port = from_port; 505 tp.client_addr = from; 506 tp.interface = interface; 507 tp.haddr = hfrom; 508 509 parse_options(&tp); 510 if (tp.options_valid && 511 tp.options[DHO_DHCP_MESSAGE_TYPE].data) 512 tp.packet_type = tp.options[DHO_DHCP_MESSAGE_TYPE].data[0]; 513 if (tp.packet_type) 514 dhcp(&tp); 515 else 516 bootp(&tp); 517 518 /* Free the data associated with the options. */ 519 for (i = 0; i < 256; i++) 520 if (tp.options[i].len && tp.options[i].data) 521 dfree(tp.options[i].data, "do_packet"); 522 } 523