xref: /openbsd-src/usr.sbin/dhcpd/options.c (revision f2da64fbbbf1b03f09f390ab01267c93dfd77c4c) 
1 /*	$OpenBSD: options.c,v 1.31 2016/08/05 14:02:23 krw Exp $	*/
2 
3 /* DHCP options parsing and reassembly. */
4 
5 /*
6  * Copyright (c) 1995, 1996, 1997, 1998 The Internet Software Consortium.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  * 3. Neither the name of The Internet Software Consortium nor the names
19  *    of its contributors may be used to endorse or promote products derived
20  *    from this software without specific prior written permission.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND
23  * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
24  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
25  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
26  * DISCLAIMED.  IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR
27  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
29  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
30  * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
31  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
32  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
33  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34  * SUCH DAMAGE.
35  *
36  * This software has been written for the Internet Software Consortium
37  * by Ted Lemon <mellon@fugue.com> in cooperation with Vixie
38  * Enterprises.  To learn more about the Internet Software Consortium,
39  * see ``http://www.vix.com/isc''.  To learn more about Vixie
40  * Enterprises, see ``http://www.vix.com''.
41  */
42 
43 #include <sys/types.h>
44 #include <sys/socket.h>
45 
46 #include <net/if.h>
47 
48 #include <netinet/in.h>
49 
50 #include <stdio.h>
51 #include <stdlib.h>
52 #include <string.h>
53 
54 #include "dhcp.h"
55 #include "tree.h"
56 #include "dhcpd.h"
57 
58 int bad_options = 0;
59 int bad_options_max = 5;
60 
61 void	parse_options(struct packet *);
62 void	parse_option_buffer(struct packet *, unsigned char *, int);
63 void	create_priority_list(unsigned char *, unsigned char *, int);
64 int	store_option_fragment(unsigned char *, int, unsigned char,
65 	    int, unsigned char *);
66 int	store_options(unsigned char *, int, struct tree_cache **,
67 	    unsigned char *, int, int);
68 
69 
70 /*
71  * Parse all available options out of the specified packet.
72  */
73 void
74 parse_options(struct packet *packet)
75 {
76 	/* Initially, zero all option pointers. */
77 	memset(packet->options, 0, sizeof(packet->options));
78 
79 	/* If we don't see the magic cookie, there's nothing to parse. */
80 	if (memcmp(packet->raw->options, DHCP_OPTIONS_COOKIE, 4)) {
81 		packet->options_valid = 0;
82 		return;
83 	}
84 
85 	/*
86 	 * Go through the options field, up to the end of the packet or
87 	 * the End field.
88 	 */
89 	parse_option_buffer(packet, &packet->raw->options[4],
90 	    packet->packet_length - DHCP_FIXED_NON_UDP - 4);
91 
92 	/*
93 	 * If we parsed a DHCP Option Overload option, parse more
94 	 * options out of the buffer(s) containing them.
95 	 */
96 	if (packet->options_valid &&
97 	    packet->options[DHO_DHCP_OPTION_OVERLOAD].data) {
98 		if (packet->options[DHO_DHCP_OPTION_OVERLOAD].data[0] & 1)
99 			parse_option_buffer(packet,
100 			    (unsigned char *)packet->raw->file,
101 			    sizeof(packet->raw->file));
102 		if (packet->options[DHO_DHCP_OPTION_OVERLOAD].data[0] & 2)
103 			parse_option_buffer(packet,
104 			    (unsigned char *)packet->raw->sname,
105 			    sizeof(packet->raw->sname));
106 	}
107 }
108 
109 /*
110  * Parse options out of the specified buffer, storing addresses of
111  * option values in packet->options and setting packet->options_valid if
112  * no errors are encountered.
113  */
114 void
115 parse_option_buffer(struct packet *packet,
116     unsigned char *buffer, int length)
117 {
118 	unsigned char *s, *t;
119 	unsigned char *end = buffer + length;
120 	int len;
121 	int code;
122 
123 	for (s = buffer; *s != DHO_END && s < end; ) {
124 		code = s[0];
125 
126 		/* Pad options don't have a length - just skip them. */
127 		if (code == DHO_PAD) {
128 			s++;
129 			continue;
130 		}
131 		if (s + 2 > end) {
132 			len = 65536;
133 			goto bogus;
134 		}
135 
136 		/*
137 		 * All other fields (except end, see above) have a
138 		 * one-byte length.
139 		 */
140 		len = s[1];
141 
142 		/*
143 		 * If the length is outrageous, silently skip the rest,
144 		 * and mark the packet bad. Unfortunately some crappy
145 		 * dhcp servers always seem to give us garbage on the
146 		 * end of a packet. so rather than keep refusing, give
147 		 * up and try to take one after seeing a few without
148 		 * anything good.
149 		 */
150 		if (s + len + 2 > end) {
151 		    bogus:
152 			bad_options++;
153 			warning("option %s (%d) %s.",
154 			    dhcp_options[code].name, len,
155 			    "larger than buffer");
156 			if (bad_options == bad_options_max) {
157 				packet->options_valid = 1;
158 				bad_options = 0;
159 				warning("Many bogus options seen in offers.");
160 				warning("Taking this offer in spite of bogus");
161 				warning("options - hope for the best!");
162 			} else {
163 				warning("rejecting bogus offer.");
164 				packet->options_valid = 0;
165 			}
166 			return;
167 		}
168 		/*
169 		 * If we haven't seen this option before, just make
170 		 * space for it and copy it there.
171 		 */
172 		if (!packet->options[code].data) {
173 			t = calloc(1, len + 1);
174 			if (!t)
175 				error("Can't allocate storage for option %s.",
176 				    dhcp_options[code].name);
177 			/*
178 			 * Copy and NUL-terminate the option (in case
179 			 * it's an ASCII string).
180 			 */
181 			memcpy(t, &s[2], len);
182 			t[len] = 0;
183 			packet->options[code].len = len;
184 			packet->options[code].data = t;
185 		} else {
186 			/*
187 			 * If it's a repeat, concatenate it to whatever
188 			 * we last saw.   This is really only required
189 			 * for clients, but what the heck...
190 			 */
191 			t = calloc(1, len + packet->options[code].len + 1);
192 			if (!t)
193 				error("Can't expand storage for option %s.",
194 				    dhcp_options[code].name);
195 			memcpy(t, packet->options[code].data,
196 				packet->options[code].len);
197 			memcpy(t + packet->options[code].len,
198 				&s[2], len);
199 			packet->options[code].len += len;
200 			t[packet->options[code].len] = 0;
201 			free(packet->options[code].data);
202 			packet->options[code].data = t;
203 		}
204 		s += len + 2;
205 	}
206 	packet->options_valid = 1;
207 }
208 
209 /*
210  * Fill priority_list with a complete list of DHCP options sorted by
211  * priority. i.e.
212  *     1) Mandatory options.
213  *     2) Options from prl that are not already present.
214  *     3) Options from the default list that are not already present.
215  */
216 void
217 create_priority_list(unsigned char *priority_list, unsigned char *prl,
218     int prl_len)
219 {
220 	unsigned char stored_list[256];
221 	int i, priority_len = 0;
222 
223 	/* clear stored_list, priority_list should be cleared before */
224 	bzero(&stored_list, sizeof(stored_list));
225 
226 	/* Some options we don't want on the priority list. */
227 	stored_list[DHO_PAD] = 1;
228 	stored_list[DHO_END] = 1;
229 
230 	/* Mandatory options. */
231 	for(i = 0; dhcp_option_default_priority_list[i] != DHO_END; i++) {
232 		priority_list[priority_len++] =
233 		    dhcp_option_default_priority_list[i];
234 		stored_list[dhcp_option_default_priority_list[i]] = 1;
235 	}
236 
237 	/* Supplied priority list. */
238 	if (!prl)
239 		prl_len = 0;
240 	for(i = 0; i < prl_len; i++) {
241 		/* CLASSLESS routes always have priority, sayeth RFC 3442. */
242 		if (prl[i] == DHO_CLASSLESS_STATIC_ROUTES ||
243 		    prl[i] == DHO_CLASSLESS_MS_STATIC_ROUTES) {
244 			priority_list[priority_len++] = prl[i];
245 			stored_list[prl[i]] = 1;
246 		}
247 	}
248 	for(i = 0; i < prl_len; i++) {
249 		if (stored_list[prl[i]])
250 			continue;
251 		priority_list[priority_len++] = prl[i];
252 		stored_list[prl[i]] = 1;
253 	}
254 
255 	/* Default priority list. */
256 	prl = dhcp_option_default_priority_list;
257 	for(i = 0; i < 256; i++) {
258 		if (stored_list[prl[i]])
259 			continue;
260 		priority_list[priority_len++] = prl[i];
261 		stored_list[prl[i]] = 1;
262 	}
263 }
264 /*
265  * cons options into a big buffer, and then split them out into the
266  * three separate buffers if needed.  This allows us to cons up a set of
267  * vendor options using the same routine.
268  */
269 int
270 cons_options(struct packet *inpacket, struct dhcp_packet *outpacket,
271     int mms, struct tree_cache **options,
272     int overload, /* Overload flags that may be set. */
273     int terminate, int bootpp, u_int8_t *prl, int prl_len)
274 {
275 	unsigned char priority_list[256];
276 	unsigned char buffer[4096];	/* Really big buffer... */
277 	int bufix, main_buffer_size, option_size;
278 
279 	/*
280 	 * If the client has provided a maximum DHCP message size, use
281 	 * that; otherwise, if it's BOOTP, only 64 bytes; otherwise use
282 	 * up to the minimum IP MTU size (576 bytes).
283 	 *
284 	 * XXX if a BOOTP client specifies a max message size, we will
285 	 * honor it.
286 	 */
287 	if (!mms &&
288 	    inpacket &&
289 	    inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].data &&
290 	    (inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].len >=
291 	    sizeof(u_int16_t))) {
292 		mms = getUShort(
293 		    inpacket->options[DHO_DHCP_MAX_MESSAGE_SIZE].data);
294 	}
295 
296 	if (mms) {
297 		if (mms < 576)
298 			mms = 576;	/* mms must be >= minimum IP MTU */
299 		main_buffer_size = mms - DHCP_FIXED_LEN;
300 	} else if (bootpp)
301 		main_buffer_size = 64;
302 	else
303 		main_buffer_size = 576 - DHCP_FIXED_LEN;
304 
305 	if (main_buffer_size > sizeof(outpacket->options))
306 		main_buffer_size = sizeof(outpacket->options);
307 
308 	/*
309 	 * Initialize the available buffers, some or all of which may not be
310 	 * used.
311 	 */
312 	memset(outpacket->options, DHO_PAD, sizeof(outpacket->options));
313 	if (overload & 1)
314 		memset(outpacket->file, DHO_PAD, DHCP_FILE_LEN);
315 	if (overload & 2)
316 		memset(outpacket->sname, DHO_PAD, DHCP_SNAME_LEN);
317 	if (bootpp)
318 		overload = 0; /* Don't use overload buffers for bootp! */
319 
320 	/*
321 	 * Get complete list of possible options in priority order. Use the
322 	 * list provided in the options. Lacking that use the list provided by
323 	 * prl. If that is not available just use the default list.
324 	 */
325 	bzero(&priority_list, sizeof(priority_list));
326 	if (inpacket && inpacket->options[DHO_DHCP_PARAMETER_REQUEST_LIST].data)
327 		create_priority_list(priority_list,
328 		    inpacket->options[DHO_DHCP_PARAMETER_REQUEST_LIST].data,
329 		    inpacket->options[DHO_DHCP_PARAMETER_REQUEST_LIST].len);
330 	else if (prl)
331 		create_priority_list(priority_list, prl, prl_len);
332 	else
333 		create_priority_list(priority_list, NULL, 0);
334 
335 	/*
336 	 * Copy the options into the big buffer, including leading cookie and
337 	 * DHCP_OVERLOAD_OPTION, and DHO_END if it fits. All unused space will
338 	 * be set to DHO_PAD
339 	 */
340 	option_size = store_options(buffer, main_buffer_size, options,
341 	    priority_list, overload, terminate);
342 	if (option_size == 0)
343 		return (DHCP_FIXED_NON_UDP);
344 
345 	/* Copy the main buffer. */
346 	memcpy(&outpacket->options[0], buffer, main_buffer_size);
347 	if (option_size <= main_buffer_size)
348 		return (DHCP_FIXED_NON_UDP + option_size);
349 
350 	/* Copy the overflow buffers. */
351 	bufix = main_buffer_size;
352 	if (overload & 1) {
353 		memcpy(outpacket->file, &buffer[bufix], DHCP_FILE_LEN);
354 		bufix += DHCP_FILE_LEN;
355 	}
356 	if (overload & 2)
357 		memcpy(outpacket->sname, &buffer[bufix], DHCP_SNAME_LEN);
358 
359 	return (DHCP_FIXED_NON_UDP + main_buffer_size);
360 }
361 
362 /*
363  * Store a <code><length><data> fragment in buffer. Return the number of
364  * characters used. Return 0 if no data could be stored.
365  */
366 int
367 store_option_fragment(unsigned char *buffer, int buffer_size,
368     unsigned char code, int length, unsigned char *data)
369 {
370 	buffer_size -= 2; /* Space for option code and option length. */
371 
372 	if (buffer_size < 1)
373 		return (0);
374 
375 	if (buffer_size > 255)
376 		buffer_size = 255;
377 	if (length > buffer_size)
378 		length = buffer_size;
379 
380 	buffer[0] = code;
381 	buffer[1] = length;
382 
383 	memcpy(&buffer[2], data, length);
384 
385 	return (length + 2);
386 }
387 
388 /*
389  * Store all the requested options into the requested buffer. Insert the
390  * required cookie, DHO_DHCP_OPTION_OVERLOAD options and append a DHO_END if
391  * if fits. Ensure all buffer space is set to DHO_PAD if unused.
392  */
393 int
394 store_options(unsigned char *buffer, int main_buffer_size,
395     struct tree_cache **options, unsigned char *priority_list, int overload,
396     int terminate)
397 {
398 	int buflen, code, cutoff, i, incr, ix, length, optstart, overflow;
399 	int second_cutoff;
400 	int bufix = 0;
401 	int stored_classless = 0;
402 
403 	overload &= 3; /* Only consider valid bits. */
404 
405 	cutoff = main_buffer_size;
406 	second_cutoff = cutoff + ((overload & 1) ? DHCP_FILE_LEN : 0);
407 	buflen = second_cutoff + ((overload & 2) ? DHCP_SNAME_LEN : 0);
408 
409 	memset(buffer, DHO_PAD, buflen);
410 	memcpy(buffer, DHCP_OPTIONS_COOKIE, 4);
411 
412 	if (overload)
413 		bufix = 7; /* Reserve space for DHO_DHCP_OPTION_OVERLOAD. */
414 	else
415 		bufix = 4;
416 
417 	/*
418 	 * Store options in the order they appear in the priority list.
419 	 */
420 	for (i = 0; i < 256; i++) {
421 		/* Code for next option to try to store. */
422 		code = priority_list[i];
423 		if (code == DHO_PAD || code == DHO_END)
424 			continue;
425 
426 		if (!options[code] || !tree_evaluate(options[code]))
427 			continue;
428 
429 		/*
430 		 * RFC 3442 says:
431 		 *
432 		 * When a DHCP client requests the Classless Static
433 		 * Routes option and also requests either or both of the
434 		 * Router option and the Static Routes option, and the
435 		 * DHCP server is sending Classless Static Routes options
436 		 * to that client, the server SHOULD NOT include the
437 		 * Router or Static Routes options.
438 		 */
439 		if ((code == DHO_ROUTERS || code == DHO_STATIC_ROUTES) &&
440 		    stored_classless)
441 			continue;
442 
443 		/* We should now have a constant length for the option. */
444 		length = options[code]->len;
445 
446 		/* Try to store the option. */
447 		optstart = bufix;
448 		ix = 0;
449 		while (length) {
450 			incr = store_option_fragment(&buffer[bufix],
451 			    cutoff - bufix, code, length,
452 			    options[code]->value + ix);
453 
454 			if (incr > 0) {
455 				bufix += incr;
456 				length -= incr - 2;
457 				ix += incr - 2;
458 				continue;
459 			}
460 
461 			/*
462 			 * No fragment could be stored in the space before the
463 			 * cutoff. Fill the unusable space with DHO_PAD and
464 			 * move cutoff for another attempt.
465 			 */
466 			memset(&buffer[bufix], DHO_PAD, cutoff - bufix);
467 			bufix = cutoff;
468 			if (cutoff < second_cutoff)
469 				cutoff = second_cutoff;
470 			else if (cutoff < buflen)
471 				cutoff = buflen;
472 			else
473 				break;
474 		}
475 
476 		if (length > 0) {
477 zapfrags:
478 			memset(&buffer[optstart], DHO_PAD, buflen - optstart);
479 			bufix = optstart;
480 		} else if (terminate && dhcp_options[code].format[0] == 't') {
481 			if (bufix < cutoff)
482 				buffer[bufix++] = '\0';
483 			else
484 				goto zapfrags;
485 		}
486 		if (code == DHO_CLASSLESS_STATIC_ROUTES ||
487 		    code == DHO_CLASSLESS_MS_STATIC_ROUTES)
488 			stored_classless = 1;
489 	}
490 
491 	if (bufix == (4 + (overload ? 3 : 0)))
492 		/* Didn't manage to store any options. */
493 		return (0);
494 
495 	if (bufix < buflen)
496 		buffer[bufix++] = DHO_END;
497 
498 	/* Fill in overload option value based on space used for options. */
499 	if (overload) {
500 		overflow = bufix - main_buffer_size;
501 		if (overflow > 0) {
502 			buffer[4] = DHO_DHCP_OPTION_OVERLOAD;
503 			buffer[5] = 1;
504 			if (overload & 1) {
505 				buffer[6] |= 1;
506 				overflow -= DHCP_FILE_LEN;
507 			}
508 			if ((overload & 2) && overflow > 0)
509 				buffer[6] |= 2;
510 		} else {
511 			/*
512 			 * Compact buffer to eliminate the unused
513 			 * DHO_DHCP_OPTION_OVERLOAD option. Some clients
514 			 * choke on DHO_PAD options there.
515 			 */
516 			memmove(&buffer[4], &buffer[7], buflen - 7);
517 			bufix -= 3;
518 			memset(&buffer[bufix], DHO_PAD, 3);
519 		}
520 	}
521 
522 	return (bufix);
523 }
524 
525 void
526 do_packet(struct interface_info *interface, struct dhcp_packet *packet,
527     int len, unsigned int from_port, struct iaddr from, struct hardware *hfrom)
528 {
529 	struct packet tp;
530 	int i;
531 
532 	if (packet->hlen > sizeof(packet->chaddr)) {
533 		note("Discarding packet with invalid hlen.");
534 		return;
535 	}
536 
537 	memset(&tp, 0, sizeof(tp));
538 	tp.raw = packet;
539 	tp.packet_length = len;
540 	tp.client_port = from_port;
541 	tp.client_addr = from;
542 	tp.interface = interface;
543 	tp.haddr = hfrom;
544 
545 	parse_options(&tp);
546 	if (tp.options_valid &&
547 	    tp.options[DHO_DHCP_MESSAGE_TYPE].data)
548 		tp.packet_type = tp.options[DHO_DHCP_MESSAGE_TYPE].data[0];
549 
550 	if (tp.packet_type)
551 		dhcp(&tp, interface->is_udpsock);
552 	else
553 		bootp(&tp);
554 
555 	/* Free the data associated with the options. */
556 	for (i = 0; i < 256; i++)
557 		free(tp.options[i].data);
558 }
559