xref: /openbsd-src/usr.sbin/dhcpd/packet.c (revision d59bb9942320b767f2a19aaa7690c8c6e30b724c) 
1 /*	$OpenBSD: packet.c,v 1.12 2017/02/13 19:13:14 krw Exp $	*/
2 
3 /* Packet assembly code, originally contributed by Archie Cobbs. */
4 
5 /*
6  * Copyright (c) 1995, 1996, 1999 The Internet Software Consortium.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  *
13  * 1. Redistributions of source code must retain the above copyright
14  *    notice, this list of conditions and the following disclaimer.
15  * 2. Redistributions in binary form must reproduce the above copyright
16  *    notice, this list of conditions and the following disclaimer in the
17  *    documentation and/or other materials provided with the distribution.
18  * 3. Neither the name of The Internet Software Consortium nor the names
19  *    of its contributors may be used to endorse or promote products derived
20  *    from this software without specific prior written permission.
21  *
22  * THIS SOFTWARE IS PROVIDED BY THE INTERNET SOFTWARE CONSORTIUM AND
23  * CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES,
24  * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
25  * MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
26  * DISCLAIMED.  IN NO EVENT SHALL THE INTERNET SOFTWARE CONSORTIUM OR
27  * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
29  * LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF
30  * USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND
31  * ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY,
32  * OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
33  * OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
34  * SUCH DAMAGE.
35  *
36  * This software has been written for the Internet Software Consortium
37  * by Ted Lemon <mellon@fugue.com> in cooperation with Vixie
38  * Enterprises.  To learn more about the Internet Software Consortium,
39  * see ``http://www.vix.com/isc''.  To learn more about Vixie
40  * Enterprises, see ``http://www.vix.com''.
41  */
42 
43 #include <sys/types.h>
44 #include <sys/socket.h>
45 
46 #include <net/if.h>
47 
48 #include <netinet/in.h>
49 #include <netinet/ip.h>
50 #include <netinet/udp.h>
51 #include <netinet/if_ether.h>
52 
53 #include <stdio.h>
54 #include <string.h>
55 
56 #include "dhcp.h"
57 #include "tree.h"
58 #include "dhcpd.h"
59 #include "log.h"
60 
61 u_int32_t	checksum(unsigned char *, unsigned, u_int32_t);
62 u_int32_t	wrapsum(u_int32_t);
63 
64 u_int32_t
65 checksum(unsigned char *buf, unsigned nbytes, u_int32_t sum)
66 {
67 	int i;
68 
69 	/* Checksum all the pairs of bytes first... */
70 	for (i = 0; i < (nbytes & ~1U); i += 2) {
71 		sum += (u_int16_t)ntohs(*((u_int16_t *)(buf + i)));
72 		if (sum > 0xFFFF)
73 			sum -= 0xFFFF;
74 	}
75 
76 	/*
77 	 * If there's a single byte left over, checksum it, too.
78 	 * Network byte order is big-endian, so the remaining byte is
79 	 * the high byte.
80 	 */
81 	if (i < nbytes) {
82 		sum += buf[i] << 8;
83 		if (sum > 0xFFFF)
84 			sum -= 0xFFFF;
85 	}
86 
87 	return (sum);
88 }
89 
90 u_int32_t
91 wrapsum(u_int32_t sum)
92 {
93 	sum = ~sum & 0xFFFF;
94 	return (htons(sum));
95 }
96 
97 void
98 assemble_hw_header(struct interface_info *interface, unsigned char *buf,
99     int *bufix, struct hardware *to)
100 {
101 	struct ether_header eh;
102 
103 	if (to != NULL && to->hlen == 6) /* XXX */
104 		memcpy(eh.ether_dhost, to->haddr, sizeof(eh.ether_dhost));
105 	else
106 		memset(eh.ether_dhost, 0xff, sizeof(eh.ether_dhost));
107 
108 	/* source address is filled in by the kernel */
109 	memset(eh.ether_shost, 0x00, sizeof(eh.ether_shost));
110 
111 	eh.ether_type = htons(ETHERTYPE_IP);
112 
113 	memcpy(&buf[*bufix], &eh, ETHER_HDR_LEN);
114 	*bufix += ETHER_HDR_LEN;
115 }
116 
117 void
118 assemble_udp_ip_header(struct interface_info *interface, unsigned char *buf,
119     int *bufix, u_int32_t from, u_int32_t to, unsigned int port,
120     unsigned char *data, int len)
121 {
122 	struct ip ip;
123 	struct udphdr udp;
124 
125 	ip.ip_v = 4;
126 	ip.ip_hl = 5;
127 	ip.ip_tos = IPTOS_LOWDELAY;
128 	ip.ip_len = htons(sizeof(ip) + sizeof(udp) + len);
129 	ip.ip_id = 0;
130 	ip.ip_off = 0;
131 	ip.ip_ttl = 16;
132 	ip.ip_p = IPPROTO_UDP;
133 	ip.ip_sum = 0;
134 	ip.ip_src.s_addr = from;
135 	ip.ip_dst.s_addr = to;
136 
137 	ip.ip_sum = wrapsum(checksum((unsigned char *)&ip, sizeof(ip), 0));
138 	memcpy(&buf[*bufix], &ip, sizeof(ip));
139 	*bufix += sizeof(ip);
140 
141 	udp.uh_sport = server_port;	/* XXX */
142 	udp.uh_dport = port;			/* XXX */
143 	udp.uh_ulen = htons(sizeof(udp) + len);
144 	memset(&udp.uh_sum, 0, sizeof(udp.uh_sum));
145 
146 	udp.uh_sum = wrapsum(checksum((unsigned char *)&udp, sizeof(udp),
147 	    checksum(data, len, checksum((unsigned char *)&ip.ip_src,
148 	    2 * sizeof(ip.ip_src),
149 	    IPPROTO_UDP + (u_int32_t)ntohs(udp.uh_ulen)))));
150 
151 	memcpy(&buf[*bufix], &udp, sizeof(udp));
152 	*bufix += sizeof(udp);
153 }
154 
155 ssize_t
156 decode_hw_header(struct interface_info *interface, unsigned char *buf,
157     int bufix, struct hardware *from)
158 {
159 	struct ether_header eh;
160 
161 	memcpy(&eh, buf + bufix, ETHER_HDR_LEN);
162 
163 	memcpy(from->haddr, eh.ether_shost, sizeof(eh.ether_shost));
164 	from->htype = ARPHRD_ETHER;
165 	from->hlen = sizeof(eh.ether_shost);
166 
167 	return (sizeof(eh));
168 }
169 
170 ssize_t
171 decode_udp_ip_header(struct interface_info *interface, unsigned char *buf,
172     int bufix, struct sockaddr_in *from, int buflen)
173 {
174 	struct ip *ip;
175 	struct udphdr *udp;
176 	unsigned char *data;
177 	u_int32_t ip_len;
178 	u_int32_t sum, usum;
179 	static unsigned int ip_packets_seen;
180 	static unsigned int ip_packets_bad_checksum;
181 	static unsigned int udp_packets_seen;
182 	static unsigned int udp_packets_bad_checksum;
183 	static unsigned int udp_packets_length_checked;
184 	static unsigned int udp_packets_length_overflow;
185 	int len;
186 
187 	/* Assure that an entire IP header is within the buffer. */
188 	if (sizeof(*ip) > buflen)
189 		return (-1);
190 	ip_len = (buf[bufix] & 0xf) << 2;
191 	if (ip_len > buflen)
192 		return (-1);
193 
194 	ip = (struct ip *)(buf + bufix);
195 	ip_packets_seen++;
196 
197 	/* Check the IP header checksum - it should be zero. */
198 	if (wrapsum(checksum(buf + bufix, ip_len, 0)) != 0) {
199 		ip_packets_bad_checksum++;
200 		if (ip_packets_seen > 4 && ip_packets_bad_checksum != 0 &&
201 		    (ip_packets_seen / ip_packets_bad_checksum) < 2) {
202 			log_info("%u bad IP checksums seen in %u packets",
203 			    ip_packets_bad_checksum, ip_packets_seen);
204 			ip_packets_seen = ip_packets_bad_checksum = 0;
205 		}
206 		return (-1);
207 	}
208 
209 	memcpy(&from->sin_addr, &ip->ip_src, sizeof(from->sin_addr));
210 
211 #ifdef DEBUG
212 	if (ntohs(ip->ip_len) != buflen)
213 		log_debug("ip length %d disagrees with bytes received %d.",
214 		    ntohs(ip->ip_len), buflen);
215 #endif
216 
217 
218 	/* Assure that the entire IP packet is within the buffer. */
219 	if (ntohs(ip->ip_len) > buflen)
220 		return (-1);
221 
222 	/* Assure that the UDP header is within the buffer. */
223 	if (ip_len + sizeof(*udp) > buflen)
224 		return (-1);
225 	udp = (struct udphdr *)(buf + bufix + ip_len);
226 	udp_packets_seen++;
227 
228 	/* Assure that the entire UDP packet is within the buffer. */
229 	if (ip_len + ntohs(udp->uh_ulen) > buflen)
230 		return (-1);
231 	data = buf + bufix + ip_len + sizeof(*udp);
232 
233 	/*
234 	 * Compute UDP checksums, including the ``pseudo-header'', the
235 	 * UDP header and the data. If the UDP checksum field is zero,
236 	 * we're not supposed to do a checksum.
237 	 */
238 	udp_packets_length_checked++;
239 	len = ntohs(udp->uh_ulen) - sizeof(*udp);
240 	if ((len < 0) || (len + data > buf + bufix + buflen)) {
241 		udp_packets_length_overflow++;
242 		if (udp_packets_length_checked > 4 &&
243 		    udp_packets_length_overflow != 0 &&
244 		    (udp_packets_length_checked /
245 		    udp_packets_length_overflow) < 2) {
246 			log_info("%u udp packets in %u too long - dropped",
247 			    udp_packets_length_overflow,
248 			    udp_packets_length_checked);
249 			udp_packets_length_overflow =
250 			    udp_packets_length_checked = 0;
251 		}
252 		return (-1);
253 	}
254 	if (len + data != buf + bufix + buflen)
255 		log_debug("accepting packet with data after udp payload.");
256 
257 	usum = udp->uh_sum;
258 	udp->uh_sum = 0;
259 
260 	sum = wrapsum(checksum((unsigned char *)udp, sizeof(*udp),
261 	    checksum(data, len, checksum((unsigned char *)&ip->ip_src,
262 	    2 * sizeof(ip->ip_src),
263 	    IPPROTO_UDP + (u_int32_t)ntohs(udp->uh_ulen)))));
264 
265 	udp_packets_seen++;
266 	if (usum && usum != sum) {
267 		udp_packets_bad_checksum++;
268 		if (udp_packets_seen > 4 && udp_packets_bad_checksum != 0 &&
269 		    (udp_packets_seen / udp_packets_bad_checksum) < 2) {
270 			log_info("%u bad udp checksums in %u packets",
271 			    udp_packets_bad_checksum, udp_packets_seen);
272 			udp_packets_seen = udp_packets_bad_checksum = 0;
273 		}
274 		return (-1);
275 	}
276 
277 	memcpy(&from->sin_port, &udp->uh_sport, sizeof(udp->uh_sport));
278 
279 	return (ip_len + sizeof(*udp));
280 }
281