contrib/tcp_wrappers/fix_options.c

   1  /*
   2   * Routine to disable IP-level socket options. This code was taken from 4.4BSD
   3   * rlogind and kernel source, but all mistakes in it are my fault.
   4   *
   5   * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
   6   *
   7   * $FreeBSD: src/contrib/tcp_wrappers/fix_options.c,v 1.2 2000/02/03 10:26:57 shin Exp $
   8   * $DragonFly: src/contrib/tcp_wrappers/fix_options.c,v 1.2 2003/06/17 04:24:06 dillon Exp $
   9   */
  10
  11 #ifndef lint
  12 static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19";
  13 #endif
  14
  15 #include <sys/types.h>
  16 #include <sys/param.h>
  17 #ifdef INET6
  18 #include <sys/socket.h>
  19 #endif
  20 #include <netinet/in.h>
  21 #include <netinet/in_systm.h>
  22 #include <netinet/ip.h>
  23 #include <netdb.h>
  24 #include <stdio.h>
  25 #include <syslog.h>
  26
  27 #ifndef IPOPT_OPTVAL
  28 #define IPOPT_OPTVAL    0
  29 #define IPOPT_OLEN      1
  30 #endif
  31
  32 #include "tcpd.h"
  33
  34 #define BUFFER_SIZE     512             /* Was: BUFSIZ */
  35
  36 /* fix_options - get rid of IP-level socket options */
  37
  38 void
  39 fix_options(request)
  40 struct request_info *request;
  41 {
  42 #ifdef IP_OPTIONS
  43     unsigned char optbuf[BUFFER_SIZE / 3], *cp;
  44     char    lbuf[BUFFER_SIZE], *lp;
  45     int     optsize = sizeof(optbuf), ipproto;
  46     struct protoent *ip;
  47     int     fd = request->fd;
  48     unsigned int opt;
  49     int     optlen;
  50     struct in_addr dummy;
  51 #ifdef INET6
  52     struct sockaddr_storage ss;
  53     int sslen;
  54
  55     /*
  56      * check if this is AF_INET socket
  57      * XXX IPv6 support?
  58      */
  59     sslen = sizeof(ss);
  60     if (getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0) {
  61         syslog(LOG_ERR, "getpeername: %m");
  62         clean_exit(request);
  63     }
  64     if (ss.ss_family != AF_INET)
  65         return;
  66 #endif
  67
  68     if ((ip = getprotobyname("ip")) != 0)
  69         ipproto = ip->p_proto;
  70     else
  71         ipproto = IPPROTO_IP;
  72
  73     if (getsockopt(fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0
  74         && optsize != 0) {
  75
  76         /*
  77          * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination
  78          * address to the result IP options list when source routing options
  79          * are present (see <netinet/ip_var.h>), but produces no output for
  80          * other IP options. Solaris 2.x getsockopt() does produce output for
  81          * non-routing IP options, and uses the same format as BSD even when
  82          * the space for the destination address is unused. The code below
  83          * does the right thing with 4.[34]BSD derivatives and Solaris 2, but
  84          * may occasionally miss source routing options on incompatible
  85          * systems such as Linux. Their choice.
  86          *
  87          * Look for source routing options. Drop the connection when one is
  88          * found. Just wiping the IP options is insufficient: we would still
  89          * help the attacker by providing a real TCP sequence number, and the
  90          * attacker would still be able to send packets (blind spoofing). I
  91          * discussed this attack with Niels Provos, half a year before the
  92          * attack was described in open mailing lists.
  93          *
  94          * It would be cleaner to just return a yes/no reply and let the caller
  95          * decide how to deal with it. Resident servers should not terminate.
  96          * However I am not prepared to make changes to internal interfaces
  97          * on short notice.
  98          */
  99 #define ADDR_LEN sizeof(dummy.s_addr)
 100
 101         for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) {
 102             opt = cp[IPOPT_OPTVAL];
 103             if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
 104                 syslog(LOG_WARNING,
 105                    "refused connect from %s with IP source routing options",
 106                        eval_client(request));
 107                 shutdown(fd, 2);
 108                 return;
 109             }
 110             if (opt == IPOPT_EOL)
 111                 break;
 112             if (opt == IPOPT_NOP) {
 113                 optlen = 1;
 114             } else {
 115                 optlen = cp[IPOPT_OLEN];
 116                 if (optlen <= 0)                /* Do not loop! */
 117                     break;
 118             }
 119         }
 120         lp = lbuf;
 121         for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
 122             sprintf(lp, " %2.2x", *cp);
 123         syslog(LOG_NOTICE,
 124                "connect from %s with IP options (ignored):%s",
 125                eval_client(request), lbuf);
 126         if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) {
 127             syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
 128             shutdown(fd, 2);
 129         }
 130     }
 131 #endif
 132 }