MFC: following 2 commits:
[dragonfly.git] / sbin / routed / input.c
blobebbf97e2255b5052cc822f0efd7cafed9f56de5f
1 /*
2 * Copyright (c) 1983, 1988, 1993
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
7 * are met:
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 3. All advertising materials mentioning features or use of this software
14 * must display the following acknowledgment:
15 * This product includes software developed by the University of
16 * California, Berkeley and its contributors.
17 * 4. Neither the name of the University nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
33 * $FreeBSD: src/sbin/routed/input.c,v 1.7.2.1 2001/08/01 09:01:45 obrien Exp $
34 * $DragonFly: src/sbin/routed/input.c,v 1.4 2004/12/18 21:43:40 swildner Exp $
37 #include "defs.h"
39 #if !defined(sgi) && !defined(__NetBSD__)
40 static char sccsid[] __attribute__((unused)) = "@(#)input.c 8.1 (Berkeley) 6/5/93";
41 #elif defined(__NetBSD__)
42 #include <sys/cdefs.h>
43 __RCSID("$NetBSD$");
44 #endif
45 #ident "$FreeBSD: src/sbin/routed/input.c,v 1.7.2.1 2001/08/01 09:01:45 obrien Exp $"
47 static void input(struct sockaddr_in *, struct interface *, struct interface *,
48 struct rip *, int);
49 static void input_route(naddr, naddr, struct rt_spare *, struct netinfo *);
50 static int ck_passwd(struct interface *, struct rip *, void *,
51 naddr, struct msg_limit *);
54 /* process RIP input
56 void
57 read_rip(int sock,
58 struct interface *sifp)
60 struct sockaddr_in from;
61 struct interface *aifp;
62 int fromlen, cc;
63 #ifdef USE_PASSIFNAME
64 static struct msg_limit bad_name;
65 struct {
66 char ifname[IFNAMSIZ];
67 union pkt_buf pbuf;
68 } inbuf;
69 #else
70 struct {
71 union pkt_buf pbuf;
72 } inbuf;
73 #endif
76 for (;;) {
77 fromlen = sizeof(from);
78 cc = recvfrom(sock, &inbuf, sizeof(inbuf), 0,
79 (struct sockaddr*)&from, &fromlen);
80 if (cc <= 0) {
81 if (cc < 0 && errno != EWOULDBLOCK)
82 LOGERR("recvfrom(rip)");
83 break;
85 if (fromlen != sizeof(struct sockaddr_in))
86 logbad(1,"impossible recvfrom(rip) fromlen=%d",
87 fromlen);
89 /* aifp is the "authenticated" interface via which the packet
90 * arrived. In fact, it is only the interface on which
91 * the packet should have arrived based on is source
92 * address.
93 * sifp is interface associated with the socket through which
94 * the packet was received.
96 #ifdef USE_PASSIFNAME
97 if ((cc -= sizeof(inbuf.ifname)) < 0)
98 logbad(0,"missing USE_PASSIFNAME; only %d bytes",
99 cc+sizeof(inbuf.ifname));
101 /* check the remote interfaces first */
102 for (aifp = remote_if; aifp; aifp = aifp->int_rlink) {
103 if (aifp->int_addr == from.sin_addr.s_addr)
104 break;
106 if (aifp == 0) {
107 aifp = ifwithname(inbuf.ifname, 0);
108 if (aifp == 0) {
109 msglim(&bad_name, from.sin_addr.s_addr,
110 "impossible interface name %.*s",
111 IFNAMSIZ, inbuf.ifname);
112 } else if (((aifp->int_if_flags & IFF_POINTOPOINT)
113 && aifp->int_dstaddr!=from.sin_addr.s_addr)
114 || (!(aifp->int_if_flags & IFF_POINTOPOINT)
115 && !on_net(from.sin_addr.s_addr,
116 aifp->int_net,
117 aifp->int_mask))) {
118 /* If it came via the wrong interface, do not
119 * trust it.
121 aifp = 0;
124 #else
125 aifp = iflookup(from.sin_addr.s_addr);
126 #endif
127 if (sifp == 0)
128 sifp = aifp;
130 input(&from, sifp, aifp, &inbuf.pbuf.rip, cc);
135 /* Process a RIP packet
137 static void
138 input(struct sockaddr_in *from, /* received from this IP address */
139 struct interface *sifp, /* interface of incoming socket */
140 struct interface *aifp, /* "authenticated" interface */
141 struct rip *rip,
142 int cc)
144 # define FROM_NADDR from->sin_addr.s_addr
145 static struct msg_limit use_auth, bad_len, bad_mask;
146 static struct msg_limit unk_router, bad_router, bad_nhop;
148 struct rt_entry *rt;
149 struct rt_spare new;
150 struct netinfo *n, *lim;
151 struct interface *ifp1;
152 naddr gate, mask, v1_mask, dst, ddst_h = 0;
153 struct auth *ap;
154 struct tgate *tg = 0;
155 struct tgate_net *tn;
156 int i, j;
158 /* Notice when we hear from a remote gateway
160 if (aifp != 0
161 && (aifp->int_state & IS_REMOTE))
162 aifp->int_act_time = now.tv_sec;
164 trace_rip("Recv", "from", from, sifp, rip, cc);
166 if (rip->rip_vers == 0) {
167 msglim(&bad_router, FROM_NADDR,
168 "RIP version 0, cmd %d, packet received from %s",
169 rip->rip_cmd, naddr_ntoa(FROM_NADDR));
170 return;
171 } else if (rip->rip_vers > RIPv2) {
172 rip->rip_vers = RIPv2;
174 if (cc > (int)OVER_MAXPACKETSIZE) {
175 msglim(&bad_router, FROM_NADDR,
176 "packet at least %d bytes too long received from %s",
177 cc-MAXPACKETSIZE, naddr_ntoa(FROM_NADDR));
178 return;
181 n = rip->rip_nets;
182 lim = (struct netinfo *)((char*)rip + cc);
184 /* Notice authentication.
185 * As required by section 4.2 in RFC 1723, discard authenticated
186 * RIPv2 messages, but only if configured for that silliness.
188 * RIPv2 authentication is lame. Why authenticate queries?
189 * Why should a RIPv2 implementation with authentication disabled
190 * not be able to listen to RIPv2 packets with authentication, while
191 * RIPv1 systems will listen? Crazy!
193 if (!auth_ok
194 && rip->rip_vers == RIPv2
195 && n < lim && n->n_family == RIP_AF_AUTH) {
196 msglim(&use_auth, FROM_NADDR,
197 "RIPv2 message with authentication from %s discarded",
198 naddr_ntoa(FROM_NADDR));
199 return;
202 switch (rip->rip_cmd) {
203 case RIPCMD_REQUEST:
204 /* For mere requests, be a little sloppy about the source
206 if (aifp == 0)
207 aifp = sifp;
209 /* Are we talking to ourself or a remote gateway?
211 ifp1 = ifwithaddr(FROM_NADDR, 0, 1);
212 if (ifp1) {
213 if (ifp1->int_state & IS_REMOTE) {
214 /* remote gateway */
215 aifp = ifp1;
216 if (check_remote(aifp)) {
217 aifp->int_act_time = now.tv_sec;
218 if_ok(aifp, "remote ");
220 } else if (from->sin_port == htons(RIP_PORT)) {
221 trace_pkt(" discard our own RIP request");
222 return;
226 /* did the request come from a router?
228 if (from->sin_port == htons(RIP_PORT)) {
229 /* yes, ignore the request if RIP is off so that
230 * the router does not depend on us.
232 if (rip_sock < 0
233 || (aifp != 0
234 && IS_RIP_OUT_OFF(aifp->int_state))) {
235 trace_pkt(" discard request while RIP off");
236 return;
240 /* According to RFC 1723, we should ignore unauthenticated
241 * queries. That is too silly to bother with. Sheesh!
242 * Are forwarding tables supposed to be secret, when
243 * a bad guy can infer them with test traffic? When RIP
244 * is still the most common router-discovery protocol
245 * and so hosts need to send queries that will be answered?
246 * What about `rtquery`?
247 * Maybe on firewalls you'd care, but not enough to
248 * give up the diagnostic facilities of remote probing.
251 if (n >= lim) {
252 msglim(&bad_len, FROM_NADDR, "empty request from %s",
253 naddr_ntoa(FROM_NADDR));
254 return;
256 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) {
257 msglim(&bad_len, FROM_NADDR,
258 "request of bad length (%d) from %s",
259 cc, naddr_ntoa(FROM_NADDR));
262 if (rip->rip_vers == RIPv2
263 && (aifp == 0 || (aifp->int_state & IS_NO_RIPV1_OUT))) {
264 v12buf.buf->rip_vers = RIPv2;
265 /* If we have a secret but it is a cleartext secret,
266 * do not disclose our secret unless the other guy
267 * already knows it.
269 ap = find_auth(aifp);
270 if (ap != 0 && ap->type == RIP_AUTH_PW
271 && n->n_family == RIP_AF_AUTH
272 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth))
273 ap = 0;
274 } else {
275 v12buf.buf->rip_vers = RIPv1;
276 ap = 0;
278 clr_ws_buf(&v12buf, ap);
280 do {
281 n->n_metric = ntohl(n->n_metric);
283 /* A single entry with family RIP_AF_UNSPEC and
284 * metric HOPCNT_INFINITY means "all routes".
285 * We respond to routers only if we are acting
286 * as a supplier, or to anyone other than a router
287 * (i.e. a query).
289 if (n->n_family == RIP_AF_UNSPEC
290 && n->n_metric == HOPCNT_INFINITY) {
291 /* Answer a query from a utility program
292 * with all we know.
294 if (from->sin_port != htons(RIP_PORT)) {
295 supply(from, aifp, OUT_QUERY, 0,
296 rip->rip_vers, ap != 0);
297 return;
300 /* A router trying to prime its tables.
301 * Filter the answer in the about same way
302 * broadcasts are filtered.
304 * Only answer a router if we are a supplier
305 * to keep an unwary host that is just starting
306 * from picking us as a router.
308 if (aifp == 0) {
309 trace_pkt("ignore distant router");
310 return;
312 if (!supplier
313 || IS_RIP_OFF(aifp->int_state)) {
314 trace_pkt("ignore; not supplying");
315 return;
318 /* Do not answer a RIPv1 router if
319 * we are sending RIPv2. But do offer
320 * poor man's router discovery.
322 if ((aifp->int_state & IS_NO_RIPV1_OUT)
323 && rip->rip_vers == RIPv1) {
324 if (!(aifp->int_state & IS_PM_RDISC)) {
325 trace_pkt("ignore; sending RIPv2");
326 return;
329 v12buf.n->n_family = RIP_AF_INET;
330 v12buf.n->n_dst = RIP_DEFAULT;
331 i = aifp->int_d_metric;
332 if (0 != (rt = rtget(RIP_DEFAULT, 0)))
333 i = MIN(i, (rt->rt_metric
334 +aifp->int_metric+1));
335 v12buf.n->n_metric = htonl(i);
336 v12buf.n++;
337 break;
340 /* Respond with RIPv1 instead of RIPv2 if
341 * that is what we are broadcasting on the
342 * interface to keep the remote router from
343 * getting the wrong initial idea of the
344 * routes we send.
346 supply(from, aifp, OUT_UNICAST, 0,
347 (aifp->int_state & IS_NO_RIPV1_OUT)
348 ? RIPv2 : RIPv1,
349 ap != 0);
350 return;
353 /* Ignore authentication */
354 if (n->n_family == RIP_AF_AUTH)
355 continue;
357 if (n->n_family != RIP_AF_INET) {
358 msglim(&bad_router, FROM_NADDR,
359 "request from %s for unsupported"
360 " (af %d) %s",
361 naddr_ntoa(FROM_NADDR),
362 ntohs(n->n_family),
363 naddr_ntoa(n->n_dst));
364 return;
367 /* We are being asked about a specific destination.
369 dst = n->n_dst;
370 if (!check_dst(dst)) {
371 msglim(&bad_router, FROM_NADDR,
372 "bad queried destination %s from %s",
373 naddr_ntoa(dst),
374 naddr_ntoa(FROM_NADDR));
375 return;
378 /* decide what mask was intended */
379 if (rip->rip_vers == RIPv1
380 || 0 == (mask = ntohl(n->n_mask))
381 || 0 != (ntohl(dst) & ~mask))
382 mask = ripv1_mask_host(dst, aifp);
384 /* try to find the answer */
385 rt = rtget(dst, mask);
386 if (!rt && dst != RIP_DEFAULT)
387 rt = rtfind(n->n_dst);
389 if (v12buf.buf->rip_vers != RIPv1)
390 v12buf.n->n_mask = mask;
391 if (rt == 0) {
392 /* we do not have the answer */
393 v12buf.n->n_metric = HOPCNT_INFINITY;
394 } else {
395 /* we have the answer, so compute the
396 * right metric and next hop.
398 v12buf.n->n_family = RIP_AF_INET;
399 v12buf.n->n_dst = dst;
400 v12buf.n->n_metric = (rt->rt_metric+1
401 + ((aifp!=0)
402 ? aifp->int_metric
403 : 1));
404 if (v12buf.n->n_metric > HOPCNT_INFINITY)
405 v12buf.n->n_metric = HOPCNT_INFINITY;
406 if (v12buf.buf->rip_vers != RIPv1) {
407 v12buf.n->n_tag = rt->rt_tag;
408 v12buf.n->n_mask = mask;
409 if (aifp != 0
410 && on_net(rt->rt_gate,
411 aifp->int_net,
412 aifp->int_mask)
413 && rt->rt_gate != aifp->int_addr)
414 v12buf.n->n_nhop = rt->rt_gate;
417 v12buf.n->n_metric = htonl(v12buf.n->n_metric);
419 /* Stop paying attention if we fill the output buffer.
421 if (++v12buf.n >= v12buf.lim)
422 break;
423 } while (++n < lim);
425 /* Send the answer about specific routes.
427 if (ap != 0 && ap->type == RIP_AUTH_MD5)
428 end_md5_auth(&v12buf, ap);
430 if (from->sin_port != htons(RIP_PORT)) {
431 /* query */
432 output(OUT_QUERY, from, aifp,
433 v12buf.buf,
434 ((char *)v12buf.n - (char*)v12buf.buf));
435 } else if (supplier) {
436 output(OUT_UNICAST, from, aifp,
437 v12buf.buf,
438 ((char *)v12buf.n - (char*)v12buf.buf));
439 } else {
440 /* Only answer a router if we are a supplier
441 * to keep an unwary host that is just starting
442 * from picking us an a router.
446 return;
448 case RIPCMD_TRACEON:
449 case RIPCMD_TRACEOFF:
450 /* Notice that trace messages are turned off for all possible
451 * abuse if _PATH_TRACE is undefined in pathnames.h.
452 * Notice also that because of the way the trace file is
453 * handled in trace.c, no abuse is plausible even if
454 * _PATH_TRACE_ is defined.
456 * First verify message came from a privileged port. */
457 if (ntohs(from->sin_port) > IPPORT_RESERVED) {
458 msglog("trace command from untrusted port on %s",
459 naddr_ntoa(FROM_NADDR));
460 return;
462 if (aifp == 0) {
463 msglog("trace command from unknown router %s",
464 naddr_ntoa(FROM_NADDR));
465 return;
467 if (rip->rip_cmd == RIPCMD_TRACEON) {
468 rip->rip_tracefile[cc-4] = '\0';
469 set_tracefile((char*)rip->rip_tracefile,
470 "trace command: %s\n", 0);
471 } else {
472 trace_off("tracing turned off by %s",
473 naddr_ntoa(FROM_NADDR));
475 return;
477 case RIPCMD_RESPONSE:
478 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) {
479 msglim(&bad_len, FROM_NADDR,
480 "response of bad length (%d) from %s",
481 cc, naddr_ntoa(FROM_NADDR));
484 /* verify message came from a router */
485 if (from->sin_port != ntohs(RIP_PORT)) {
486 msglim(&bad_router, FROM_NADDR,
487 " discard RIP response from unknown port"
488 " %d on host %s", ntohs(from->sin_port),
489 naddr_ntoa(FROM_NADDR));
490 return;
493 if (rip_sock < 0) {
494 trace_pkt(" discard response while RIP off");
495 return;
498 /* Are we talking to ourself or a remote gateway?
500 ifp1 = ifwithaddr(FROM_NADDR, 0, 1);
501 if (ifp1) {
502 if (ifp1->int_state & IS_REMOTE) {
503 /* remote gateway */
504 aifp = ifp1;
505 if (check_remote(aifp)) {
506 aifp->int_act_time = now.tv_sec;
507 if_ok(aifp, "remote ");
509 } else {
510 trace_pkt(" discard our own RIP response");
511 return;
515 /* Accept routing packets from routers directly connected
516 * via broadcast or point-to-point networks, and from
517 * those listed in /etc/gateways.
519 if (aifp == 0) {
520 msglim(&unk_router, FROM_NADDR,
521 " discard response from %s"
522 " via unexpected interface",
523 naddr_ntoa(FROM_NADDR));
524 return;
526 if (IS_RIP_IN_OFF(aifp->int_state)) {
527 trace_pkt(" discard RIPv%d response"
528 " via disabled interface %s",
529 rip->rip_vers, aifp->int_name);
530 return;
533 if (n >= lim) {
534 msglim(&bad_len, FROM_NADDR, "empty response from %s",
535 naddr_ntoa(FROM_NADDR));
536 return;
539 if (((aifp->int_state & IS_NO_RIPV1_IN)
540 && rip->rip_vers == RIPv1)
541 || ((aifp->int_state & IS_NO_RIPV2_IN)
542 && rip->rip_vers != RIPv1)) {
543 trace_pkt(" discard RIPv%d response",
544 rip->rip_vers);
545 return;
548 /* Ignore routes via dead interface.
550 if (aifp->int_state & IS_BROKE) {
551 trace_pkt("discard response via broken interface %s",
552 aifp->int_name);
553 return;
556 /* If the interface cares, ignore bad routers.
557 * Trace but do not log this problem, because where it
558 * happens, it happens frequently.
560 if (aifp->int_state & IS_DISTRUST) {
561 tg = tgates;
562 while (tg->tgate_addr != FROM_NADDR) {
563 tg = tg->tgate_next;
564 if (tg == 0) {
565 trace_pkt(" discard RIP response"
566 " from untrusted router %s",
567 naddr_ntoa(FROM_NADDR));
568 return;
573 /* Authenticate the packet if we have a secret.
574 * If we do not have any secrets, ignore the error in
575 * RFC 1723 and accept it regardless.
577 if (aifp->int_auth[0].type != RIP_AUTH_NONE
578 && rip->rip_vers != RIPv1
579 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth))
580 return;
582 do {
583 if (n->n_family == RIP_AF_AUTH)
584 continue;
586 n->n_metric = ntohl(n->n_metric);
587 dst = n->n_dst;
588 if (n->n_family != RIP_AF_INET
589 && (n->n_family != RIP_AF_UNSPEC
590 || dst != RIP_DEFAULT)) {
591 msglim(&bad_router, FROM_NADDR,
592 "route from %s to unsupported"
593 " address family=%d destination=%s",
594 naddr_ntoa(FROM_NADDR),
595 n->n_family,
596 naddr_ntoa(dst));
597 continue;
599 if (!check_dst(dst)) {
600 msglim(&bad_router, FROM_NADDR,
601 "bad destination %s from %s",
602 naddr_ntoa(dst),
603 naddr_ntoa(FROM_NADDR));
604 return;
606 if (n->n_metric == 0
607 || n->n_metric > HOPCNT_INFINITY) {
608 msglim(&bad_router, FROM_NADDR,
609 "bad metric %d from %s"
610 " for destination %s",
611 n->n_metric,
612 naddr_ntoa(FROM_NADDR),
613 naddr_ntoa(dst));
614 return;
617 /* Notice the next-hop.
619 gate = FROM_NADDR;
620 if (n->n_nhop != 0) {
621 if (rip->rip_vers == RIPv1) {
622 n->n_nhop = 0;
623 } else {
624 /* Use it only if it is valid. */
625 if (on_net(n->n_nhop,
626 aifp->int_net, aifp->int_mask)
627 && check_dst(n->n_nhop)) {
628 gate = n->n_nhop;
629 } else {
630 msglim(&bad_nhop, FROM_NADDR,
631 "router %s to %s"
632 " has bad next hop %s",
633 naddr_ntoa(FROM_NADDR),
634 naddr_ntoa(dst),
635 naddr_ntoa(n->n_nhop));
636 n->n_nhop = 0;
641 if (rip->rip_vers == RIPv1
642 || 0 == (mask = ntohl(n->n_mask))) {
643 mask = ripv1_mask_host(dst,aifp);
644 } else if ((ntohl(dst) & ~mask) != 0) {
645 msglim(&bad_mask, FROM_NADDR,
646 "router %s sent bad netmask"
647 " %#lx with %s",
648 naddr_ntoa(FROM_NADDR),
649 (u_long)mask,
650 naddr_ntoa(dst));
651 continue;
653 if (rip->rip_vers == RIPv1)
654 n->n_tag = 0;
656 /* Adjust metric according to incoming interface..
658 n->n_metric += aifp->int_metric;
659 if (n->n_metric > HOPCNT_INFINITY)
660 n->n_metric = HOPCNT_INFINITY;
662 /* Should we trust this route from this router? */
663 if (tg && (tn = tg->tgate_nets)->mask != 0) {
664 for (i = 0; i < MAX_TGATE_NETS; i++, tn++) {
665 if (on_net(dst, tn->net, tn->mask)
666 && tn->mask <= mask)
667 break;
669 if (i >= MAX_TGATE_NETS || tn->mask == 0) {
670 trace_pkt(" ignored unauthorized %s",
671 addrname(dst,mask,0));
672 continue;
676 /* Recognize and ignore a default route we faked
677 * which is being sent back to us by a machine with
678 * broken split-horizon.
679 * Be a little more paranoid than that, and reject
680 * default routes with the same metric we advertised.
682 if (aifp->int_d_metric != 0
683 && dst == RIP_DEFAULT
684 && (int)n->n_metric >= aifp->int_d_metric)
685 continue;
687 /* We can receive aggregated RIPv2 routes that must
688 * be broken down before they are transmitted by
689 * RIPv1 via an interface on a subnet.
690 * We might also receive the same routes aggregated
691 * via other RIPv2 interfaces.
692 * This could cause duplicate routes to be sent on
693 * the RIPv1 interfaces. "Longest matching variable
694 * length netmasks" lets RIPv2 listeners understand,
695 * but breaking down the aggregated routes for RIPv1
696 * listeners can produce duplicate routes.
698 * Breaking down aggregated routes here bloats
699 * the daemon table, but does not hurt the kernel
700 * table, since routes are always aggregated for
701 * the kernel.
703 * Notice that this does not break down network
704 * routes corresponding to subnets. This is part
705 * of the defense against RS_NET_SYN.
707 if (have_ripv1_out
708 && (((rt = rtget(dst,mask)) == 0
709 || !(rt->rt_state & RS_NET_SYN)))
710 && (v1_mask = ripv1_mask_net(dst,0)) > mask) {
711 ddst_h = v1_mask & -v1_mask;
712 i = (v1_mask & ~mask)/ddst_h;
713 if (i >= 511) {
714 /* Punt if we would have to generate
715 * an unreasonable number of routes.
717 if (TRACECONTENTS)
718 trace_misc("accept %s-->%s as 1"
719 " instead of %d routes",
720 addrname(dst,mask,0),
721 naddr_ntoa(FROM_NADDR),
722 i+1);
723 i = 0;
724 } else {
725 mask = v1_mask;
727 } else {
728 i = 0;
731 new.rts_gate = gate;
732 new.rts_router = FROM_NADDR;
733 new.rts_metric = n->n_metric;
734 new.rts_tag = n->n_tag;
735 new.rts_time = now.tv_sec;
736 new.rts_ifp = aifp;
737 new.rts_de_ag = i;
738 j = 0;
739 for (;;) {
740 input_route(dst, mask, &new, n);
741 if (++j > i)
742 break;
743 dst = htonl(ntohl(dst) + ddst_h);
745 } while (++n < lim);
746 break;
748 #undef FROM_NADDR
752 /* Process a single input route.
754 static void
755 input_route(naddr dst, /* network order */
756 naddr mask,
757 struct rt_spare *new,
758 struct netinfo *n)
760 int i;
761 struct rt_entry *rt;
762 struct rt_spare *rts, *rts0;
763 struct interface *ifp1;
766 /* See if the other guy is telling us to send our packets to him.
767 * Sometimes network routes arrive over a point-to-point link for
768 * the network containing the address(es) of the link.
770 * If our interface is broken, switch to using the other guy.
772 ifp1 = ifwithaddr(dst, 1, 1);
773 if (ifp1 != 0
774 && (!(ifp1->int_state & IS_BROKE)
775 || (ifp1->int_state & IS_PASSIVE)))
776 return;
778 /* Look for the route in our table.
780 rt = rtget(dst, mask);
782 /* Consider adding the route if we do not already have it.
784 if (rt == 0) {
785 /* Ignore unknown routes being poisoned.
787 if (new->rts_metric == HOPCNT_INFINITY)
788 return;
790 /* Ignore the route if it points to us */
791 if (n->n_nhop != 0
792 && 0 != ifwithaddr(n->n_nhop, 1, 0))
793 return;
795 /* If something has not gone crazy and tried to fill
796 * our memory, accept the new route.
798 if (total_routes < MAX_ROUTES)
799 rtadd(dst, mask, 0, new);
800 return;
803 /* We already know about the route. Consider this update.
805 * If (rt->rt_state & RS_NET_SYN), then this route
806 * is the same as a network route we have inferred
807 * for subnets we know, in order to tell RIPv1 routers
808 * about the subnets.
810 * It is impossible to tell if the route is coming
811 * from a distant RIPv2 router with the standard
812 * netmask because that router knows about the entire
813 * network, or if it is a round-about echo of a
814 * synthetic, RIPv1 network route of our own.
815 * The worst is that both kinds of routes might be
816 * received, and the bad one might have the smaller
817 * metric. Partly solve this problem by never
818 * aggregating into such a route. Also keep it
819 * around as long as the interface exists.
822 rts0 = rt->rt_spares;
823 for (rts = rts0, i = NUM_SPARES; i != 0; i--, rts++) {
824 if (rts->rts_router == new->rts_router)
825 break;
826 /* Note the worst slot to reuse,
827 * other than the current slot.
829 if (rts0 == rt->rt_spares
830 || BETTER_LINK(rt, rts0, rts))
831 rts0 = rts;
833 if (i != 0) {
834 /* Found a route from the router already in the table.
837 /* If the new route is a route broken down from an
838 * aggregated route, and if the previous route is either
839 * not a broken down route or was broken down from a finer
840 * netmask, and if the previous route is current,
841 * then forget this one.
843 if (new->rts_de_ag > rts->rts_de_ag
844 && now_stale <= rts->rts_time)
845 return;
847 /* Keep poisoned routes around only long enough to pass
848 * the poison on. Use a new timestamp for good routes.
850 if (rts->rts_metric == HOPCNT_INFINITY
851 && new->rts_metric == HOPCNT_INFINITY)
852 new->rts_time = rts->rts_time;
854 /* If this is an update for the router we currently prefer,
855 * then note it.
857 if (i == NUM_SPARES) {
858 rtchange(rt, rt->rt_state, new, 0);
859 /* If the route got worse, check for something better.
861 if (new->rts_metric > rts->rts_metric)
862 rtswitch(rt, 0);
863 return;
866 /* This is an update for a spare route.
867 * Finished if the route is unchanged.
869 if (rts->rts_gate == new->rts_gate
870 && rts->rts_metric == new->rts_metric
871 && rts->rts_tag == new->rts_tag) {
872 trace_upslot(rt, rts, new);
873 *rts = *new;
874 return;
876 /* Forget it if it has gone bad.
878 if (new->rts_metric == HOPCNT_INFINITY) {
879 rts_delete(rt, rts);
880 return;
883 } else {
884 /* The update is for a route we know about,
885 * but not from a familiar router.
887 * Ignore the route if it points to us.
889 if (n->n_nhop != 0
890 && 0 != ifwithaddr(n->n_nhop, 1, 0))
891 return;
893 /* the loop above set rts0=worst spare */
894 rts = rts0;
896 /* Save the route as a spare only if it has
897 * a better metric than our worst spare.
898 * This also ignores poisoned routes (those
899 * received with metric HOPCNT_INFINITY).
901 if (new->rts_metric >= rts->rts_metric)
902 return;
905 trace_upslot(rt, rts, new);
906 *rts = *new;
908 /* try to switch to a better route */
909 rtswitch(rt, rts);
913 static int /* 0 if bad */
914 ck_passwd(struct interface *aifp,
915 struct rip *rip,
916 void *lim,
917 naddr from,
918 struct msg_limit *use_authp)
920 # define NA (rip->rip_auths)
921 struct netauth *na2;
922 struct auth *ap;
923 MD5_CTX md5_ctx;
924 u_char hash[RIP_AUTH_PW_LEN];
925 int i, len;
928 if ((void *)NA >= lim || NA->a_family != RIP_AF_AUTH) {
929 msglim(use_authp, from, "missing password from %s",
930 naddr_ntoa(from));
931 return 0;
934 /* accept any current (+/- 24 hours) password
936 for (ap = aifp->int_auth, i = 0; i < MAX_AUTH_KEYS; i++, ap++) {
937 if (ap->type != NA->a_type
938 || (u_long)ap->start > (u_long)clk.tv_sec+DAY
939 || (u_long)ap->end+DAY < (u_long)clk.tv_sec)
940 continue;
942 if (NA->a_type == RIP_AUTH_PW) {
943 if (!memcmp(NA->au.au_pw, ap->key, RIP_AUTH_PW_LEN))
944 return 1;
946 } else {
947 /* accept MD5 secret with the right key ID
949 if (NA->au.a_md5.md5_keyid != ap->keyid)
950 continue;
952 len = ntohs(NA->au.a_md5.md5_pkt_len);
953 if ((len-sizeof(*rip)) % sizeof(*NA) != 0
954 || len != (char *)lim-(char*)rip-(int)sizeof(*NA)) {
955 msglim(use_authp, from,
956 "wrong MD5 RIPv2 packet length of %d"
957 " instead of %d from %s",
958 len, (int)((char *)lim-(char *)rip
959 -sizeof(*NA)),
960 naddr_ntoa(from));
961 return 0;
963 na2 = (struct netauth *)((char *)rip+len);
965 /* Given a good hash value, these are not security
966 * problems so be generous and accept the routes,
967 * after complaining.
969 if (TRACEPACKETS) {
970 if (NA->au.a_md5.md5_auth_len
971 != RIP_AUTH_MD5_LEN)
972 msglim(use_authp, from,
973 "unknown MD5 RIPv2 auth len %#x"
974 " instead of %#x from %s",
975 NA->au.a_md5.md5_auth_len,
976 RIP_AUTH_MD5_LEN,
977 naddr_ntoa(from));
978 if (na2->a_family != RIP_AF_AUTH)
979 msglim(use_authp, from,
980 "unknown MD5 RIPv2 family %#x"
981 " instead of %#x from %s",
982 na2->a_family, RIP_AF_AUTH,
983 naddr_ntoa(from));
984 if (na2->a_type != ntohs(1))
985 msglim(use_authp, from,
986 "MD5 RIPv2 hash has %#x"
987 " instead of %#x from %s",
988 na2->a_type, ntohs(1),
989 naddr_ntoa(from));
992 MD5Init(&md5_ctx);
993 MD5Update(&md5_ctx, (u_char *)rip, len);
994 MD5Update(&md5_ctx, ap->key, RIP_AUTH_MD5_LEN);
995 MD5Final(hash, &md5_ctx);
996 if (!memcmp(hash, na2->au.au_pw, sizeof(hash)))
997 return 1;
1001 msglim(use_authp, from, "bad password from %s",
1002 naddr_ntoa(from));
1003 return 0;
1004 #undef NA