/* $NetBSD: input.c,v 1.31 2009/10/26 02:53:15 christos Exp $ */ /* * Copyright (c) 1983, 1988, 1993 * The Regents of the University of California. All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. All advertising materials mentioning features or use of this software * must display the following acknowledgment: * This product includes software developed by the University of * California, Berkeley and its contributors. * 4. Neither the name of the University nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #include "defs.h" #ifdef __NetBSD__ __RCSID("$NetBSD: input.c,v 1.31 2009/10/26 02:53:15 christos Exp $"); #elif defined(__FreeBSD__) __RCSID("$FreeBSD$"); #else __RCSID("Revision: 2.26 "); #ident "Revision: 2.26 " #endif static void input(struct sockaddr_in *, struct interface *, struct interface *, struct rip *, int); static void input_route(naddr, naddr, struct rt_spare *, struct netinfo *); static int ck_passwd(struct interface *, struct rip *, void *, naddr, struct msg_limit *); /* process RIP input */ void read_rip(int sock, struct interface *sifp) { struct sockaddr_in from; struct interface *aifp; socklen_t fromlen; int cc; #ifdef USE_PASSIFNAME static struct msg_limit bad_name; struct { char ifname[IFNAMSIZ]; union pkt_buf pbuf; } inbuf; #else struct { union pkt_buf pbuf; } inbuf; #endif for (;;) { fromlen = sizeof(from); cc = recvfrom(sock, &inbuf, sizeof(inbuf), 0, (struct sockaddr*)&from, &fromlen); if (cc <= 0) { if (cc < 0 && errno != EWOULDBLOCK) LOGERR("recvfrom(rip)"); break; } if (fromlen != sizeof(struct sockaddr_in)) logbad(1,"impossible recvfrom(rip) fromlen=%d", fromlen); /* aifp is the "authenticated" interface via which the packet * arrived. In fact, it is only the interface on which * the packet should have arrived based on is source * address. * sifp is interface associated with the socket through which * the packet was received. */ #ifdef USE_PASSIFNAME if ((cc -= sizeof(inbuf.ifname)) < 0) logbad(0,"missing USE_PASSIFNAME; only %d bytes", cc+sizeof(inbuf.ifname)); /* check the remote interfaces first */ for (aifp = remote_if; aifp; aifp = aifp->int_rlink) { if (aifp->int_addr == from.sin_addr.s_addr) break; } if (aifp == 0) { aifp = ifwithname(inbuf.ifname, 0); if (aifp == 0) { msglim(&bad_name, from.sin_addr.s_addr, "impossible interface name %.*s", IFNAMSIZ, inbuf.ifname); } else if (((aifp->int_if_flags & IFF_POINTOPOINT) && aifp->int_dstaddr!=from.sin_addr.s_addr) || (!(aifp->int_if_flags & IFF_POINTOPOINT) && !on_net(from.sin_addr.s_addr, aifp->int_net, aifp->int_mask))) { /* If it came via the wrong interface, do not * trust it. */ aifp = 0; } } #else aifp = iflookup(from.sin_addr.s_addr); #endif if (sifp == 0) sifp = aifp; input(&from, sifp, aifp, &inbuf.pbuf.rip, cc); } } /* Process a RIP packet */ static void input(struct sockaddr_in *from, /* received from this IP address */ struct interface *sifp, /* interface of incoming socket */ struct interface *aifp, /* "authenticated" interface */ struct rip *rip, int cc) { # define FROM_NADDR from->sin_addr.s_addr static struct msg_limit use_auth, bad_len, bad_mask; static struct msg_limit unk_router, bad_router, bad_nhop; struct rt_entry *rt; struct rt_spare new; struct netinfo *n, *lim; struct interface *ifp1; naddr gate, mask, v1_mask, dst, ddst_h = 0; struct auth *ap; struct tgate *tg = 0; struct tgate_net *tn; int i, j; /* Notice when we hear from a remote gateway */ if (aifp != 0 && (aifp->int_state & IS_REMOTE)) aifp->int_act_time = now.tv_sec; trace_rip("Recv", "from", from, sifp, rip, cc); if (rip->rip_vers == 0) { msglim(&bad_router, FROM_NADDR, "RIP version 0, cmd %d, packet received from %s", rip->rip_cmd, naddr_ntoa(FROM_NADDR)); return; } else if (rip->rip_vers > RIPv2) { rip->rip_vers = RIPv2; } if (cc > (int)OVER_MAXPACKETSIZE) { msglim(&bad_router, FROM_NADDR, "packet at least %d bytes too long received from %s", cc-MAXPACKETSIZE, naddr_ntoa(FROM_NADDR)); return; } n = rip->rip_nets; lim = (struct netinfo *)((char*)rip + cc); /* Notice authentication. * As required by section 4.2 in RFC 1723, discard authenticated * RIPv2 messages, but only if configured for that silliness. * * RIPv2 authentication is lame. Why authenticate queries? * Why should a RIPv2 implementation with authentication disabled * not be able to listen to RIPv2 packets with authentication, while * RIPv1 systems will listen? Crazy! */ if (!auth_ok && rip->rip_vers == RIPv2 && n < lim && n->n_family == RIP_AF_AUTH) { msglim(&use_auth, FROM_NADDR, "RIPv2 message with authentication from %s discarded", naddr_ntoa(FROM_NADDR)); return; } switch (rip->rip_cmd) { case RIPCMD_REQUEST: /* For mere requests, be a little sloppy about the source */ if (aifp == 0) aifp = sifp; /* Are we talking to ourself or a remote gateway? */ ifp1 = ifwithaddr(FROM_NADDR, 0, 1); if (ifp1) { if (ifp1->int_state & IS_REMOTE) { /* remote gateway */ aifp = ifp1; if (check_remote(aifp)) { aifp->int_act_time = now.tv_sec; (void)if_ok(aifp, "remote "); } } else if (from->sin_port == htons(RIP_PORT)) { trace_pkt(" discard our own RIP request"); return; } } /* did the request come from a router? */ if (from->sin_port == htons(RIP_PORT)) { /* yes, ignore the request if RIP is off so that * the router does not depend on us. */ if (rip_sock < 0 || (aifp != 0 && IS_RIP_OUT_OFF(aifp->int_state))) { trace_pkt(" discard request while RIP off"); return; } } /* According to RFC 1723, we should ignore unauthenticated * queries. That is too silly to bother with. Sheesh! * Are forwarding tables supposed to be secret, when * a bad guy can infer them with test traffic? When RIP * is still the most common router-discovery protocol * and so hosts need to send queries that will be answered? * What about `rtquery`? * Maybe on firewalls you'd care, but not enough to * give up the diagnostic facilities of remote probing. */ if (n >= lim) { msglim(&bad_len, FROM_NADDR, "empty request from %s", naddr_ntoa(FROM_NADDR)); return; } if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) { msglim(&bad_len, FROM_NADDR, "request of bad length (%d) from %s", cc, naddr_ntoa(FROM_NADDR)); } if (rip->rip_vers == RIPv2 && (aifp == 0 || (aifp->int_state & IS_NO_RIPV1_OUT))) { v12buf.buf->rip_vers = RIPv2; /* If we have a secret but it is a cleartext secret, * do not disclose our secret unless the other guy * already knows it. */ ap = find_auth(aifp); if (ap != 0 && ap->type == RIP_AUTH_PW && n->n_family == RIP_AF_AUTH && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth)) ap = 0; } else { v12buf.buf->rip_vers = RIPv1; ap = 0; } clr_ws_buf(&v12buf, ap); do { n->n_metric = ntohl(n->n_metric); /* A single entry with family RIP_AF_UNSPEC and * metric HOPCNT_INFINITY means "all routes". * We respond to routers only if we are acting * as a supplier, or to anyone other than a router * (i.e. a query). */ if (n->n_family == RIP_AF_UNSPEC && n->n_metric == HOPCNT_INFINITY) { /* Answer a query from a utility program * with all we know. */ if (from->sin_port != htons(RIP_PORT)) { supply(from, aifp, OUT_QUERY, 0, rip->rip_vers, ap != 0); return; } /* A router trying to prime its tables. * Filter the answer in the about same way * broadcasts are filtered. * * Only answer a router if we are a supplier * to keep an unwary host that is just starting * from picking us as a router. */ if (aifp == 0) { trace_pkt("ignore distant router"); return; } if (!supplier || IS_RIP_OFF(aifp->int_state)) { trace_pkt("ignore; not supplying"); return; } /* Do not answer a RIPv1 router if * we are sending RIPv2. But do offer * poor man's router discovery. */ if ((aifp->int_state & IS_NO_RIPV1_OUT) && rip->rip_vers == RIPv1) { if (!(aifp->int_state & IS_PM_RDISC)) { trace_pkt("ignore; sending RIPv2"); return; } v12buf.n->n_family = RIP_AF_INET; v12buf.n->n_dst = RIP_DEFAULT; i = aifp->int_d_metric; if (0 != (rt = rtget(RIP_DEFAULT, 0))) { j = (rt->rt_metric +aifp->int_metric +aifp->int_adj_outmetric +1); if (i > j) i = j; } v12buf.n->n_metric = htonl(i); v12buf.n++; break; } /* Respond with RIPv1 instead of RIPv2 if * that is what we are broadcasting on the * interface to keep the remote router from * getting the wrong initial idea of the * routes we send. */ supply(from, aifp, OUT_UNICAST, 0, (aifp->int_state & IS_NO_RIPV1_OUT) ? RIPv2 : RIPv1, ap != 0); return; } /* Ignore authentication */ if (n->n_family == RIP_AF_AUTH) continue; if (n->n_family != RIP_AF_INET) { msglim(&bad_router, FROM_NADDR, "request from %s for unsupported" " (af %d) %s", naddr_ntoa(FROM_NADDR), ntohs(n->n_family), naddr_ntoa(n->n_dst)); return; } /* We are being asked about a specific destination. */ dst = n->n_dst; if (!check_dst(dst)) { msglim(&bad_router, FROM_NADDR, "bad queried destination %s from %s", naddr_ntoa(dst), naddr_ntoa(FROM_NADDR)); return; } /* decide what mask was intended */ if (rip->rip_vers == RIPv1 || 0 == (mask = ntohl(n->n_mask)) || 0 != (ntohl(dst) & ~mask)) mask = ripv1_mask_host(dst, aifp); /* try to find the answer */ rt = rtget(dst, mask); if (!rt && dst != RIP_DEFAULT) rt = rtfind(n->n_dst); if (v12buf.buf->rip_vers != RIPv1) v12buf.n->n_mask = mask; if (rt == 0) { /* we do not have the answer */ v12buf.n->n_metric = HOPCNT_INFINITY; } else { /* we have the answer, so compute the * right metric and next hop. */ v12buf.n->n_family = RIP_AF_INET; v12buf.n->n_dst = dst; j = rt->rt_metric+1; if (!aifp) ++j; else j += (aifp->int_metric + aifp->int_adj_outmetric); if (j < HOPCNT_INFINITY) v12buf.n->n_metric = j; else v12buf.n->n_metric = HOPCNT_INFINITY; if (v12buf.buf->rip_vers != RIPv1) { v12buf.n->n_tag = rt->rt_tag; v12buf.n->n_mask = mask; if (aifp != 0 && on_net(rt->rt_gate, aifp->int_net, aifp->int_mask) && rt->rt_gate != aifp->int_addr) v12buf.n->n_nhop = rt->rt_gate; } } v12buf.n->n_metric = htonl(v12buf.n->n_metric); /* Stop paying attention if we fill the output buffer. */ if (++v12buf.n >= v12buf.lim) break; } while (++n < lim); /* Send the answer about specific routes. */ if (ap != 0 && ap->type == RIP_AUTH_MD5) end_md5_auth(&v12buf, ap); if (from->sin_port != htons(RIP_PORT)) { /* query */ (void)output(OUT_QUERY, from, aifp, v12buf.buf, ((char *)v12buf.n - (char*)v12buf.buf)); } else if (supplier) { (void)output(OUT_UNICAST, from, aifp, v12buf.buf, ((char *)v12buf.n - (char*)v12buf.buf)); } else { /* Only answer a router if we are a supplier * to keep an unwary host that is just starting * from picking us an a router. */ ; } return; case RIPCMD_TRACEON: case RIPCMD_TRACEOFF: /* Notice that trace messages are turned off for all possible * abuse if _PATH_TRACE is undefined in pathnames.h. * Notice also that because of the way the trace file is * handled in trace.c, no abuse is plausible even if * _PATH_TRACE_ is defined. * * First verify message came from a privileged port. */ if (ntohs(from->sin_port) > IPPORT_RESERVED) { msglog("trace command from untrusted port on %s", naddr_ntoa(FROM_NADDR)); return; } if (aifp == 0) { msglog("trace command from unknown router %s", naddr_ntoa(FROM_NADDR)); return; } if (rip->rip_cmd == RIPCMD_TRACEON) { rip->rip_tracefile[cc-4] = '\0'; #ifndef __NetBSD__ set_tracefile((char*)rip->rip_tracefile, "trace command: %s\n", 0); #else msglog("RIP_TRACEON for `%s' from %s ignored", (char *) rip->rip_tracefile, naddr_ntoa(FROM_NADDR)); #endif } else { #ifndef __NetBSD__ trace_off("tracing turned off by %s", naddr_ntoa(FROM_NADDR)); #else msglog("RIP_TRACEOFF from %s ignored", naddr_ntoa(FROM_NADDR)); #endif } return; case RIPCMD_RESPONSE: if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) { msglim(&bad_len, FROM_NADDR, "response of bad length (%d) from %s", cc, naddr_ntoa(FROM_NADDR)); } /* verify message came from a router */ if (from->sin_port != ntohs(RIP_PORT)) { msglim(&bad_router, FROM_NADDR, " discard RIP response from unknown port" " %d on %s", ntohs(from->sin_port), naddr_ntoa(FROM_NADDR)); return; } if (rip_sock < 0) { trace_pkt(" discard response while RIP off"); return; } /* Are we talking to ourself or a remote gateway? */ ifp1 = ifwithaddr(FROM_NADDR, 0, 1); if (ifp1) { if (ifp1->int_state & IS_REMOTE) { /* remote gateway */ aifp = ifp1; if (check_remote(aifp)) { aifp->int_act_time = now.tv_sec; (void)if_ok(aifp, "remote "); } } else { trace_pkt(" discard our own RIP response"); return; } } /* Accept routing packets from routers directly connected * via broadcast or point-to-point networks, and from * those listed in /etc/gateways. */ if (aifp == 0) { msglim(&unk_router, FROM_NADDR, " discard response from %s" " via unexpected interface", naddr_ntoa(FROM_NADDR)); return; } if (IS_RIP_IN_OFF(aifp->int_state)) { trace_pkt(" discard RIPv%d response" " via disabled interface %s", rip->rip_vers, aifp->int_name); return; } if (n >= lim) { msglim(&bad_len, FROM_NADDR, "empty response from %s", naddr_ntoa(FROM_NADDR)); return; } if (((aifp->int_state & IS_NO_RIPV1_IN) && rip->rip_vers == RIPv1) || ((aifp->int_state & IS_NO_RIPV2_IN) && rip->rip_vers != RIPv1)) { trace_pkt(" discard RIPv%d response", rip->rip_vers); return; } /* Ignore routes via dead interface. */ if (aifp->int_state & IS_BROKE) { trace_pkt("discard response via broken interface %s", aifp->int_name); return; } /* If the interface cares, ignore bad routers. * Trace but do not log this problem, because where it * happens, it happens frequently. */ if (aifp->int_state & IS_DISTRUST) { tg = tgates; while (tg->tgate_addr != FROM_NADDR) { tg = tg->tgate_next; if (tg == 0) { trace_pkt(" discard RIP response" " from untrusted router %s", naddr_ntoa(FROM_NADDR)); return; } } } /* Authenticate the packet if we have a secret. * If we do not have any secrets, ignore the error in * RFC 1723 and accept it regardless. */ if (aifp->int_auth[0].type != RIP_AUTH_NONE && rip->rip_vers != RIPv1 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth)) return; do { if (n->n_family == RIP_AF_AUTH) continue; n->n_metric = ntohl(n->n_metric); dst = n->n_dst; if (n->n_family != RIP_AF_INET && (n->n_family != RIP_AF_UNSPEC || dst != RIP_DEFAULT)) { msglim(&bad_router, FROM_NADDR, "route from %s to unsupported" " address family=%d destination=%s", naddr_ntoa(FROM_NADDR), n->n_family, naddr_ntoa(dst)); continue; } if (!check_dst(dst)) { msglim(&bad_router, FROM_NADDR, "bad destination %s from %s", naddr_ntoa(dst), naddr_ntoa(FROM_NADDR)); return; } if (n->n_metric == 0 || n->n_metric > HOPCNT_INFINITY) { msglim(&bad_router, FROM_NADDR, "bad metric %d from %s" " for destination %s", n->n_metric, naddr_ntoa(FROM_NADDR), naddr_ntoa(dst)); return; } /* Notice the next-hop. */ gate = FROM_NADDR; if (n->n_nhop != 0) { if (rip->rip_vers == RIPv1) { n->n_nhop = 0; } else { /* Use it only if it is valid. */ if (on_net(n->n_nhop, aifp->int_net, aifp->int_mask) && check_dst(n->n_nhop)) { gate = n->n_nhop; } else { msglim(&bad_nhop, FROM_NADDR, "router %s to %s" " has bad next hop %s", naddr_ntoa(FROM_NADDR), naddr_ntoa(dst), naddr_ntoa(n->n_nhop)); n->n_nhop = 0; } } } if (rip->rip_vers == RIPv1 || 0 == (mask = ntohl(n->n_mask))) { mask = ripv1_mask_host(dst,aifp); } else if ((ntohl(dst) & ~mask) != 0) { msglim(&bad_mask, FROM_NADDR, "router %s sent bad netmask" " %#lx with %s", naddr_ntoa(FROM_NADDR), (u_long)mask, naddr_ntoa(dst)); continue; } if (rip->rip_vers == RIPv1) n->n_tag = 0; /* Adjust metric according to incoming interface.. */ n->n_metric += (aifp->int_metric + aifp->int_adj_inmetric); if (n->n_metric > HOPCNT_INFINITY) n->n_metric = HOPCNT_INFINITY; /* Should we trust this route from this router? */ if (tg && (tn = tg->tgate_nets)->mask != 0) { for (i = 0; i < MAX_TGATE_NETS; i++, tn++) { if (on_net(dst, tn->net, tn->mask) && tn->mask <= mask) break; } if (i >= MAX_TGATE_NETS || tn->mask == 0) { trace_pkt(" ignored unauthorized %s", addrname(dst,mask,0)); continue; } } /* Recognize and ignore a default route we faked * which is being sent back to us by a machine with * broken split-horizon. * Be a little more paranoid than that, and reject * default routes with the same metric we advertised. */ if (aifp->int_d_metric != 0 && dst == RIP_DEFAULT && (int)n->n_metric >= aifp->int_d_metric) continue; /* We can receive aggregated RIPv2 routes that must * be broken down before they are transmitted by * RIPv1 via an interface on a subnet. * We might also receive the same routes aggregated * via other RIPv2 interfaces. * This could cause duplicate routes to be sent on * the RIPv1 interfaces. "Longest matching variable * length netmasks" lets RIPv2 listeners understand, * but breaking down the aggregated routes for RIPv1 * listeners can produce duplicate routes. * * Breaking down aggregated routes here bloats * the daemon table, but does not hurt the kernel * table, since routes are always aggregated for * the kernel. * * Notice that this does not break down network * routes corresponding to subnets. This is part * of the defense against RS_NET_SYN. */ if (have_ripv1_out && (((rt = rtget(dst,mask)) == 0 || !(rt->rt_state & RS_NET_SYN))) && (v1_mask = ripv1_mask_net(dst,0)) > mask) { ddst_h = v1_mask & -v1_mask; i = (v1_mask & ~mask)/ddst_h; if (i >= 511) { /* Punt if we would have to generate * an unreasonable number of routes. */ if (TRACECONTENTS) trace_misc("accept %s-->%s as 1" " instead of %d routes", addrname(dst,mask,0), naddr_ntoa(FROM_NADDR), i+1); i = 0; } else { mask = v1_mask; } } else { i = 0; } new.rts_gate = gate; new.rts_router = FROM_NADDR; new.rts_metric = n->n_metric; new.rts_tag = n->n_tag; new.rts_time = now.tv_sec; new.rts_ifp = aifp; new.rts_de_ag = i; j = 0; for (;;) { input_route(dst, mask, &new, n); if (++j > i) break; dst = ntohl(dst) + ddst_h; dst = htonl(dst); } } while (++n < lim); break; } #undef FROM_NADDR } /* Process a single input route. */ static void input_route(naddr dst, /* network order */ naddr mask, struct rt_spare *new, struct netinfo *n) { int i; struct rt_entry *rt; struct rt_spare *rts, *rts0; struct interface *ifp1; /* See if the other guy is telling us to send our packets to him. * Sometimes network routes arrive over a point-to-point link for * the network containing the address(es) of the link. * * If our interface is broken, switch to using the other guy. */ ifp1 = ifwithaddr(dst, 1, 1); if (ifp1 != 0 && (!(ifp1->int_state & IS_BROKE) || (ifp1->int_state & IS_PASSIVE))) return; /* Look for the route in our table. */ rt = rtget(dst, mask); /* Consider adding the route if we do not already have it. */ if (rt == 0) { /* Ignore unknown routes being poisoned. */ if (new->rts_metric == HOPCNT_INFINITY) return; /* Ignore the route if it points to us */ if (n->n_nhop != 0 && 0 != ifwithaddr(n->n_nhop, 1, 0)) return; /* If something has not gone crazy and tried to fill * our memory, accept the new route. */ if (total_routes < MAX_ROUTES) rtadd(dst, mask, 0, new); return; } /* We already know about the route. Consider this update. * * If (rt->rt_state & RS_NET_SYN), then this route * is the same as a network route we have inferred * for subnets we know, in order to tell RIPv1 routers * about the subnets. * * It is impossible to tell if the route is coming * from a distant RIPv2 router with the standard * netmask because that router knows about the entire * network, or if it is a round-about echo of a * synthetic, RIPv1 network route of our own. * The worst is that both kinds of routes might be * received, and the bad one might have the smaller * metric. Partly solve this problem by never * aggregating into such a route. Also keep it * around as long as the interface exists. */ rts0 = rt->rt_spares; for (rts = rts0, i = NUM_SPARES; i != 0; i--, rts++) { if (rts->rts_router == new->rts_router) break; /* Note the worst slot to reuse, * other than the current slot. */ if (rts0 == rt->rt_spares || BETTER_LINK(rt, rts0, rts)) rts0 = rts; } if (i != 0) { /* Found a route from the router already in the table. */ /* If the new route is a route broken down from an * aggregated route, and if the previous route is either * not a broken down route or was broken down from a finer * netmask, and if the previous route is current, * then forget this one. */ if (new->rts_de_ag > rts->rts_de_ag && now_stale <= rts->rts_time) return; /* Keep poisoned routes around only long enough to pass * the poison on. Use a new timestamp for good routes. */ if (rts->rts_metric == HOPCNT_INFINITY && new->rts_metric == HOPCNT_INFINITY) new->rts_time = rts->rts_time; /* If this is an update for the router we currently prefer, * then note it. */ if (i == NUM_SPARES) { rtchange(rt, rt->rt_state, new, 0); /* If the route got worse, check for something better. */ if (new->rts_metric > rts->rts_metric) rtswitch(rt, 0); return; } /* This is an update for a spare route. * Finished if the route is unchanged. */ if (rts->rts_gate == new->rts_gate && rts->rts_metric == new->rts_metric && rts->rts_tag == new->rts_tag) { trace_upslot(rt, rts, new); *rts = *new; return; } /* Forget it if it has gone bad. */ if (new->rts_metric == HOPCNT_INFINITY) { rts_delete(rt, rts); return; } } else { /* The update is for a route we know about, * but not from a familiar router. * * Ignore the route if it points to us. */ if (n->n_nhop != 0 && 0 != ifwithaddr(n->n_nhop, 1, 0)) return; /* the loop above set rts0=worst spare */ rts = rts0; /* Save the route as a spare only if it has * a better metric than our worst spare. * This also ignores poisoned routes (those * received with metric HOPCNT_INFINITY). */ if (new->rts_metric >= rts->rts_metric) return; } trace_upslot(rt, rts, new); *rts = *new; /* try to switch to a better route */ rtswitch(rt, rts); } static int /* 0 if bad */ ck_passwd(struct interface *aifp, struct rip *rip, void *lim, naddr from, struct msg_limit *use_authp) { # define NA (rip->rip_auths) struct netauth *na2; struct auth *ap; MD5_CTX md5_ctx; u_char hash[RIP_AUTH_PW_LEN]; int i, len; if ((void *)NA >= lim || NA->a_family != RIP_AF_AUTH) { msglim(use_authp, from, "missing password from %s", naddr_ntoa(from)); return 0; } /* accept any current (+/- 24 hours) password */ for (ap = aifp->int_auth, i = 0; i < MAX_AUTH_KEYS; i++, ap++) { if (ap->type != NA->a_type || (u_long)ap->start > (u_long)clk.tv_sec+DAY || (u_long)ap->end+DAY < (u_long)clk.tv_sec) continue; if (NA->a_type == RIP_AUTH_PW) { if (!memcmp(NA->au.au_pw, ap->key, RIP_AUTH_PW_LEN)) return 1; } else { /* accept MD5 secret with the right key ID */ if (NA->au.a_md5.md5_keyid != ap->keyid) continue; len = ntohs(NA->au.a_md5.md5_pkt_len); if ((len-sizeof(*rip)) % sizeof(*NA) != 0 || len != (char *)lim-(char*)rip-(int)sizeof(*NA)) { msglim(use_authp, from, "wrong MD5 RIPv2 packet length of %d" " instead of %d from %s", len, (int)((char *)lim-(char *)rip -sizeof(*NA)), naddr_ntoa(from)); return 0; } na2 = (struct netauth *)((char *)rip+len); /* Given a good hash value, these are not security * problems so be generous and accept the routes, * after complaining. */ if (TRACEPACKETS) { if (NA->au.a_md5.md5_auth_len != RIP_AUTH_MD5_HASH_LEN) msglim(use_authp, from, "unknown MD5 RIPv2 auth len %#x" " instead of %#lx from %s", NA->au.a_md5.md5_auth_len, (unsigned long) RIP_AUTH_MD5_HASH_LEN, naddr_ntoa(from)); if (na2->a_family != RIP_AF_AUTH) msglim(use_authp, from, "unknown MD5 RIPv2 family %#x" " instead of %#x from %s", na2->a_family, RIP_AF_AUTH, naddr_ntoa(from)); if (na2->a_type != ntohs(1)) msglim(use_authp, from, "MD5 RIPv2 hash has %#x" " instead of %#x from %s", na2->a_type, ntohs(1), naddr_ntoa(from)); } MD5Init(&md5_ctx); MD5Update(&md5_ctx, (u_char *)rip, len + RIP_AUTH_MD5_HASH_XTRA); MD5Update(&md5_ctx, ap->key, RIP_AUTH_MD5_KEY_LEN); MD5Final(hash, &md5_ctx); if (!memcmp(hash, na2->au.au_pw, sizeof(hash))) return 1; } } msglim(use_authp, from, "bad password from %s", naddr_ntoa(from)); return 0; #undef NA }