diff --git a/lib/libwrap/fix_options.c b/lib/libwrap/fix_options.c index ea068028da60..91d111d7edb2 100644 --- a/lib/libwrap/fix_options.c +++ b/lib/libwrap/fix_options.c @@ -1,8 +1,8 @@ -/* $NetBSD: fix_options.c,v 1.3 1997/10/09 21:20:26 christos Exp $ */ +/* $NetBSD: fix_options.c,v 1.4 1999/08/27 16:06:17 itojun Exp $ */ /* * Routine to disable IP-level socket options. This code was taken from 4.4BSD - * rlogind source, but all mistakes in it are my fault. + * rlogind and kernel source, but all mistakes in it are my fault. * * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands. */ @@ -10,9 +10,9 @@ #include #ifndef lint #if 0 -static char sccsid[] = "@(#) fix_options.c 1.3 94/12/28 17:42:22"; +static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19"; #else -__RCSID("$NetBSD: fix_options.c,v 1.3 1997/10/09 21:20:26 christos Exp $"); +__RCSID("$NetBSD: fix_options.c,v 1.4 1999/08/27 16:06:17 itojun Exp $"); #endif #endif @@ -20,13 +20,23 @@ __RCSID("$NetBSD: fix_options.c,v 1.3 1997/10/09 21:20:26 christos Exp $"); #include #include #include +#include +#include #include #include #include #include #include + +#ifndef IPOPT_OPTVAL +#define IPOPT_OPTVAL 0 +#define IPOPT_OLEN 1 +#endif + #include "tcpd.h" +#define BUFFER_SIZE 512 /* Was: BUFSIZ */ + /* fix_options - get rid of IP-level socket options */ void @@ -34,12 +44,15 @@ fix_options(request) struct request_info *request; { #ifdef IP_OPTIONS - unsigned char optbuf[BUFSIZ / 3], *cp; - char lbuf[BUFSIZ], *lp; + unsigned char optbuf[BUFFER_SIZE / 3], *cp; + char lbuf[BUFFER_SIZE], *lp; int optsize = sizeof(optbuf), ipproto; struct protoent *ip; int fd = request->fd; int len = sizeof lbuf; + unsigned int opt; + int optlen; + struct in_addr dummy; if ((ip = getprotobyname("ip")) != 0) ipproto = ip->p_proto; @@ -48,6 +61,51 @@ struct request_info *request; if (getsockopt(fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0 && optsize != 0) { + + /* + * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination + * address to the result IP options list when source routing options + * are present (see ), but produces no output for + * other IP options. Solaris 2.x getsockopt() does produce output for + * non-routing IP options, and uses the same format as BSD even when + * the space for the destination address is unused. The code below + * does the right thing with 4.[34]BSD derivatives and Solaris 2, but + * may occasionally miss source routing options on incompatible + * systems such as Linux. Their choice. + * + * Look for source routing options. Drop the connection when one is + * found. Just wiping the IP options is insufficient: we would still + * help the attacker by providing a real TCP sequence number, and the + * attacker would still be able to send packets (blind spoofing). I + * discussed this attack with Niels Provos, half a year before the + * attack was described in open mailing lists. + * + * It would be cleaner to just return a yes/no reply and let the caller + * decide how to deal with it. Resident servers should not terminate. + * However I am not prepared to make changes to internal interfaces + * on short notice. + */ +#define ADDR_LEN sizeof(dummy.s_addr) + + for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) { + opt = cp[IPOPT_OPTVAL]; + if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) { + syslog(LOG_WARNING, + "refused connect from %s with IP source routing options", + eval_client(request)); + shutdown(fd, 2); + return; + } + if (opt == IPOPT_EOL) + break; + if (opt == IPOPT_NOP) { + optlen = 1; + } else { + optlen = cp[IPOPT_OLEN]; + if (optlen <= 0) /* Do not loop! */ + break; + } + } lp = lbuf; for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3) len -= snprintf(lp, len, " %2.2x", *cp); @@ -56,7 +114,7 @@ struct request_info *request; eval_client(request), lbuf); if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) { syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m"); - clean_exit(request); + shutdown(fd, 2); } } #endif diff --git a/lib/libwrap/hosts_access.c b/lib/libwrap/hosts_access.c index f3b2cc764561..f6725a73a5bb 100644 --- a/lib/libwrap/hosts_access.c +++ b/lib/libwrap/hosts_access.c @@ -1,4 +1,4 @@ -/* $NetBSD: hosts_access.c,v 1.8 1999/07/03 12:30:41 simonb Exp $ */ +/* $NetBSD: hosts_access.c,v 1.9 1999/08/27 16:06:17 itojun Exp $ */ /* * This module implements a simple access control language that is based on @@ -22,9 +22,9 @@ #include #ifndef lint #if 0 -static char sccsid[] = "@(#) hosts_access.c 1.20 96/02/11 17:01:27"; +static char sccsid[] = "@(#) hosts_access.c 1.21 97/02/12 02:13:22"; #else -__RCSID("$NetBSD: hosts_access.c,v 1.8 1999/07/03 12:30:41 simonb Exp $"); +__RCSID("$NetBSD: hosts_access.c,v 1.9 1999/08/27 16:06:17 itojun Exp $"); #endif #endif @@ -125,7 +125,8 @@ struct request_info *request; if (resident <= 0) resident++; - if ((verdict = setjmp(tcpd_buf)) != 0) + verdict = setjmp(tcpd_buf); + if (verdict != 0) return (verdict == AC_PERMIT); if (table_match(hosts_allow_table, request)) return (YES); diff --git a/lib/libwrap/socket.c b/lib/libwrap/socket.c index 097ad09eff7c..a69a6518ce82 100644 --- a/lib/libwrap/socket.c +++ b/lib/libwrap/socket.c @@ -1,4 +1,4 @@ -/* $NetBSD: socket.c,v 1.5 1999/07/03 12:30:42 simonb Exp $ */ +/* $NetBSD: socket.c,v 1.6 1999/08/27 16:06:17 itojun Exp $ */ /* * This module determines the type of socket (datagram, stream), the client @@ -20,9 +20,9 @@ #include #ifndef lint #if 0 -static char sccsid[] = "@(#) socket.c 1.14 95/01/30 19:51:50"; +static char sccsid[] = "@(#) socket.c 1.15 97/03/21 19:27:24"; #else -__RCSID("$NetBSD: socket.c,v 1.5 1999/07/03 12:30:42 simonb Exp $"); +__RCSID("$NetBSD: socket.c,v 1.6 1999/08/27 16:06:17 itojun Exp $"); #endif #endif @@ -192,8 +192,8 @@ struct host_info *host; * problem. It could also be that someone is trying to spoof us. */ - tcpd_warn("host name/name mismatch: %s != %s", - host->name, hp->h_name); + tcpd_warn("host name/name mismatch: %s != %.*s", + host->name, STRING_LENGTH, hp->h_name); } else { @@ -217,8 +217,8 @@ struct host_info *host; * server. */ - tcpd_warn("host name/address mismatch: %s != %s", - inet_ntoa(sin->sin_addr), hp->h_name); + tcpd_warn("host name/address mismatch: %s != %.*s", + inet_ntoa(sin->sin_addr), STRING_LENGTH, hp->h_name); } /* name is bad, clobber it */ (void)strncpy(host->name, paranoid, sizeof(host->name) - 1);