resolve conflicts on upgrade (to 7.6).
This commit is contained in:
parent
fa8f6ba80b
commit
b98c263379
|
@ -1,8 +1,8 @@
|
|||
/* $NetBSD: fix_options.c,v 1.3 1997/10/09 21:20:26 christos Exp $ */
|
||||
/* $NetBSD: fix_options.c,v 1.4 1999/08/27 16:06:17 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* Routine to disable IP-level socket options. This code was taken from 4.4BSD
|
||||
* rlogind source, but all mistakes in it are my fault.
|
||||
* rlogind and kernel source, but all mistakes in it are my fault.
|
||||
*
|
||||
* Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
|
||||
*/
|
||||
|
@ -10,9 +10,9 @@
|
|||
#include <sys/cdefs.h>
|
||||
#ifndef lint
|
||||
#if 0
|
||||
static char sccsid[] = "@(#) fix_options.c 1.3 94/12/28 17:42:22";
|
||||
static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19";
|
||||
#else
|
||||
__RCSID("$NetBSD: fix_options.c,v 1.3 1997/10/09 21:20:26 christos Exp $");
|
||||
__RCSID("$NetBSD: fix_options.c,v 1.4 1999/08/27 16:06:17 itojun Exp $");
|
||||
#endif
|
||||
#endif
|
||||
|
||||
|
@ -20,13 +20,23 @@ __RCSID("$NetBSD: fix_options.c,v 1.3 1997/10/09 21:20:26 christos Exp $");
|
|||
#include <sys/param.h>
|
||||
#include <sys/socket.h>
|
||||
#include <netinet/in.h>
|
||||
#include <netinet/in_systm.h>
|
||||
#include <netinet/ip.h>
|
||||
#include <netdb.h>
|
||||
#include <stdio.h>
|
||||
#include <syslog.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#ifndef IPOPT_OPTVAL
|
||||
#define IPOPT_OPTVAL 0
|
||||
#define IPOPT_OLEN 1
|
||||
#endif
|
||||
|
||||
#include "tcpd.h"
|
||||
|
||||
#define BUFFER_SIZE 512 /* Was: BUFSIZ */
|
||||
|
||||
/* fix_options - get rid of IP-level socket options */
|
||||
|
||||
void
|
||||
|
@ -34,12 +44,15 @@ fix_options(request)
|
|||
struct request_info *request;
|
||||
{
|
||||
#ifdef IP_OPTIONS
|
||||
unsigned char optbuf[BUFSIZ / 3], *cp;
|
||||
char lbuf[BUFSIZ], *lp;
|
||||
unsigned char optbuf[BUFFER_SIZE / 3], *cp;
|
||||
char lbuf[BUFFER_SIZE], *lp;
|
||||
int optsize = sizeof(optbuf), ipproto;
|
||||
struct protoent *ip;
|
||||
int fd = request->fd;
|
||||
int len = sizeof lbuf;
|
||||
unsigned int opt;
|
||||
int optlen;
|
||||
struct in_addr dummy;
|
||||
|
||||
if ((ip = getprotobyname("ip")) != 0)
|
||||
ipproto = ip->p_proto;
|
||||
|
@ -48,6 +61,51 @@ struct request_info *request;
|
|||
|
||||
if (getsockopt(fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0
|
||||
&& optsize != 0) {
|
||||
|
||||
/*
|
||||
* Horror! 4.[34] BSD getsockopt() prepends the first-hop destination
|
||||
* address to the result IP options list when source routing options
|
||||
* are present (see <netinet/ip_var.h>), but produces no output for
|
||||
* other IP options. Solaris 2.x getsockopt() does produce output for
|
||||
* non-routing IP options, and uses the same format as BSD even when
|
||||
* the space for the destination address is unused. The code below
|
||||
* does the right thing with 4.[34]BSD derivatives and Solaris 2, but
|
||||
* may occasionally miss source routing options on incompatible
|
||||
* systems such as Linux. Their choice.
|
||||
*
|
||||
* Look for source routing options. Drop the connection when one is
|
||||
* found. Just wiping the IP options is insufficient: we would still
|
||||
* help the attacker by providing a real TCP sequence number, and the
|
||||
* attacker would still be able to send packets (blind spoofing). I
|
||||
* discussed this attack with Niels Provos, half a year before the
|
||||
* attack was described in open mailing lists.
|
||||
*
|
||||
* It would be cleaner to just return a yes/no reply and let the caller
|
||||
* decide how to deal with it. Resident servers should not terminate.
|
||||
* However I am not prepared to make changes to internal interfaces
|
||||
* on short notice.
|
||||
*/
|
||||
#define ADDR_LEN sizeof(dummy.s_addr)
|
||||
|
||||
for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) {
|
||||
opt = cp[IPOPT_OPTVAL];
|
||||
if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
|
||||
syslog(LOG_WARNING,
|
||||
"refused connect from %s with IP source routing options",
|
||||
eval_client(request));
|
||||
shutdown(fd, 2);
|
||||
return;
|
||||
}
|
||||
if (opt == IPOPT_EOL)
|
||||
break;
|
||||
if (opt == IPOPT_NOP) {
|
||||
optlen = 1;
|
||||
} else {
|
||||
optlen = cp[IPOPT_OLEN];
|
||||
if (optlen <= 0) /* Do not loop! */
|
||||
break;
|
||||
}
|
||||
}
|
||||
lp = lbuf;
|
||||
for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
|
||||
len -= snprintf(lp, len, " %2.2x", *cp);
|
||||
|
@ -56,7 +114,7 @@ struct request_info *request;
|
|||
eval_client(request), lbuf);
|
||||
if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) {
|
||||
syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
|
||||
clean_exit(request);
|
||||
shutdown(fd, 2);
|
||||
}
|
||||
}
|
||||
#endif
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: hosts_access.c,v 1.8 1999/07/03 12:30:41 simonb Exp $ */
|
||||
/* $NetBSD: hosts_access.c,v 1.9 1999/08/27 16:06:17 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* This module implements a simple access control language that is based on
|
||||
|
@ -22,9 +22,9 @@
|
|||
#include <sys/cdefs.h>
|
||||
#ifndef lint
|
||||
#if 0
|
||||
static char sccsid[] = "@(#) hosts_access.c 1.20 96/02/11 17:01:27";
|
||||
static char sccsid[] = "@(#) hosts_access.c 1.21 97/02/12 02:13:22";
|
||||
#else
|
||||
__RCSID("$NetBSD: hosts_access.c,v 1.8 1999/07/03 12:30:41 simonb Exp $");
|
||||
__RCSID("$NetBSD: hosts_access.c,v 1.9 1999/08/27 16:06:17 itojun Exp $");
|
||||
#endif
|
||||
#endif
|
||||
|
||||
|
@ -125,7 +125,8 @@ struct request_info *request;
|
|||
|
||||
if (resident <= 0)
|
||||
resident++;
|
||||
if ((verdict = setjmp(tcpd_buf)) != 0)
|
||||
verdict = setjmp(tcpd_buf);
|
||||
if (verdict != 0)
|
||||
return (verdict == AC_PERMIT);
|
||||
if (table_match(hosts_allow_table, request))
|
||||
return (YES);
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/* $NetBSD: socket.c,v 1.5 1999/07/03 12:30:42 simonb Exp $ */
|
||||
/* $NetBSD: socket.c,v 1.6 1999/08/27 16:06:17 itojun Exp $ */
|
||||
|
||||
/*
|
||||
* This module determines the type of socket (datagram, stream), the client
|
||||
|
@ -20,9 +20,9 @@
|
|||
#include <sys/cdefs.h>
|
||||
#ifndef lint
|
||||
#if 0
|
||||
static char sccsid[] = "@(#) socket.c 1.14 95/01/30 19:51:50";
|
||||
static char sccsid[] = "@(#) socket.c 1.15 97/03/21 19:27:24";
|
||||
#else
|
||||
__RCSID("$NetBSD: socket.c,v 1.5 1999/07/03 12:30:42 simonb Exp $");
|
||||
__RCSID("$NetBSD: socket.c,v 1.6 1999/08/27 16:06:17 itojun Exp $");
|
||||
#endif
|
||||
#endif
|
||||
|
||||
|
@ -192,8 +192,8 @@ struct host_info *host;
|
|||
* problem. It could also be that someone is trying to spoof us.
|
||||
*/
|
||||
|
||||
tcpd_warn("host name/name mismatch: %s != %s",
|
||||
host->name, hp->h_name);
|
||||
tcpd_warn("host name/name mismatch: %s != %.*s",
|
||||
host->name, STRING_LENGTH, hp->h_name);
|
||||
|
||||
} else {
|
||||
|
||||
|
@ -217,8 +217,8 @@ struct host_info *host;
|
|||
* server.
|
||||
*/
|
||||
|
||||
tcpd_warn("host name/address mismatch: %s != %s",
|
||||
inet_ntoa(sin->sin_addr), hp->h_name);
|
||||
tcpd_warn("host name/address mismatch: %s != %.*s",
|
||||
inet_ntoa(sin->sin_addr), STRING_LENGTH, hp->h_name);
|
||||
}
|
||||
/* name is bad, clobber it */
|
||||
(void)strncpy(host->name, paranoid, sizeof(host->name) - 1);
|
||||
|
|
Loading…
Reference in New Issue