author | hrs <hrs@FreeBSD.org> | 2014-10-09 23:49:36 +0000 |
---|---|---|
committer | hrs <hrs@FreeBSD.org> | 2014-10-09 23:49:36 +0000 |
commit | 33c910e72dc927eebc9a7c0b595cc31d760a5eb0 (patch) | |
tree | 44db05e339de9639304fb44a8b52aa71e34698f9 | |
parent | c1d2c479c7805e938cfe55e0f60b72e02c14c4d8 (diff) | |
MFC r271919:
Fix a bug which could make routed(8) daemon exit by sending a special RIP
query from a remote machine, and disable accepting it by default. This
requests that a routed(8) daemon dump its routing information base for debugging
purposes. An -i flag to enable it has been added.
-rw-r--r-- | sbin/routed/defs.h | 1 | ||||
-rw-r--r-- | sbin/routed/input.c | 15 | ||||
-rw-r--r-- | sbin/routed/main.c | 6 | ||||
-rw-r--r-- | sbin/routed/output.c | 2 | ||||
-rw-r--r-- | sbin/routed/routed.8 | 18 |
5 files changed, 35 insertions, 7 deletions
diff --git a/sbin/routed/defs.h b/sbin/routed/defs.h
index c42cd80..a31d6f5 100644
--- a/sbin/routed/defs.h
+++ b/sbin/routed/defs.h
@@ -462,6 +462,7 @@
 extern int ridhosts;		/* 1=reduce host routes */
 extern int mhome;		/* 1=want multi-homed host route */
 extern int advertise_mhome;	/* 1=must continue advertising it */
 extern int auth_ok;		/* 1=ignore auth if we do not care */
+extern int insecure;		/* Reply to special queries or not */
 extern struct timeval clk;	/* system clock's idea of time */
 extern struct timeval epoch;	/* system clock when started */
diff --git a/sbin/routed/input.c b/sbin/routed/input.c
index 8f8eefc..901c4f3 100644
--- a/sbin/routed/input.c
+++ b/sbin/routed/input.c
@@ -289,8 +289,19 @@ input(struct sockaddr_in *from,	/* received from this IP address */
 	 * with all we know.
 	 */
 	if (from->sin_port != htons(RIP_PORT)) {
-		supply(from, aifp, OUT_QUERY, 0,
-		       rip->rip_vers, ap != 0);
+		/*
+		 * insecure: query from non-router node
+		 *   > 1: allow from distant node
+		 *   > 0: allow from neighbor node
+		 *  == 0: deny
+		 */
+		if ((aifp != NULL && insecure > 0) ||
+		    (aifp == NULL && insecure > 1))
+			supply(from, aifp, OUT_QUERY, 0,
+			       rip->rip_vers, ap != 0);
+		else
+			trace_pkt("Warning: "
+				  "possible attack detected");
 		return;
 	}
diff --git a/sbin/routed/main.c b/sbin/routed/main.c
index 1658d2e..5ebd7ec 100644
--- a/sbin/routed/main.c
+++ b/sbin/routed/main.c
@@ -68,6 +68,7 @@
 int	ridhosts;			/* 1=reduce host routes */
 int	mhome;				/* 1=want multi-homed host route */
 int	advertise_mhome;		/* 1=must continue advertising it */
 int	auth_ok = 1;			/* 1=ignore auth if we do not care */
+int	insecure;			/* Reply to special queries or not */
 struct timeval epoch;			/* when started */
 struct timeval clk;
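Review bot: The comment on the new `insecure` declaration, `Reply to special queries or not`, reads as a boolean, but the variable is a count whose three levels (0, 1, 2) are only explained by the block comment inside input() in the input.c hunk; the same boolean-sounding comment is repeated on the definition in the main.c hunk at line 68, and the `case 'i': insecure++;` branch in main() gives no hint either. A reader of the header should not have to find the input.c comment to learn what `-i` versus `-ii` means. I would document the levels at the declaration, `extern int insecure;		/* 0=ignore RIP queries from non-routers, 1=answer neighbors only, 2=answer any host */`, and use the same text on the main.c definition.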
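Review bot: The new else branch traces `Warning: possible attack detected` without the sender's address, so an operator reading the trace has nothing to act on, and the wording labels every query from a non-router host as an attack even though that is exactly what the rtquery(8) utility named in the manual page sends. I would record the source and the reason the query was dropped instead, e.g. `trace_pkt("ignoring RIP query from non-router %s (enable with -i)", naddr_ntoa(from->sin_addr.s_addr));`, assuming trace_pkt() accepts a printf-style format and naddr_ntoa() is in scope here as elsewhere in routed. The distinction between a neighbor and a distant node rests entirely on whether aifp is NULL, which is computed before this hunk; a short comment naming where aifp comes from would make the check reviewable in isolation. input() begins and ends outside the hunk.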
@@ -136,8 +137,11 @@ main(int argc,
 	(void)gethostname(myname, sizeof(myname)-1);
 	(void)gethost(myname, &myaddr);
-	while ((n = getopt(argc, argv, "sqdghmAtvT:F:P:")) != -1) {
+	while ((n = getopt(argc, argv, "isqdghmAtvT:F:P:")) != -1) {
 		switch (n) {
+		case 'i':
+			insecure++;
+			break;
 		case 's':
 			supplier = 1;
 			supplier_set = 1;
diff --git a/sbin/routed/output.c b/sbin/routed/output.c
index 53eb4a5..c2ed468 100644
--- a/sbin/routed/output.c
+++ b/sbin/routed/output.c
@@ -673,8 +673,6 @@ supply(struct sockaddr_in *dst,
 	struct rt_entry *rt;
 	int def_metric;
-	assert(ifp != NULL);
-
 	ws.state = 0;
 	ws.gen_limit = 1024;
diff --git a/sbin/routed/routed.8 b/sbin/routed/routed.8
index 2f8a021..dfe39d0 100644
--- a/sbin/routed/routed.8
+++ b/sbin/routed/routed.8
@@ -30,7 +30,7 @@
 .\" @(#)routed.8	8.2 (Berkeley) 12/11/93
 .\" $FreeBSD$
 .\"
-.Dd June 1, 1996
+.Dd August 26, 2014
 .Dt ROUTED 8
 .Os
 .Sh NAME
@@ -39,7 +39,7 @@
 .Nd network RIP and router discovery routing daemon
 .Sh SYNOPSIS
 .Nm
-.Op Fl sqdghmpAtv
+.Op Fl isqdghmpAtv
 .Op Fl T Ar tracefile
 .Oo
 .Fl F
@@ -250,6 +250,20 @@ to infer the netmask used by the remote system when RIPv1 is used.
 .Pp
 The following options are available:
 .Bl -tag -width indent
+.It Fl i
+allow
+.Nm
+to accept a RIP request from non-router node.
+When specified once,
+.Nm
+replies to a route information query from neighbor nodes.
+When specified twice,
+it replies to a query from remote nodes in addition.
+.Xr rtquery 8
+utility can be used to send a request.
+.Pp
+This feature is disabled by default because of a risk of reflection attack
+though it useful for debugging purpose,
 .It Fl s
 force
 .Nm |
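Review bot: Removing `assert(ifp != NULL)` from supply() takes away the only visible guard on a NULL interface and the hunk adds nothing in its place; the input.c change keeps NULL-aifp queries out of supply() only at the default setting, so once `-i` is given twice supply() is again entered with ifp == NULL on a remotely sent query. If any later use of ifp in supply() dereferences it, the remotely triggerable abort this commit fixes turns into a remotely triggerable NULL dereference under `-ii` — the rest of supply() lies outside the hunk, so that needs to be checked rather than assumed. If a NULL ifp is a legitimate input on this path, I would say so where the assert was, `/* ifp may be NULL when answering a query from a host on no attached interface */`, so the next reader does not reinstate the assertion.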