From 50a24bc3c7c05248bce83f69a91a7d6bf7a7adc7 Mon Sep 17 00:00:00 2001 From: suz Date: Thu, 16 Nov 2006 19:03:03 +0000 Subject: implemented more validation checks about incoming responses per RFC2080, and one additional heuristic check for safer operation. Obtained from: KAME MFC after: 1 week --- usr.sbin/route6d/route6d.c | 82 +++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 78 insertions(+), 4 deletions(-) (limited to 'usr.sbin/route6d') diff --git a/usr.sbin/route6d/route6d.c b/usr.sbin/route6d/route6d.c index f62c7f1..69381d9 100644 --- a/usr.sbin/route6d/route6d.c +++ b/usr.sbin/route6d/route6d.c @@ -656,6 +656,20 @@ init() } #endif +#ifdef IPV6_RECVPKTINFO + if (setsockopt(ripsock, IPPROTO_IPV6, IPV6_RECVHOPLIMIT, + &int1, sizeof(int1)) < 0) { + fatal("rip IPV6_RECVHOPLIMIT"); + /*NOTREACHED*/ + } +#else /* old adv. API */ + if (setsockopt(ripsock, IPPROTO_IPV6, IPV6_HOPLIMIT, + &int1, sizeof(int1)) < 0) { + fatal("rip IPV6_HOPLIMIT"); + /*NOTREACHED*/ + } +#endif + memset(&hints, 0, sizeof(hints)); hints.ai_family = PF_INET6; hints.ai_socktype = SOCK_DGRAM; @@ -1082,7 +1096,8 @@ riprecv() struct cmsghdr *cm; struct iovec iov[2]; u_char cmsgbuf[256]; - struct in6_pktinfo *pi; + struct in6_pktinfo *pi = NULL; + int *hlimp = NULL; struct iff *iffp; struct in6_addr ia; int ok; @@ -1107,11 +1122,26 @@ riprecv() for (cm = (struct cmsghdr *)CMSG_FIRSTHDR(&m); cm; cm = (struct cmsghdr *)CMSG_NXTHDR(&m, cm)) { - if (cm->cmsg_level == IPPROTO_IPV6 && - cm->cmsg_type == IPV6_PKTINFO) { + if (cm->cmsg_level != IPPROTO_IPV6) + continue; + switch (cm->cmsg_type) { + case IPV6_PKTINFO: + if (cm->cmsg_len != CMSG_LEN(sizeof(*pi))) { + trace(1, + "invalid cmsg length for IPV6_PKTINFO\n"); + return; + } pi = (struct in6_pktinfo *)(CMSG_DATA(cm)); idx = pi->ipi6_ifindex; break; + case IPV6_HOPLIMIT: + if (cm->cmsg_len != CMSG_LEN(sizeof(int))) { + trace(1, + "invalid cmsg length for IPV6_HOPLIMIT\n"); + return; + } + hlimp = (int *)CMSG_DATA(cm); + break; } } if (idx && IN6_IS_ADDR_LINKLOCAL(&fsock.sin6_addr)) @@ -1122,6 +1152,18 @@ riprecv() return; } + if (pi == NULL || hlimp == NULL) { + /* + * This can happen when the kernel failed to allocate memory + * for the ancillary data. Although we might be able to handle + * some cases without this info, those are minor and not so + * important, so it's better to discard the packet for safer + * operation. + */ + trace(1, "IPv6 packet information cannot be retrieved\n"); + return; + } + nh = fsock.sin6_addr; nn = (len - sizeof(struct rip6) + sizeof(struct netinfo6)) / sizeof(struct netinfo6); @@ -1143,10 +1185,42 @@ riprecv() } if (!IN6_IS_ADDR_LINKLOCAL(&fsock.sin6_addr)) { - trace(1, "Packets from non-ll addr: %s\n", + trace(1, "Response from non-ll addr: %s\n", inet6_n2p(&fsock.sin6_addr)); return; /* Ignore packets from non-link-local addr */ } + if (ntohs(fsock.sin6_port) != RIP6_PORT) { + trace(1, "Response from non-rip port from %s\n", + inet6_n2p(&fsock.sin6_addr)); + return; + } + if (IN6_IS_ADDR_MULTICAST(&pi->ipi6_addr) && *hlimp != 255) { + trace(1, + "Response packet with a smaller hop limit (%d) from %s\n", + *hlimp, inet6_n2p(&fsock.sin6_addr)); + return; + } + /* + * Further validation: since this program does not send off-link + * requests, an incoming response must always come from an on-link + * node. Although this is normally ensured by the source address + * check above, it may not 100% be safe because there are router + * implementations that (invalidly) allow a packet with a link-local + * source address to be forwarded to a different link. + * So we also check whether the destination address is a link-local + * address or the hop limit is 255. Note that RFC2080 does not require + * the specific hop limit for a unicast response, so we cannot assume + * the limitation. + */ + if (!IN6_IS_ADDR_LINKLOCAL(&pi->ipi6_addr) && *hlimp != 255) { + trace(1, + "Response packet possibly from an off-link node: " + "from %s to %s hlim=%d\n", + inet6_n2p(&fsock.sin6_addr), + inet6_n2p(&pi->ipi6_addr), *hlimp); + return; + } + idx = IN6_LINKLOCAL_IFINDEX(fsock.sin6_addr); ifcp = (idx < nindex2ifc) ? index2ifc[idx] : NULL; if (!ifcp) { -- cgit v1.1