Date: Sun, 21 Sep 2014 04:00:29 +0000 (UTC)
From: Hiroki Sato <hrs@FreeBSD.org>
To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org
Subject: svn commit: r271919 - head/sbin/routed
Message-ID: <201409210400.s8L40Tu8017645@svn.freebsd.org>
Author: hrs Date: Sun Sep 21 04:00:28 2014 New Revision: 271919 URL: http://svnweb.freebsd.org/changeset/base/271919 Log: Fix a bug which could make routed(8) daemon exit by sending a special RIP query from a remote machine, and disable accepting it by default. This requests a routed(8) daemon to dump routing information base for debugging purpose. An -i flag to enable it has been added. Modified: head/sbin/routed/defs.h head/sbin/routed/input.c head/sbin/routed/main.c head/sbin/routed/output.c head/sbin/routed/routed.8 Modified: head/sbin/routed/defs.h ============================================================================== --- head/sbin/routed/defs.h Sun Sep 21 03:56:06 2014 (r271918) +++ head/sbin/routed/defs.h Sun Sep 21 04:00:28 2014 (r271919) @@ -462,6 +462,7 @@ extern int ridhosts; /* 1=reduce host r extern int mhome; /* 1=want multi-homed host route */ extern int advertise_mhome; /* 1=must continue advertising it */ extern int auth_ok; /* 1=ignore auth if we do not care */ +extern int insecure; /* Reply to special queries or not */ extern struct timeval clk; /* system clock's idea of time */ extern struct timeval epoch; /* system clock when started */ Modified: head/sbin/routed/input.c ============================================================================== --- head/sbin/routed/input.c Sun Sep 21 03:56:06 2014 (r271918) +++ head/sbin/routed/input.c Sun Sep 21 04:00:28 2014 (r271919) 
@@ -289,8 +289,19 @@ input(struct sockaddr_in *from, /* rece * with all we know. */ if (from->sin_port != htons(RIP_PORT)) { - supply(from, aifp, OUT_QUERY, 0, - rip->rip_vers, ap != 0); + /* + * insecure: query from non-router node + * > 1: allow from distant node + * > 0: allow from neighbor node + * == 0: deny + */ + if ((aifp != NULL && insecure > 0) || + (aifp == NULL && insecure > 1)) + supply(from, aifp, OUT_QUERY, 0, + rip->rip_vers, ap != 0); + else + trace_pkt("Warning: " + "possible attack detected"); return; } Modified: head/sbin/routed/main.c ============================================================================== --- head/sbin/routed/main.c Sun Sep 21 03:56:06 2014 (r271918) +++ head/sbin/routed/main.c Sun Sep 21 04:00:28 2014 (r271919) @@ -68,6 +68,7 @@ int ridhosts; /* 1=reduce host routes int mhome; /* 1=want multi-homed host route */ int advertise_mhome; /* 1=must continue advertising it */ int auth_ok = 1; /* 1=ignore auth if we do not care */ +int insecure; /* Reply to special queries or not */ struct timeval epoch; /* when started */ struct timeval clk; @@ -136,8 +137,11 @@ main(int argc, (void)gethostname(myname, sizeof(myname)-1); (void)gethost(myname, &myaddr); - while ((n = getopt(argc, argv, "sqdghmAtvT:F:P:")) != -1) { + while ((n = getopt(argc, argv, "isqdghmAtvT:F:P:")) != -1) { switch (n) { + case 'i': + insecure++; + break; case 's': supplier = 1; supplier_set = 1; Modified: head/sbin/routed/output.c ============================================================================== --- head/sbin/routed/output.c Sun Sep 21 03:56:06 2014 (r271918) +++ head/sbin/routed/output.c Sun Sep 21 04:00:28 2014 (r271919) 
@@ -673,8 +673,6 @@ supply(struct sockaddr_in *dst, struct rt_entry *rt; int def_metric; - assert(ifp != NULL); - ws.state = 0; ws.gen_limit = 1024; Modified: head/sbin/routed/routed.8 ============================================================================== --- head/sbin/routed/routed.8 Sun Sep 21 03:56:06 2014 (r271918) +++ head/sbin/routed/routed.8 Sun Sep 21 04:00:28 2014 (r271919) @@ -30,7 +30,7 @@ .\" @(#)routed.8 8.2 (Berkeley) 12/11/93 .\" $FreeBSD$ .\" -.Dd June 1, 1996 +.Dd August 26, 2014 .Dt ROUTED 8 .Os .Sh NAME @@ -39,7 +39,7 @@ .Nd network RIP and router discovery routing daemon .Sh SYNOPSIS .Nm -.Op Fl sqdghmpAtv +.Op Fl isqdghmpAtv .Op Fl T Ar tracefile .Oo .Fl F @@ -250,6 +250,20 @@ to infer the netmask used by the remote .Pp The following options are available: .Bl -tag -width indent +.It Fl i +allow +.Nm +to accept a RIP request from non-router node. +When specified once, +.Nm +replies to a route information query from neighbor nodes. +When specified twice, +it replies to a query from remote nodes in addition. +.Xr rtquery 8 +utility can be used to send a request. +.Pp +This feature is disabled by default because of a risk of reflection attack +though it useful for debugging purpose, .It Fl s force .Nm
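Review bot: the defs.h hunk documents `insecure` as a boolean ("Reply to special queries or not"), but input.c treats it as a count with three states (0 deny, 1 neighbor only, >1 any node). Put the 0/1/2 semantics in the defs.h comment too, e.g. `/* 0=deny, 1=neighbors, 2=any node: answer special queries */`, so readers of the header do not assume a plain on/off flag.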
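Review bot: in the input.c hunk, the `else` branch logs "possible attack detected" for every rejected non-router query, including the case `aifp == NULL && insecure == 1`, which is a policy rejection (distant node, neighbor-only mode) rather than evidence of an attack; a separate message for that case, or one that names the source address and the current `insecure` level, would make the trace useful when an operator runs `rtquery` and wonders why there is no reply. Also worth stating in the comment that the `aifp == NULL` case is exactly the path that previously reached `supply()` and tripped the assertion, so the default `insecure == 0` now closes the remote crash described in the log.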
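Review bot: the main.c hunk adds `i` to the getopt string and increments `insecure` on each occurrence, but the hunk shows no matching change to the usage() text that is printed on a bad option; check that the usage string lists `-i` alongside the other flags as the synopsis in routed.8 now does. Since `insecure++` is unbounded, a comment noting that any value above 2 behaves like 2 would avoid a reader expecting a third level.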
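Review bot: the output.c hunk removes `assert(ifp != NULL)` from `supply()`, and with `-ii` input.c now calls `supply()` with `aifp == NULL` on purpose; from this hunk alone it is not visible whether the remainder of `supply()` (and the helpers it drives, such as the `ws` setup that follows) tolerates a NULL `ifp` or dereferences it. The reviewer should confirm that every use of `ifp` in `supply()` is guarded, otherwise the assertion failure has been traded for a NULL dereference on the same remote-triggerable path.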
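Review bot: the routed.8 hunk has a few grammar and punctuation problems in the new `.It Fl i` text: "from non-router node" should read "from a non-router node", "The .Xr rtquery 8 utility" wants an article, and the closing sentence "This feature is disabled by default because of a risk of reflection attack though it useful for debugging purpose," ends with a comma and is missing "is"; suggest "This feature is disabled by default because it can be used for reflection attacks, though it is useful for debugging." The `.Dd August 26, 2014` date also predates the commit date (September 21, 2014) and should match.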