Fix a bug which could make routed(8) daemon exit by sending a special RIP

query from a remote machine, and disable accepting it by default. This requests a routed(8) daemon to dump routing information base for debugging purpose. An -i flag to enable it has been added.
2014-09-21 04:00:28 +00:00 · 2014-09-21 04:00:28 +00:00 · b9f70ced25
commit b9f70ced25
parent 89c58b73e0
5 changed files with 35 additions and 7 deletions
--- a/sbin/routed/defs.h
+++ b/sbin/routed/defs.h
@ -462,6 +462,7 @@ extern int	ridhosts;		/* 1=reduce host routes */
 extern int	mhome;			/* 1=want multi-homed host route */
 extern int	advertise_mhome;	/* 1=must continue advertising it */
 extern int	auth_ok;		/* 1=ignore auth if we do not care */
+extern int	insecure;		/* Reply to special queries or not */

 extern struct timeval clk;		/* system clock's idea of time */
 extern struct timeval epoch;		/* system clock when started */
--- a/sbin/routed/input.c
+++ b/sbin/routed/input.c
@ -289,8 +289,19 @@ input(struct sockaddr_in *from,		/* received from this IP address */
 				 * with all we know.
 				 */
 				if (from->sin_port != htons(RIP_PORT)) {
-					supply(from, aifp, OUT_QUERY, 0,
-					       rip->rip_vers, ap != 0);
+					/*
+					 * insecure: query from non-router node
+					 *   > 1: allow from distant node
+					 *   > 0: allow from neighbor node
+					 *  == 0: deny
+					 */
+					if ((aifp != NULL && insecure > 0) ||
+					    (aifp == NULL && insecure > 1))
+						supply(from, aifp, OUT_QUERY, 0,
+						       rip->rip_vers, ap != 0);
+					else
+						trace_pkt("Warning: "
+						    "possible attack detected");
 					return;
 				}

--- a/sbin/routed/main.c
+++ b/sbin/routed/main.c
@ -68,6 +68,7 @@ int	ridhosts;			/* 1=reduce host routes */
 int	mhome;				/* 1=want multi-homed host route */
 int	advertise_mhome;		/* 1=must continue advertising it */
 int	auth_ok = 1;			/* 1=ignore auth if we do not care */
+int	insecure;			/* Reply to special queries or not */

 struct timeval epoch;			/* when started */
 struct timeval clk;
@ -136,8 +137,11 @@ main(int argc,
 	(void)gethostname(myname, sizeof(myname)-1);
 	(void)gethost(myname, &myaddr);

-	while ((n = getopt(argc, argv, "sqdghmAtvT:F:P:")) != -1) {
+	while ((n = getopt(argc, argv, "isqdghmAtvT:F:P:")) != -1) {
 		switch (n) {
+		case 'i':
+			insecure++;
+			break;
 		case 's':
 			supplier = 1;
 			supplier_set = 1;
--- a/sbin/routed/output.c
+++ b/sbin/routed/output.c
@ -673,8 +673,6 @@ supply(struct sockaddr_in *dst,
 	struct rt_entry *rt;
 	int def_metric;

-	assert(ifp != NULL);
-
 	ws.state = 0;
 	ws.gen_limit = 1024;

--- a/sbin/routed/routed.8
+++ b/sbin/routed/routed.8
@ -30,7 +30,7 @@
 .\"     @(#)routed.8	8.2 (Berkeley) 12/11/93
 .\" $FreeBSD$
 .\"
-.Dd June 1, 1996
+.Dd August 26, 2014
 .Dt ROUTED 8
 .Os
 .Sh NAME
@ -39,7 +39,7 @@
 .Nd network RIP and router discovery routing daemon
 .Sh SYNOPSIS
 .Nm
-.Op Fl sqdghmpAtv
+.Op Fl isqdghmpAtv
 .Op Fl T Ar tracefile
 .Oo
 .Fl F
@ -250,6 +250,20 @@ to infer the netmask used by the remote system when RIPv1 is used.
 .Pp
 The following options are available:
 .Bl -tag -width indent
+.It Fl i
+allow
+.Nm
+to accept a RIP request from non-router node.
+When specified once, 
+.Nm
+replies to a route information query from neighbor nodes.
+When specified twice,
+it replies to a query from remote nodes in addition.
+.Xr rtquery 8
+utility can be used to send a request.
+.Pp
+This feature is disabled by default because of a risk of reflection attack
+though it useful for debugging purpose,
 .It Fl s
 force
 .Nm