2 * Copyright (c) 1983, 1988, 1993
3 * The Regents of the University of California. All rights reserved.
5 * Redistribution and use in source and binary forms, with or without
6 * modification, are permitted provided that the following conditions
8 * 1. Redistributions of source code must retain the above copyright
9 * notice, this list of conditions and the following disclaimer.
10 * 2. Redistributions in binary form must reproduce the above copyright
11 * notice, this list of conditions and the following disclaimer in the
12 * documentation and/or other materials provided with the distribution.
13 * 4. Neither the name of the University nor the names of its contributors
14 * may be used to endorse or promote products derived from this software
15 * without specific prior written permission.
17 * THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
36 #elif defined(__FreeBSD__)
39 __RCSID("$Revision: 2.26 $");
40 #ident "$Revision: 2.26 $"
43 static void input(struct sockaddr_in *, struct interface *, struct interface *,
45 static void input_route(naddr, naddr, struct rt_spare *, struct netinfo *);
46 static int ck_passwd(struct interface *, struct rip *, void *,
47 naddr, struct msg_limit *);
54 struct interface *sifp)
56 struct sockaddr_in from;
57 struct interface *aifp;
61 static struct msg_limit bad_name;
63 char ifname[IFNAMSIZ];
74 fromlen = sizeof(from);
75 cc = recvfrom(sock, &inbuf, sizeof(inbuf), 0,
76 (struct sockaddr*)&from, &fromlen);
78 if (cc < 0 && errno != EWOULDBLOCK)
79 LOGERR("recvfrom(rip)");
82 if (fromlen != sizeof(struct sockaddr_in))
83 logbad(1,"impossible recvfrom(rip) fromlen=%d",
86 /* aifp is the "authenticated" interface via which the packet
87 * arrived. In fact, it is only the interface on which
88 * the packet should have arrived based on is source
90 * sifp is interface associated with the socket through which
91 * the packet was received.
94 if ((cc -= sizeof(inbuf.ifname)) < 0)
95 logbad(0,"missing USE_PASSIFNAME; only %d bytes",
96 cc+sizeof(inbuf.ifname));
98 /* check the remote interfaces first */
99 LIST_FOREACH(aifp, &remote_if, remote_list) {
100 if (aifp->int_addr == from.sin_addr.s_addr)
104 aifp = ifwithname(inbuf.ifname, 0);
106 msglim(&bad_name, from.sin_addr.s_addr,
107 "impossible interface name %.*s",
108 IFNAMSIZ, inbuf.ifname);
109 } else if (((aifp->int_if_flags & IFF_POINTOPOINT)
110 && aifp->int_dstaddr!=from.sin_addr.s_addr)
111 || (!(aifp->int_if_flags & IFF_POINTOPOINT)
112 && !on_net(from.sin_addr.s_addr,
115 /* If it came via the wrong interface, do not
122 aifp = iflookup(from.sin_addr.s_addr);
127 input(&from, sifp, aifp, &inbuf.pbuf.rip, cc);
132 /* Process a RIP packet
135 input(struct sockaddr_in *from, /* received from this IP address */
136 struct interface *sifp, /* interface of incoming socket */
137 struct interface *aifp, /* "authenticated" interface */
141 # define FROM_NADDR from->sin_addr.s_addr
142 static struct msg_limit use_auth, bad_len, bad_mask;
143 static struct msg_limit unk_router, bad_router, bad_nhop;
147 struct netinfo *n, *lim;
148 struct interface *ifp1;
149 naddr gate, mask, v1_mask, dst, ddst_h = 0;
151 struct tgate *tg = 0;
152 struct tgate_net *tn;
155 /* Notice when we hear from a remote gateway
158 && (aifp->int_state & IS_REMOTE))
159 aifp->int_act_time = now.tv_sec;
161 trace_rip("Recv", "from", from, sifp, rip, cc);
164 trace_pkt(" discard a request from an indirect router"
165 " (possibly an attack)");
169 if (rip->rip_vers == 0) {
170 msglim(&bad_router, FROM_NADDR,
171 "RIP version 0, cmd %d, packet received from %s",
172 rip->rip_cmd, naddr_ntoa(FROM_NADDR));
174 } else if (rip->rip_vers > RIPv2) {
175 rip->rip_vers = RIPv2;
177 if (cc > (int)OVER_MAXPACKETSIZE) {
178 msglim(&bad_router, FROM_NADDR,
179 "packet at least %d bytes too long received from %s",
180 cc-MAXPACKETSIZE, naddr_ntoa(FROM_NADDR));
185 lim = (struct netinfo *)((char*)rip + cc);
187 /* Notice authentication.
188 * As required by section 4.2 in RFC 1723, discard authenticated
189 * RIPv2 messages, but only if configured for that silliness.
191 * RIPv2 authentication is lame. Why authenticate queries?
192 * Why should a RIPv2 implementation with authentication disabled
193 * not be able to listen to RIPv2 packets with authentication, while
194 * RIPv1 systems will listen? Crazy!
197 && rip->rip_vers == RIPv2
198 && n < lim && n->n_family == RIP_AF_AUTH) {
199 msglim(&use_auth, FROM_NADDR,
200 "RIPv2 message with authentication from %s discarded",
201 naddr_ntoa(FROM_NADDR));
205 switch (rip->rip_cmd) {
207 /* For mere requests, be a little sloppy about the source
212 /* Are we talking to ourself or a remote gateway?
214 ifp1 = ifwithaddr(FROM_NADDR, 0, 1);
216 if (ifp1->int_state & IS_REMOTE) {
219 if (check_remote(aifp)) {
220 aifp->int_act_time = now.tv_sec;
221 (void)if_ok(aifp, "remote ");
223 } else if (from->sin_port == htons(RIP_PORT)) {
224 trace_pkt(" discard our own RIP request");
229 /* did the request come from a router?
231 if (from->sin_port == htons(RIP_PORT)) {
232 /* yes, ignore the request if RIP is off so that
233 * the router does not depend on us.
237 && IS_RIP_OUT_OFF(aifp->int_state))) {
238 trace_pkt(" discard request while RIP off");
243 /* According to RFC 1723, we should ignore unauthenticated
244 * queries. That is too silly to bother with. Sheesh!
245 * Are forwarding tables supposed to be secret, when
246 * a bad guy can infer them with test traffic? When RIP
247 * is still the most common router-discovery protocol
248 * and so hosts need to send queries that will be answered?
249 * What about `rtquery`?
250 * Maybe on firewalls you'd care, but not enough to
251 * give up the diagnostic facilities of remote probing.
255 msglim(&bad_len, FROM_NADDR, "empty request from %s",
256 naddr_ntoa(FROM_NADDR));
259 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) {
260 msglim(&bad_len, FROM_NADDR,
261 "request of bad length (%d) from %s",
262 cc, naddr_ntoa(FROM_NADDR));
265 if (rip->rip_vers == RIPv2
266 && (aifp == 0 || (aifp->int_state & IS_NO_RIPV1_OUT))) {
267 v12buf.buf->rip_vers = RIPv2;
268 /* If we have a secret but it is a cleartext secret,
269 * do not disclose our secret unless the other guy
272 ap = find_auth(aifp);
273 if (ap != 0 && ap->type == RIP_AUTH_PW
274 && n->n_family == RIP_AF_AUTH
275 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth))
278 v12buf.buf->rip_vers = RIPv1;
281 clr_ws_buf(&v12buf, ap);
284 n->n_metric = ntohl(n->n_metric);
286 /* A single entry with family RIP_AF_UNSPEC and
287 * metric HOPCNT_INFINITY means "all routes".
288 * We respond to routers only if we are acting
289 * as a supplier, or to anyone other than a router
292 if (n->n_family == RIP_AF_UNSPEC
293 && n->n_metric == HOPCNT_INFINITY) {
294 /* Answer a query from a utility program
298 trace_pkt("ignore remote query");
301 if (from->sin_port != htons(RIP_PORT)) {
303 * insecure: query from non-router node
304 * > 1: allow from distant node
305 * > 0: allow from neighbor node
308 if ((aifp != NULL && insecure > 0) ||
309 (aifp == NULL && insecure > 1))
310 supply(from, aifp, OUT_QUERY, 0,
311 rip->rip_vers, ap != 0);
313 trace_pkt("Warning: "
314 "possible attack detected");
318 /* A router trying to prime its tables.
319 * Filter the answer in the about same way
320 * broadcasts are filtered.
322 * Only answer a router if we are a supplier
323 * to keep an unwary host that is just starting
324 * from picking us as a router.
327 trace_pkt("ignore distant router");
331 || IS_RIP_OFF(aifp->int_state)) {
332 trace_pkt("ignore; not supplying");
336 /* Do not answer a RIPv1 router if
337 * we are sending RIPv2. But do offer
338 * poor man's router discovery.
340 if ((aifp->int_state & IS_NO_RIPV1_OUT)
341 && rip->rip_vers == RIPv1) {
342 if (!(aifp->int_state & IS_PM_RDISC)) {
343 trace_pkt("ignore; sending RIPv2");
347 v12buf.n->n_family = RIP_AF_INET;
348 v12buf.n->n_dst = RIP_DEFAULT;
349 i = aifp->int_d_metric;
350 if (0 != (rt = rtget(RIP_DEFAULT, 0))) {
353 +aifp->int_adj_outmetric
358 v12buf.n->n_metric = htonl(i);
363 /* Respond with RIPv1 instead of RIPv2 if
364 * that is what we are broadcasting on the
365 * interface to keep the remote router from
366 * getting the wrong initial idea of the
369 supply(from, aifp, OUT_UNICAST, 0,
370 (aifp->int_state & IS_NO_RIPV1_OUT)
376 /* Ignore authentication */
377 if (n->n_family == RIP_AF_AUTH)
380 if (n->n_family != RIP_AF_INET) {
381 msglim(&bad_router, FROM_NADDR,
382 "request from %s for unsupported"
384 naddr_ntoa(FROM_NADDR),
386 naddr_ntoa(n->n_dst));
390 /* We are being asked about a specific destination.
393 if (!check_dst(dst)) {
394 msglim(&bad_router, FROM_NADDR,
395 "bad queried destination %s from %s",
397 naddr_ntoa(FROM_NADDR));
401 /* decide what mask was intended */
402 if (rip->rip_vers == RIPv1
403 || 0 == (mask = ntohl(n->n_mask))
404 || 0 != (ntohl(dst) & ~mask))
405 mask = ripv1_mask_host(dst, aifp);
407 /* try to find the answer */
408 rt = rtget(dst, mask);
409 if (!rt && dst != RIP_DEFAULT)
410 rt = rtfind(n->n_dst);
412 if (v12buf.buf->rip_vers != RIPv1)
413 v12buf.n->n_mask = mask;
415 /* we do not have the answer */
416 v12buf.n->n_metric = HOPCNT_INFINITY;
418 /* we have the answer, so compute the
419 * right metric and next hop.
421 v12buf.n->n_family = RIP_AF_INET;
422 v12buf.n->n_dst = dst;
427 j += (aifp->int_metric
428 + aifp->int_adj_outmetric);
429 if (j < HOPCNT_INFINITY)
430 v12buf.n->n_metric = j;
432 v12buf.n->n_metric = HOPCNT_INFINITY;
433 if (v12buf.buf->rip_vers != RIPv1) {
434 v12buf.n->n_tag = rt->rt_tag;
435 v12buf.n->n_mask = mask;
437 && on_net(rt->rt_gate,
440 && rt->rt_gate != aifp->int_addr)
441 v12buf.n->n_nhop = rt->rt_gate;
444 v12buf.n->n_metric = htonl(v12buf.n->n_metric);
446 /* Stop paying attention if we fill the output buffer.
448 if (++v12buf.n >= v12buf.lim)
452 /* Send the answer about specific routes.
454 if (ap != 0 && ap->type == RIP_AUTH_MD5)
455 end_md5_auth(&v12buf, ap);
457 if (from->sin_port != htons(RIP_PORT)) {
459 (void)output(OUT_QUERY, from, aifp,
461 ((char *)v12buf.n - (char*)v12buf.buf));
462 } else if (supplier) {
463 (void)output(OUT_UNICAST, from, aifp,
465 ((char *)v12buf.n - (char*)v12buf.buf));
467 /* Only answer a router if we are a supplier
468 * to keep an unwary host that is just starting
469 * from picking us an a router.
476 case RIPCMD_TRACEOFF:
477 /* Notice that trace messages are turned off for all possible
478 * abuse if _PATH_TRACE is undefined in pathnames.h.
479 * Notice also that because of the way the trace file is
480 * handled in trace.c, no abuse is plausible even if
481 * _PATH_TRACE_ is defined.
483 * First verify message came from a privileged port. */
484 if (ntohs(from->sin_port) > IPPORT_RESERVED) {
485 msglog("trace command from untrusted port on %s",
486 naddr_ntoa(FROM_NADDR));
490 msglog("trace command from unknown router %s",
491 naddr_ntoa(FROM_NADDR));
494 if (rip->rip_cmd == RIPCMD_TRACEON) {
495 rip->rip_tracefile[cc-4] = '\0';
496 set_tracefile((char*)rip->rip_tracefile,
497 "trace command: %s\n", 0);
499 trace_off("tracing turned off by %s",
500 naddr_ntoa(FROM_NADDR));
504 case RIPCMD_RESPONSE:
505 if (cc%sizeof(*n) != sizeof(struct rip)%sizeof(*n)) {
506 msglim(&bad_len, FROM_NADDR,
507 "response of bad length (%d) from %s",
508 cc, naddr_ntoa(FROM_NADDR));
511 /* verify message came from a router */
512 if (from->sin_port != ntohs(RIP_PORT)) {
513 msglim(&bad_router, FROM_NADDR,
514 " discard RIP response from unknown port"
516 ntohs(from->sin_port), naddr_ntoa(FROM_NADDR));
521 trace_pkt(" discard response while RIP off");
525 /* Are we talking to ourself or a remote gateway?
527 ifp1 = ifwithaddr(FROM_NADDR, 0, 1);
529 if (ifp1->int_state & IS_REMOTE) {
532 if (check_remote(aifp)) {
533 aifp->int_act_time = now.tv_sec;
534 (void)if_ok(aifp, "remote ");
537 trace_pkt(" discard our own RIP response");
542 /* Accept routing packets from routers directly connected
543 * via broadcast or point-to-point networks, and from
544 * those listed in /etc/gateways.
547 msglim(&unk_router, FROM_NADDR,
548 " discard response from %s"
549 " via unexpected interface",
550 naddr_ntoa(FROM_NADDR));
553 if (IS_RIP_IN_OFF(aifp->int_state)) {
554 trace_pkt(" discard RIPv%d response"
555 " via disabled interface %s",
556 rip->rip_vers, aifp->int_name);
561 msglim(&bad_len, FROM_NADDR, "empty response from %s",
562 naddr_ntoa(FROM_NADDR));
566 if (((aifp->int_state & IS_NO_RIPV1_IN)
567 && rip->rip_vers == RIPv1)
568 || ((aifp->int_state & IS_NO_RIPV2_IN)
569 && rip->rip_vers != RIPv1)) {
570 trace_pkt(" discard RIPv%d response",
575 /* Ignore routes via dead interface.
577 if (aifp->int_state & IS_BROKE) {
578 trace_pkt("discard response via broken interface %s",
583 /* If the interface cares, ignore bad routers.
584 * Trace but do not log this problem, because where it
585 * happens, it happens frequently.
587 if (aifp->int_state & IS_DISTRUST) {
589 while (tg->tgate_addr != FROM_NADDR) {
592 trace_pkt(" discard RIP response"
593 " from untrusted router %s",
594 naddr_ntoa(FROM_NADDR));
600 /* Authenticate the packet if we have a secret.
601 * If we do not have any secrets, ignore the error in
602 * RFC 1723 and accept it regardless.
604 if (aifp->int_auth[0].type != RIP_AUTH_NONE
605 && rip->rip_vers != RIPv1
606 && !ck_passwd(aifp,rip,lim,FROM_NADDR,&use_auth))
610 if (n->n_family == RIP_AF_AUTH)
613 n->n_metric = ntohl(n->n_metric);
615 if (n->n_family != RIP_AF_INET
616 && (n->n_family != RIP_AF_UNSPEC
617 || dst != RIP_DEFAULT)) {
618 msglim(&bad_router, FROM_NADDR,
619 "route from %s to unsupported"
620 " address family=%d destination=%s",
621 naddr_ntoa(FROM_NADDR),
626 if (!check_dst(dst)) {
627 msglim(&bad_router, FROM_NADDR,
628 "bad destination %s from %s",
630 naddr_ntoa(FROM_NADDR));
634 || n->n_metric > HOPCNT_INFINITY) {
635 msglim(&bad_router, FROM_NADDR,
636 "bad metric %d from %s"
637 " for destination %s",
639 naddr_ntoa(FROM_NADDR),
644 /* Notice the next-hop.
647 if (n->n_nhop != 0) {
648 if (rip->rip_vers == RIPv1) {
651 /* Use it only if it is valid. */
652 if (on_net(n->n_nhop,
653 aifp->int_net, aifp->int_mask)
654 && check_dst(n->n_nhop)) {
657 msglim(&bad_nhop, FROM_NADDR,
659 " has bad next hop %s",
660 naddr_ntoa(FROM_NADDR),
662 naddr_ntoa(n->n_nhop));
668 if (rip->rip_vers == RIPv1
669 || 0 == (mask = ntohl(n->n_mask))) {
670 mask = ripv1_mask_host(dst,aifp);
671 } else if ((ntohl(dst) & ~mask) != 0) {
672 msglim(&bad_mask, FROM_NADDR,
673 "router %s sent bad netmask"
675 naddr_ntoa(FROM_NADDR),
680 if (rip->rip_vers == RIPv1)
683 /* Adjust metric according to incoming interface..
685 n->n_metric += (aifp->int_metric
686 + aifp->int_adj_inmetric);
687 if (n->n_metric > HOPCNT_INFINITY)
688 n->n_metric = HOPCNT_INFINITY;
690 /* Should we trust this route from this router? */
691 if (tg && (tn = tg->tgate_nets)->mask != 0) {
692 for (i = 0; i < MAX_TGATE_NETS; i++, tn++) {
693 if (on_net(dst, tn->net, tn->mask)
697 if (i >= MAX_TGATE_NETS || tn->mask == 0) {
698 trace_pkt(" ignored unauthorized %s",
699 addrname(dst,mask,0));
704 /* Recognize and ignore a default route we faked
705 * which is being sent back to us by a machine with
706 * broken split-horizon.
707 * Be a little more paranoid than that, and reject
708 * default routes with the same metric we advertised.
710 if (aifp->int_d_metric != 0
711 && dst == RIP_DEFAULT
712 && (int)n->n_metric >= aifp->int_d_metric)
715 /* We can receive aggregated RIPv2 routes that must
716 * be broken down before they are transmitted by
717 * RIPv1 via an interface on a subnet.
718 * We might also receive the same routes aggregated
719 * via other RIPv2 interfaces.
720 * This could cause duplicate routes to be sent on
721 * the RIPv1 interfaces. "Longest matching variable
722 * length netmasks" lets RIPv2 listeners understand,
723 * but breaking down the aggregated routes for RIPv1
724 * listeners can produce duplicate routes.
726 * Breaking down aggregated routes here bloats
727 * the daemon table, but does not hurt the kernel
728 * table, since routes are always aggregated for
731 * Notice that this does not break down network
732 * routes corresponding to subnets. This is part
733 * of the defense against RS_NET_SYN.
736 && (((rt = rtget(dst,mask)) == 0
737 || !(rt->rt_state & RS_NET_SYN)))
738 && (v1_mask = ripv1_mask_net(dst,0)) > mask) {
739 ddst_h = v1_mask & -v1_mask;
740 i = (v1_mask & ~mask)/ddst_h;
742 /* Punt if we would have to generate
743 * an unreasonable number of routes.
746 trace_misc("accept %s-->%s as 1"
747 " instead of %d routes",
748 addrname(dst,mask,0),
749 naddr_ntoa(FROM_NADDR),
760 new.rts_router = FROM_NADDR;
761 new.rts_metric = n->n_metric;
762 new.rts_tag = n->n_tag;
763 new.rts_time = now.tv_sec;
768 input_route(dst, mask, &new, n);
771 dst = htonl(ntohl(dst) + ddst_h);
780 /* Process a single input route.
783 input_route(naddr dst, /* network order */
785 struct rt_spare *new,
790 struct rt_spare *rts, *rts0;
791 struct interface *ifp1;
794 /* See if the other guy is telling us to send our packets to him.
795 * Sometimes network routes arrive over a point-to-point link for
796 * the network containing the address(es) of the link.
798 * If our interface is broken, switch to using the other guy.
800 ifp1 = ifwithaddr(dst, 1, 1);
802 && (!(ifp1->int_state & IS_BROKE)
803 || (ifp1->int_state & IS_PASSIVE)))
806 /* Look for the route in our table.
808 rt = rtget(dst, mask);
810 /* Consider adding the route if we do not already have it.
813 /* Ignore unknown routes being poisoned.
815 if (new->rts_metric == HOPCNT_INFINITY)
818 /* Ignore the route if it points to us */
820 && 0 != ifwithaddr(n->n_nhop, 1, 0))
823 /* If something has not gone crazy and tried to fill
824 * our memory, accept the new route.
826 if (total_routes < MAX_ROUTES)
827 rtadd(dst, mask, 0, new);
831 /* We already know about the route. Consider this update.
833 * If (rt->rt_state & RS_NET_SYN), then this route
834 * is the same as a network route we have inferred
835 * for subnets we know, in order to tell RIPv1 routers
838 * It is impossible to tell if the route is coming
839 * from a distant RIPv2 router with the standard
840 * netmask because that router knows about the entire
841 * network, or if it is a round-about echo of a
842 * synthetic, RIPv1 network route of our own.
843 * The worst is that both kinds of routes might be
844 * received, and the bad one might have the smaller
845 * metric. Partly solve this problem by never
846 * aggregating into such a route. Also keep it
847 * around as long as the interface exists.
850 rts0 = rt->rt_spares;
851 for (rts = rts0, i = NUM_SPARES; i != 0; i--, rts++) {
852 if (rts->rts_router == new->rts_router)
854 /* Note the worst slot to reuse,
855 * other than the current slot.
857 if (rts0 == rt->rt_spares
858 || BETTER_LINK(rt, rts0, rts))
862 /* Found a route from the router already in the table.
865 /* If the new route is a route broken down from an
866 * aggregated route, and if the previous route is either
867 * not a broken down route or was broken down from a finer
868 * netmask, and if the previous route is current,
869 * then forget this one.
871 if (new->rts_de_ag > rts->rts_de_ag
872 && now_stale <= rts->rts_time)
875 /* Keep poisoned routes around only long enough to pass
876 * the poison on. Use a new timestamp for good routes.
878 if (rts->rts_metric == HOPCNT_INFINITY
879 && new->rts_metric == HOPCNT_INFINITY)
880 new->rts_time = rts->rts_time;
882 /* If this is an update for the router we currently prefer,
885 if (i == NUM_SPARES) {
886 rtchange(rt, rt->rt_state, new, 0);
887 /* If the route got worse, check for something better.
889 if (new->rts_metric > rts->rts_metric)
894 /* This is an update for a spare route.
895 * Finished if the route is unchanged.
897 if (rts->rts_gate == new->rts_gate
898 && rts->rts_metric == new->rts_metric
899 && rts->rts_tag == new->rts_tag) {
900 trace_upslot(rt, rts, new);
904 /* Forget it if it has gone bad.
906 if (new->rts_metric == HOPCNT_INFINITY) {
912 /* The update is for a route we know about,
913 * but not from a familiar router.
915 * Ignore the route if it points to us.
918 && 0 != ifwithaddr(n->n_nhop, 1, 0))
921 /* the loop above set rts0=worst spare */
924 /* Save the route as a spare only if it has
925 * a better metric than our worst spare.
926 * This also ignores poisoned routes (those
927 * received with metric HOPCNT_INFINITY).
929 if (new->rts_metric >= rts->rts_metric)
933 trace_upslot(rt, rts, new);
936 /* try to switch to a better route */
941 static int /* 0 if bad */
942 ck_passwd(struct interface *aifp,
946 struct msg_limit *use_authp)
948 # define NA (rip->rip_auths)
952 u_char hash[RIP_AUTH_PW_LEN];
955 assert(aifp != NULL);
956 if ((void *)NA >= lim || NA->a_family != RIP_AF_AUTH) {
957 msglim(use_authp, from, "missing password from %s",
962 /* accept any current (+/- 24 hours) password
964 for (ap = aifp->int_auth, i = 0; i < MAX_AUTH_KEYS; i++, ap++) {
965 if (ap->type != NA->a_type
966 || (u_long)ap->start > (u_long)clk.tv_sec+DAY
967 || (u_long)ap->end+DAY < (u_long)clk.tv_sec)
970 if (NA->a_type == RIP_AUTH_PW) {
971 if (!memcmp(NA->au.au_pw, ap->key, RIP_AUTH_PW_LEN))
975 /* accept MD5 secret with the right key ID
977 if (NA->au.a_md5.md5_keyid != ap->keyid)
980 len = ntohs(NA->au.a_md5.md5_pkt_len);
981 if ((len-sizeof(*rip)) % sizeof(*NA) != 0
982 || len != (char *)lim-(char*)rip-(int)sizeof(*NA)) {
983 msglim(use_authp, from,
984 "wrong MD5 RIPv2 packet length of %d"
985 " instead of %d from %s",
986 len, (int)((char *)lim-(char *)rip
991 na2 = (struct netauth *)((char *)rip+len);
993 /* Given a good hash value, these are not security
994 * problems so be generous and accept the routes,
998 if (NA->au.a_md5.md5_auth_len
999 != RIP_AUTH_MD5_HASH_LEN)
1000 msglim(use_authp, from,
1001 "unknown MD5 RIPv2 auth len %#x"
1002 " instead of %#x from %s",
1003 NA->au.a_md5.md5_auth_len,
1004 (unsigned)RIP_AUTH_MD5_HASH_LEN,
1006 if (na2->a_family != RIP_AF_AUTH)
1007 msglim(use_authp, from,
1008 "unknown MD5 RIPv2 family %#x"
1009 " instead of %#x from %s",
1010 na2->a_family, RIP_AF_AUTH,
1012 if (na2->a_type != ntohs(1))
1013 msglim(use_authp, from,
1014 "MD5 RIPv2 hash has %#x"
1015 " instead of %#x from %s",
1016 na2->a_type, ntohs(1),
1021 MD5Update(&md5_ctx, (u_char *)rip,
1022 len + RIP_AUTH_MD5_HASH_XTRA);
1023 MD5Update(&md5_ctx, ap->key, RIP_AUTH_MD5_KEY_LEN);
1024 MD5Final(hash, &md5_ctx);
1025 if (!memcmp(hash, na2->au.au_pw, sizeof(hash)))
1030 msglim(use_authp, from, "bad password from %s",