File Manager

003 File Manager

Current Path: /usr/src/contrib/tcp_wrappers

📁 ..
📄 BLURB(1.7 KB)
📄 Banners.Makefile(2.17 KB)
📄 CHANGES(18.75 KB)
📄 DISCLAIMER(1.21 KB)
📄 Makefile(32.68 KB)
📄 README(47.08 KB)
📄 README.IRIX(2.57 KB)
📄 README.NIS(6.52 KB)
📄 clean_exit.c(1.07 KB)
📄 diag.c(1.44 KB)
📄 environ.c(4.75 KB)
📄 eval.c(3.59 KB)
📄 fakelog.c(1012 B)
📄 fix_options.c(3.7 KB)
📄 fromhost.c(1.37 KB)
📄 hosts_access.3(3.52 KB)
📄 hosts_access.5(15.97 KB)
📄 hosts_access.c(14.13 KB)
📄 hosts_ctl.c(1.08 KB)
📄 hosts_options.5(6.5 KB)
📄 inetcf.c(8.03 KB)
📄 inetcf.h(516 B)
📄 misc.c(1.9 KB)
📄 miscd.c(3.07 KB)
📄 mystdarg.h(571 B)
📄 myvsyslog.c(766 B)
📄 ncr.c(2.52 KB)
📄 options.c(13.85 KB)
📄 patchlevel.h(88 B)
📄 percent_m.c(797 B)
📄 percent_x.c(2.37 KB)
📄 printf.ck(39 B)
📄 ptx.c(2.65 KB)
📄 refuse.c(911 B)
📄 rfc931.c(5.95 KB)
📄 safe_finger.c(4.98 KB)
📄 scaffold.c(6.38 KB)
📄 scaffold.h(370 B)
📄 setenv.c(931 B)
📄 shell_cmd.c(2.13 KB)
📄 socket.c(12.06 KB)
📄 strcasecmp.c(3.78 KB)
📄 tcpd.8(6.86 KB)
📄 tcpd.c(3.49 KB)
📄 tcpd.h(8.18 KB)
📄 tcpdchk.8(2.51 KB)
📄 tcpdchk.c(12.84 KB)
📄 tcpdmatch.8(3.18 KB)
📄 tcpdmatch.c(10.69 KB)
📄 tli-sequent.c(4.85 KB)
📄 tli-sequent.h(411 B)
📄 tli.c(10.34 KB)
📄 try-from.c(2.01 KB)
📄 update.c(3.05 KB)
📄 vfprintf.c(3.12 KB)
📄 workarounds.c(7.57 KB)

Editing: fix_options.c

/*
  * Routine to disable IP-level socket options. This code was taken from 4.4BSD
  * rlogind and kernel source, but all mistakes in it are my fault.
  *
  * Author: Wietse Venema, Eindhoven University of Technology, The Netherlands.
  *
  * $FreeBSD$
  */

#ifndef lint
static char sccsid[] = "@(#) fix_options.c 1.6 97/04/08 02:29:19";
#endif

#include <sys/types.h>
#include <sys/param.h>
#ifdef INET6
#include <sys/socket.h>
#endif
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <stdio.h>
#include <syslog.h>

#ifndef IPOPT_OPTVAL
#define IPOPT_OPTVAL	0
#define IPOPT_OLEN	1
#endif

#include "tcpd.h"

#define BUFFER_SIZE	512		/* Was: BUFSIZ */

/* fix_options - get rid of IP-level socket options */

void
fix_options(request)
struct request_info *request;
{
#ifdef IP_OPTIONS
    unsigned char optbuf[BUFFER_SIZE / 3], *cp;
    char    lbuf[BUFFER_SIZE], *lp;
    int     optsize = sizeof(optbuf), ipproto;
    struct protoent *ip;
    int     fd = request->fd;
    unsigned int opt;
    int     optlen;
    struct in_addr dummy;
#ifdef INET6
    struct sockaddr_storage ss;
    int sslen;

/*
     * check if this is AF_INET socket
     * XXX IPv6 support?
     */
    sslen = sizeof(ss);
    if (getsockname(fd, (struct sockaddr *)&ss, &sslen) < 0) {
	syslog(LOG_ERR, "getpeername: %m");
	clean_exit(request);
    }
    if (ss.ss_family != AF_INET)
	return;
#endif

if ((ip = getprotobyname("ip")) != 0)
	ipproto = ip->p_proto;
    else
	ipproto = IPPROTO_IP;

if (getsockopt(fd, ipproto, IP_OPTIONS, (char *) optbuf, &optsize) == 0
	&& optsize != 0) {

/*
	 * Horror! 4.[34] BSD getsockopt() prepends the first-hop destination
	 * address to the result IP options list when source routing options
	 * are present (see <netinet/ip_var.h>), but produces no output for
	 * other IP options. Solaris 2.x getsockopt() does produce output for
	 * non-routing IP options, and uses the same format as BSD even when
	 * the space for the destination address is unused. The code below
	 * does the right thing with 4.[34]BSD derivatives and Solaris 2, but
	 * may occasionally miss source routing options on incompatible
	 * systems such as Linux. Their choice.
	 * 
	 * Look for source routing options. Drop the connection when one is
	 * found. Just wiping the IP options is insufficient: we would still
	 * help the attacker by providing a real TCP sequence number, and the
	 * attacker would still be able to send packets (blind spoofing). I
	 * discussed this attack with Niels Provos, half a year before the
	 * attack was described in open mailing lists.
	 * 
	 * It would be cleaner to just return a yes/no reply and let the caller
	 * decide how to deal with it. Resident servers should not terminate.
	 * However I am not prepared to make changes to internal interfaces
	 * on short notice.
	 */
#define ADDR_LEN sizeof(dummy.s_addr)

for (cp = optbuf + ADDR_LEN; cp < optbuf + optsize; cp += optlen) {
	    opt = cp[IPOPT_OPTVAL];
	    if (opt == IPOPT_LSRR || opt == IPOPT_SSRR) {
		syslog(LOG_WARNING,
		   "refused connect from %s with IP source routing options",
		       eval_client(request));
		shutdown(fd, 2);
		return;
	    }
	    if (opt == IPOPT_EOL)
		break;
	    if (opt == IPOPT_NOP) {
		optlen = 1;
	    } else {
		optlen = cp[IPOPT_OLEN];
		if (optlen <= 0)		/* Do not loop! */
		    break;
	    }
	}
	lp = lbuf;
	for (cp = optbuf; optsize > 0; cp++, optsize--, lp += 3)
	    sprintf(lp, " %2.2x", *cp);
	syslog(LOG_NOTICE,
	       "connect from %s with IP options (ignored):%s",
	       eval_client(request), lbuf);
	if (setsockopt(fd, ipproto, IP_OPTIONS, (char *) 0, optsize) != 0) {
	    syslog(LOG_ERR, "setsockopt IP_OPTIONS NULL: %m");
	    shutdown(fd, 2);
	}
    }
#endif
}

003 File Manager

Editing: fix_options.c

Upload File

Create Folder