Annotation of embedaddon/rsync/clientname.c, revision 1.1.1.1
1.1 misho 1: /*
2: * Functions for looking up the remote name or addr of a socket.
3: *
4: * Copyright (C) 1992-2001 Andrew Tridgell <tridge@samba.org>
5: * Copyright (C) 2001, 2002 Martin Pool <mbp@samba.org>
6: * Copyright (C) 2002-2009 Wayne Davison
7: *
8: * This program is free software; you can redistribute it and/or modify
9: * it under the terms of the GNU General Public License as published by
10: * the Free Software Foundation; either version 3 of the License, or
11: * (at your option) any later version.
12: *
13: * This program is distributed in the hope that it will be useful,
14: * but WITHOUT ANY WARRANTY; without even the implied warranty of
15: * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
16: * GNU General Public License for more details.
17: *
18: * You should have received a copy of the GNU General Public License along
19: * with this program; if not, visit the http://fsf.org website.
20: */
21:
22: /*
23: * This file is now converted to use the new-style getaddrinfo()
24: * interface, which supports IPv6 but is also supported on recent
25: * IPv4-only machines. On systems that don't have that interface, we
26: * emulate it using the KAME implementation.
27: */
28:
29: #include "rsync.h"
30:
31: static const char default_name[] = "UNKNOWN";
32: extern int am_server;
33:
34:
35: /**
36: * Return the IP addr of the client as a string
37: **/
38: char *client_addr(int fd)
39: {
40: static char addr_buf[100];
41: static int initialised;
42: struct sockaddr_storage ss;
43: socklen_t length = sizeof ss;
44: char *ssh_info, *p;
45:
46: if (initialised)
47: return addr_buf;
48:
49: initialised = 1;
50:
51: if (am_server) { /* daemon over --rsh mode */
52: strlcpy(addr_buf, "0.0.0.0", sizeof addr_buf);
53: if ((ssh_info = getenv("SSH_CONNECTION")) != NULL
54: || (ssh_info = getenv("SSH_CLIENT")) != NULL
55: || (ssh_info = getenv("SSH2_CLIENT")) != NULL) {
56: strlcpy(addr_buf, ssh_info, sizeof addr_buf);
57: /* Truncate the value to just the IP address. */
58: if ((p = strchr(addr_buf, ' ')) != NULL)
59: *p = '\0';
60: }
61: } else {
62: client_sockaddr(fd, &ss, &length);
63: getnameinfo((struct sockaddr *)&ss, length,
64: addr_buf, sizeof addr_buf, NULL, 0, NI_NUMERICHOST);
65: }
66:
67: return addr_buf;
68: }
69:
70:
71: static int get_sockaddr_family(const struct sockaddr_storage *ss)
72: {
73: return ((struct sockaddr *) ss)->sa_family;
74: }
75:
76:
77: /**
78: * Return the DNS name of the client.
79: *
80: * The name is statically cached so that repeated lookups are quick,
81: * so there is a limit of one lookup per customer.
82: *
83: * If anything goes wrong, including the name->addr->name check, then
84: * we just use "UNKNOWN", so you can use that value in hosts allow
85: * lines.
86: *
87: * After translation from sockaddr to name we do a forward lookup to
88: * make sure nobody is spoofing PTR records.
89: **/
90: char *client_name(int fd)
91: {
92: static char name_buf[100];
93: static char port_buf[100];
94: static int initialised;
95: struct sockaddr_storage ss;
96: socklen_t ss_len;
97:
98: if (initialised)
99: return name_buf;
100:
101: strlcpy(name_buf, default_name, sizeof name_buf);
102: initialised = 1;
103:
104: memset(&ss, 0, sizeof ss);
105:
106: if (am_server) { /* daemon over --rsh mode */
107: char *addr = client_addr(fd);
108: struct addrinfo hint, *answer;
109: int err;
110:
111: if (strcmp(addr, "0.0.0.0") == 0)
112: return name_buf;
113:
114: memset(&hint, 0, sizeof hint);
115:
116: #ifdef AI_NUMERICHOST
117: hint.ai_flags = AI_NUMERICHOST;
118: #endif
119: hint.ai_socktype = SOCK_STREAM;
120:
121: if ((err = getaddrinfo(addr, NULL, &hint, &answer)) != 0) {
122: rprintf(FLOG, "malformed address %s: %s\n",
123: addr, gai_strerror(err));
124: return name_buf;
125: }
126:
127: switch (answer->ai_family) {
128: case AF_INET:
129: ss_len = sizeof (struct sockaddr_in);
130: memcpy(&ss, answer->ai_addr, ss_len);
131: break;
132: #ifdef INET6
133: case AF_INET6:
134: ss_len = sizeof (struct sockaddr_in6);
135: memcpy(&ss, answer->ai_addr, ss_len);
136: break;
137: #endif
138: default:
139: exit_cleanup(RERR_SOCKETIO);
140: }
141: freeaddrinfo(answer);
142: } else {
143: ss_len = sizeof ss;
144: client_sockaddr(fd, &ss, &ss_len);
145: }
146:
147: if (lookup_name(fd, &ss, ss_len, name_buf, sizeof name_buf,
148: port_buf, sizeof port_buf) == 0)
149: check_name(fd, &ss, name_buf, sizeof name_buf);
150:
151: return name_buf;
152: }
153:
154:
155:
156: /**
157: * Get the sockaddr for the client.
158: *
159: * If it comes in as an ipv4 address mapped into IPv6 format then we
160: * convert it back to a regular IPv4.
161: **/
162: void client_sockaddr(int fd,
163: struct sockaddr_storage *ss,
164: socklen_t *ss_len)
165: {
166: memset(ss, 0, sizeof *ss);
167:
168: if (getpeername(fd, (struct sockaddr *) ss, ss_len)) {
169: /* FIXME: Can we really not continue? */
170: rsyserr(FLOG, errno, "getpeername on fd%d failed", fd);
171: exit_cleanup(RERR_SOCKETIO);
172: }
173:
174: #ifdef INET6
175: if (get_sockaddr_family(ss) == AF_INET6 &&
176: IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)ss)->sin6_addr)) {
177: /* OK, so ss is in the IPv6 family, but it is really
178: * an IPv4 address: something like
179: * "::ffff:10.130.1.2". If we use it as-is, then the
180: * reverse lookup might fail or perhaps something else
181: * bad might happen. So instead we convert it to an
182: * equivalent address in the IPv4 address family. */
183: struct sockaddr_in6 sin6;
184: struct sockaddr_in *sin;
185:
186: memcpy(&sin6, ss, sizeof sin6);
187: sin = (struct sockaddr_in *)ss;
188: memset(sin, 0, sizeof *sin);
189: sin->sin_family = AF_INET;
190: *ss_len = sizeof (struct sockaddr_in);
191: #ifdef HAVE_SOCKADDR_IN_LEN
192: sin->sin_len = *ss_len;
193: #endif
194: sin->sin_port = sin6.sin6_port;
195:
196: /* There is a macro to extract the mapped part
197: * (IN6_V4MAPPED_TO_SINADDR ?), but it does not seem
198: * to be present in the Linux headers. */
199: memcpy(&sin->sin_addr, &sin6.sin6_addr.s6_addr[12],
200: sizeof sin->sin_addr);
201: }
202: #endif
203: }
204:
205:
206: /**
207: * Look up a name from @p ss into @p name_buf.
208: *
209: * @param fd file descriptor for client socket.
210: **/
211: int lookup_name(int fd, const struct sockaddr_storage *ss,
212: socklen_t ss_len,
213: char *name_buf, size_t name_buf_size,
214: char *port_buf, size_t port_buf_size)
215: {
216: int name_err;
217:
218: /* reverse lookup */
219: name_err = getnameinfo((struct sockaddr *) ss, ss_len,
220: name_buf, name_buf_size,
221: port_buf, port_buf_size,
222: NI_NAMEREQD | NI_NUMERICSERV);
223: if (name_err != 0) {
224: strlcpy(name_buf, default_name, name_buf_size);
225: rprintf(FLOG, "name lookup failed for %s: %s\n",
226: client_addr(fd), gai_strerror(name_err));
227: return name_err;
228: }
229:
230: return 0;
231: }
232:
233:
234:
235: /**
236: * Compare an addrinfo from the resolver to a sockinfo.
237: *
238: * Like strcmp, returns 0 for identical.
239: **/
240: int compare_addrinfo_sockaddr(const struct addrinfo *ai,
241: const struct sockaddr_storage *ss)
242: {
243: int ss_family = get_sockaddr_family(ss);
244: const char fn[] = "compare_addrinfo_sockaddr";
245:
246: if (ai->ai_family != ss_family) {
247: rprintf(FLOG, "%s: response family %d != %d\n",
248: fn, ai->ai_family, ss_family);
249: return 1;
250: }
251:
252: /* The comparison method depends on the particular AF. */
253: if (ss_family == AF_INET) {
254: const struct sockaddr_in *sin1, *sin2;
255:
256: sin1 = (const struct sockaddr_in *) ss;
257: sin2 = (const struct sockaddr_in *) ai->ai_addr;
258:
259: return memcmp(&sin1->sin_addr, &sin2->sin_addr,
260: sizeof sin1->sin_addr);
261: }
262:
263: #ifdef INET6
264: if (ss_family == AF_INET6) {
265: const struct sockaddr_in6 *sin1, *sin2;
266:
267: sin1 = (const struct sockaddr_in6 *) ss;
268: sin2 = (const struct sockaddr_in6 *) ai->ai_addr;
269:
270: if (ai->ai_addrlen < sizeof (struct sockaddr_in6)) {
271: rprintf(FLOG, "%s: too short sockaddr_in6; length=%d\n",
272: fn, (int)ai->ai_addrlen);
273: return 1;
274: }
275:
276: if (memcmp(&sin1->sin6_addr, &sin2->sin6_addr,
277: sizeof sin1->sin6_addr))
278: return 1;
279:
280: #ifdef HAVE_SOCKADDR_IN6_SCOPE_ID
281: if (sin1->sin6_scope_id != sin2->sin6_scope_id)
282: return 1;
283: #endif
284: return 0;
285: }
286: #endif /* INET6 */
287:
288: /* don't know */
289: return 1;
290: }
291:
292:
293: /**
294: * Do a forward lookup on @p name_buf and make sure it corresponds to
295: * @p ss -- otherwise we may be being spoofed. If we suspect we are,
296: * then we don't abort the connection but just emit a warning, and
297: * change @p name_buf to be "UNKNOWN".
298: *
299: * We don't do anything with the service when checking the name,
300: * because it doesn't seem that it could be spoofed in any way, and
301: * getaddrinfo on random service names seems to cause problems on AIX.
302: **/
303: int check_name(int fd,
304: const struct sockaddr_storage *ss,
305: char *name_buf, size_t name_buf_size)
306: {
307: struct addrinfo hints, *res, *res0;
308: int error;
309: int ss_family = get_sockaddr_family(ss);
310:
311: memset(&hints, 0, sizeof hints);
312: hints.ai_family = ss_family;
313: hints.ai_flags = AI_CANONNAME;
314: hints.ai_socktype = SOCK_STREAM;
315: error = getaddrinfo(name_buf, NULL, &hints, &res0);
316: if (error) {
317: rprintf(FLOG, "forward name lookup for %s failed: %s\n",
318: name_buf, gai_strerror(error));
319: strlcpy(name_buf, default_name, name_buf_size);
320: return error;
321: }
322:
323: /* Given all these results, we expect that one of them will be
324: * the same as ss. The comparison is a bit complicated. */
325: for (res = res0; res; res = res->ai_next) {
326: if (!compare_addrinfo_sockaddr(res, ss))
327: break; /* OK, identical */
328: }
329:
330: if (!res0) {
331: /* We hit the end of the list without finding an
332: * address that was the same as ss. */
333: rprintf(FLOG, "no known address for \"%s\": "
334: "spoofed address?\n", name_buf);
335: strlcpy(name_buf, default_name, name_buf_size);
336: } else if (res == NULL) {
337: /* We hit the end of the list without finding an
338: * address that was the same as ss. */
339: rprintf(FLOG, "%s is not a known address for \"%s\": "
340: "spoofed address?\n", client_addr(fd), name_buf);
341: strlcpy(name_buf, default_name, name_buf_size);
342: }
343:
344: freeaddrinfo(res0);
345: return 0;
346: }
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to clientname.c CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / rsync