Fix for a DoS attack:

[tinc] / src / netutl.c

diff --git a/src/netutl.c b/src/netutl.c
index 1d07daa..5b4badf 100644 (file)
--- a/src/netutl.c
+++ b/src/netutl.c
@@ -1,6 +1,6 @@
 /*
     netutl.c -- some supporting network utility code
-    Copyright (C) 1998,99 Ivo Timmermans <zarq@iname.com>
+    Copyright (C) 1998,1999,2000 Ivo Timmermans <zarq@iname.com>
 
     This program is free software; you can redistribute it and/or modify
     it under the terms of the GNU General Public License as published by
@@ -37,20 +37,21 @@
 
 /*
   look for a connection associated with the given vpn ip,
-  return its connection structure
+  return its connection structure.
+  Skips connections that are not activated!
 */
 conn_list_t *lookup_conn(ip_t ip)
 {
   conn_list_t *p = conn_list;
-
+cp
   /* Exact match suggested by James B. MacLean */
   for(p = conn_list; p != NULL; p = p->next)
-    if(ip  == p->vpn_ip)
+    if((ip  == p->vpn_ip) && p->active)
       return p;
   for(p = conn_list; p != NULL; p = p->next)
-    if((ip & p->vpn_mask) == (p->vpn_ip & p->vpn_mask))
+    if(((ip & p->vpn_mask) == (p->vpn_ip & p->vpn_mask)) && p->active)
       return p;
-
+cp
   return NULL;
 }
 
@@ -60,7 +61,7 @@ conn_list_t *lookup_conn(ip_t ip)
 void destroy_queue(packet_queue_t *pq)
 {
   queue_element_t *p, *q;
-
+cp
   for(p = pq->head; p != NULL; p = q)
     {
       q = p->next;
@@ -70,6 +71,7 @@ void destroy_queue(packet_queue_t *pq)
     }
 
   free(pq);
+cp
 }
 
 /*
@@ -77,10 +79,9 @@ void destroy_queue(packet_queue_t *pq)
 */
 void free_conn_element(conn_list_t *p)
 {
+cp
   if(p->hostname)
     free(p->hostname);
-  if(p->pp)
-    free(p->pp);
   if(p->sq)
     destroy_queue(p->sq);
   if(p->rq)
@@ -88,6 +89,7 @@ void free_conn_element(conn_list_t *p)
   free_key(p->public_key);
   free_key(p->key);
   free(p);
+cp
 }
 
 /*
@@ -96,7 +98,7 @@ void free_conn_element(conn_list_t *p)
 void prune_conn_list(void)
 {
   conn_list_t *p, *prev = NULL, *next = NULL;
-
+cp
   for(p = conn_list; p != NULL; )
     {
       next = p->next;
@@ -115,6 +117,7 @@ void prune_conn_list(void)
 
       p = next;
     }
+cp
 }
 
 /*
@@ -122,11 +125,15 @@ void prune_conn_list(void)
 */
 conn_list_t *new_conn_list(void)
 {
-  conn_list_t *p = xmalloc(sizeof(conn_list_t));
-
+  conn_list_t *p = xmalloc(sizeof(*p));
+cp
   /* initialise all those stupid pointers at once */
-  memset(p, '\0', sizeof(conn_list_t));
+  memset(p, '\0', sizeof(*p));
+  p->vpn_mask = (ip_t)(~0L); /* If this isn't done, it would be a
+                                wastebucket for all packets with
+                                unknown destination. */
   p->nexthop = p;
+cp
   return p;
 }
 
@@ -137,16 +144,15 @@ void destroy_conn_list(void)
 {
   conn_list_t *p, *next;
 cp
-
   for(p = conn_list; p != NULL; )
     {
       next = p->next;
       free_conn_element(p);
       p = next;
     }
-cp
 
   conn_list = NULL;
+cp
 }
 
 /*
@@ -158,7 +164,7 @@ char *hostlookup(unsigned long addr)
   char *name;
   struct hostent *host = NULL;
   struct in_addr in;
-
+cp
   in.s_addr = addr;
 
   host = gethostbyaddr((char *)&in, sizeof(in), AF_INET);
@@ -173,7 +179,7 @@ char *hostlookup(unsigned long addr)
       name = xmalloc(20);
       sprintf(name, "%s", inet_ntoa(in));
     }
-
+cp
   return name;
 }
 
@@ -187,7 +193,7 @@ ip_mask_t *strtoip(char *str)
   int masker;
   char *q, *p;
   struct hostent *h;
-
+cp
   p = str;
   if((q = strchr(p, '/')))
     {
@@ -209,18 +215,18 @@ ip_mask_t *strtoip(char *str)
        return NULL;
     }
 
-  ip = xmalloc(sizeof(ip_mask_t));
+  ip = xmalloc(sizeof(*ip));
   ip->ip = ntohl(*((ip_t*)(h->h_addr_list[0])));
 
   ip->mask = masker ? ~((1 << (32 - masker)) - 1) : 0;
-
+cp
   return ip;
 }
 
 void dump_conn_list(void)
 {
   conn_list_t *p;
-
+cp
   syslog(LOG_DEBUG, "Connection list:");
 
   for(p = conn_list; p != NULL; p = p->next)
@@ -229,4 +235,5 @@ void dump_conn_list(void)
             IP_ADDR_V(p->vpn_ip), IP_ADDR_V(p->vpn_mask), p->status,
             p->socket, p->meta_socket);
     }
+cp
 }