X-Git-Url: https://mattmccutchen.net/rsync/rsync.git/blobdiff_plain/f8be7d42193dd3a0c4327d928e60f382a2c2ea8b..9a5a86734fdebb816d81b3276a82b8befc65a740:/socket.c diff --git a/socket.c b/socket.c index bf69c0be..137d4800 100644 --- a/socket.c +++ b/socket.c @@ -1,7 +1,9 @@ /* -*- c-file-style: "linux" -*- + rsync -- fast file replication program + Copyright (C) 1992-2001 by Andrew Tridgell - Copyright (C) 2001 by Martin Pool + Copyright (C) 2001, 2002 by Martin Pool This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by @@ -22,10 +24,25 @@ * @file socket.c * * Socket functions used in rsync. + * + * This file is now converted to use the new-style getaddrinfo() + * interface, which supports IPv6 but is also supported on recent + * IPv4-only machines. On systems that don't have that interface, we + * emulate it using the KAME implementation. **/ #include "rsync.h" +static int lookup_name(const struct sockaddr_storage *ss, + socklen_t ss_len, + char *name_buf, size_t name_buf_len, + char *port_buf, size_t port_buf_len); + +static int check_name(const struct sockaddr_storage *ss, + socklen_t ss_len, + const char *name_buf, + const char *port_buf); + /* Establish a proxy connection on an open socket to a web roxy by * using the CONNECT method. */ static int establish_proxy_connection(int fd, char *host, int port) @@ -105,14 +122,14 @@ int try_bind_local(int s, bhints.ai_family = ai_family; bhints.ai_socktype = ai_socktype; bhints.ai_flags = AI_PASSIVE; - if (getaddrinfo(bind_address, NULL, &bhints, &bres_all) == -1) { + if ((error = getaddrinfo(bind_address, NULL, &bhints, &bres_all))) { rprintf(FERROR, RSYNC_NAME ": getaddrinfo %s: %s\n", bind_address, gai_strerror(error)); return -1; } for (r = bres_all; r; r = r->ai_next) { - if (bind(s, bres->ai_addr, bres->ai_addrlen) == -1) + if (bind(s, r->ai_addr, r->ai_addrlen) == -1) continue; return s; } @@ -150,7 +167,6 @@ int open_socket_out(char *host, int port, const char *bind_address, int type = SOCK_STREAM; int error; int s; - int result; struct addrinfo hints, *res0, *res; char portbuf[10]; char *h; @@ -382,7 +398,7 @@ void start_accept_loop(int port, int (*fn)(int )) fd_set fds; int fd; struct sockaddr_storage addr; - int addrlen = sizeof(addr); + socklen_t addrlen = sizeof addr; /* close log file before the potentially very long select so file can be trimmed by another process instead of growing @@ -565,7 +581,7 @@ void become_daemon(void) char *client_addr(int fd) { struct sockaddr_storage ss; - int length = sizeof(ss); + socklen_t length = sizeof ss; static char addr_buf[100]; static int initialised; @@ -590,96 +606,140 @@ static int get_sockaddr_family(const struct sockaddr_storage *ss) /** - * Return the DNS name of the client + * Return the DNS name of the client. + * + * The name is statically cached so that repeated lookups are quick, + * so there is a limit of one lookup per customer. **/ char *client_name(int fd) { struct sockaddr_storage ss; - int length = sizeof(ss); + socklen_t ss_len = sizeof ss; static char name_buf[100]; static char port_buf[100]; - char *def = "UNKNOWN"; static int initialised; - struct addrinfo hints, *res, *res0; - int error; if (initialised) return name_buf; initialised = 1; - strcpy(name_buf,def); - - if (getpeername(fd, (struct sockaddr *)&ss, &length)) { + if (getpeername(fd, (struct sockaddr *)&ss, &ss_len)) { /* FIXME: Can we really not continue? */ rprintf(FERROR, RSYNC_NAME ": getpeername on fd%d failed: %s\n", fd, strerror(errno)); exit_cleanup(RERR_SOCKETIO); } + if (!lookup_name(&ss, ss_len, name_buf, sizeof name_buf, port_buf, sizeof port_buf)) + check_name(&ss, ss_len, name_buf, port_buf); + + return name_buf; +} + + +/** + * Look up a name from @p ss into @p name_buf. + **/ +static int lookup_name(const struct sockaddr_storage *ss, + socklen_t ss_len, + char *name_buf, size_t name_buf_len, + char *port_buf, size_t port_buf_len) +{ + int name_err; + const char *def = "UNKNOWN"; + #ifdef INET6 - if (get_sockaddr_family(&ss) == AF_INET6 && - IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)&ss)->sin6_addr)) { + if (get_sockaddr_family(ss) == AF_INET6 && + IN6_IS_ADDR_V4MAPPED(&((struct sockaddr_in6 *)ss)->sin6_addr)) { + /* OK, so ss is in the IPv6 family, but it is really + * an IPv4 address: something like + * "::ffff:10.130.1.2". If we use it as-is, then the + * reverse lookup might fail or perhaps something else + * bad might happen. So instead we convert it to an + * equivalent address in the IPv4 address family. */ struct sockaddr_in6 sin6; struct sockaddr_in *sin; - memcpy(&sin6, &ss, sizeof(sin6)); - sin = (struct sockaddr_in *)&ss; + memcpy(&sin6, ss, sizeof(sin6)); + sin = (struct sockaddr_in *)ss; memset(sin, 0, sizeof(*sin)); sin->sin_family = AF_INET; - length = sizeof(struct sockaddr_in); + ss_len = sizeof(struct sockaddr_in); #ifdef HAVE_SOCKADDR_LEN - sin->sin_len = length; + sin->sin_len = ss_len; #endif sin->sin_port = sin6.sin6_port; + /* FIXME: Isn't there a macro we can use here rather + * than grovelling through the struct? It might be + * wrong on some systems. */ memcpy(&sin->sin_addr, &sin6.sin6_addr.s6_addr[12], sizeof(sin->sin_addr)); } #endif /* reverse lookup */ - if (getnameinfo((struct sockaddr *)&ss, length, - name_buf, sizeof(name_buf), port_buf, sizeof(port_buf), - NI_NAMEREQD | NI_NUMERICSERV) != 0) { + if (!(name_err = getnameinfo((struct sockaddr *) ss, ss_len, + name_buf, name_buf_len, + port_buf, port_buf_len, + NI_NAMEREQD | NI_NUMERICSERV))) { strcpy(name_buf, def); - rprintf(FERROR, "reverse name lookup failed\n"); + rprintf(FERROR, RSYNC_NAME ": reverse name lookup failed: %s\n", + gai_strerror(name_err)); + return name_err; } - /* forward lookup */ + return 0; +} + + + +/* Do a forward lookup on name_buf and make sure it corresponds to ss + * -- otherwise we may be being spoofed. If we suspect we are, then + * we don't abort the connection but just emit a warning. */ +static int check_name(const struct sockaddr_storage *ss, + socklen_t ss_len, + const char *name_buf, + const char *port_buf) +{ + struct addrinfo hints, *res, *res0; + int error; + memset(&hints, 0, sizeof(hints)); hints.ai_family = PF_UNSPEC; hints.ai_flags = AI_CANONNAME; hints.ai_socktype = SOCK_STREAM; error = getaddrinfo(name_buf, port_buf, &hints, &res0); if (error) { - strcpy(name_buf, def); + /* We still use the name found by the reverse lookup, + * but emit a warning. */ rprintf(FERROR, - RSYNC_NAME ": forward name lookup for %s failed: %s\n", - port_buf, + RSYNC_NAME ": forward name lookup for %s:%s failed: %s\n", + name_buf, port_buf, gai_strerror(error)); - return name_buf; + return error; } - /* XXX sin6_flowinfo and other fields */ + + /* We expect that one of the results will be the same as ss. */ for (res = res0; res; res = res->ai_next) { - if (res->ai_family != get_sockaddr_family(&ss)) + if (res->ai_family != get_sockaddr_family(ss)) continue; - if (res->ai_addrlen != length) + if (res->ai_addrlen != ss_len) continue; - if (memcmp(res->ai_addr, &ss, res->ai_addrlen) == 0) + if (memcmp(res->ai_addr, ss, res->ai_addrlen) == 0) break; } - /* TODO: Do a forward lookup as well to prevent spoofing */ - if (res == NULL) { - strcpy(name_buf, def); - rprintf(FERROR, RSYNC_NAME ": " - "reverse name lookup mismatch on fd%d - spoofed address?\n", - fd); + /* We hit the end of the list without finding an + * address that was the same as ss. */ + rprintf(FERROR, RSYNC_NAME + ": no address record for \"%s\" corresponds to peer name: spoofed address?\n", + name_buf); } freeaddrinfo(res0); - return name_buf; + return 0; }