Enhanced checks on incoming queries, check user exists and is active
This commit is contained in:
parent
bd1a8443d1
commit
78d324a6b4
|
@ -24,6 +24,7 @@ CHANGES:
|
||||||
This fixes #27.
|
This fixes #27.
|
||||||
- Downstream data is now fragmented, and the fragment size is auto-
|
- Downstream data is now fragmented, and the fragment size is auto-
|
||||||
probed after login. Fixes #7. It only took a few years :)
|
probed after login. Fixes #7. It only took a few years :)
|
||||||
|
- Enhanced the checks that validates incoming packets
|
||||||
|
|
||||||
2008-08-06: 0.4.2 "Opened Zone"
|
2008-08-06: 0.4.2 "Opened Zone"
|
||||||
- Applied a few small patches from Maxim Bourmistrov and Gregor Herrmann
|
- Applied a few small patches from Maxim Bourmistrov and Gregor Herrmann
|
||||||
|
|
|
@ -82,10 +82,22 @@ sigint(int sig)
|
||||||
}
|
}
|
||||||
|
|
||||||
static int
|
static int
|
||||||
ip_cmp(int userid, struct query *q)
|
check_user_and_ip(int userid, struct query *q)
|
||||||
{
|
{
|
||||||
struct sockaddr_in *tempin;
|
struct sockaddr_in *tempin;
|
||||||
|
|
||||||
|
if (userid < 0 || userid >= created_users ) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
if (!users[userid].active) {
|
||||||
|
return 1;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* return early if IP checking is disabled */
|
||||||
|
if (!check_ip) {
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
tempin = (struct sockaddr_in *) &(q->from);
|
tempin = (struct sockaddr_in *) &(q->from);
|
||||||
return memcmp(&(users[userid].host), &(tempin->sin_addr), sizeof(struct in_addr));
|
return memcmp(&(users[userid].host), &(tempin->sin_addr), sizeof(struct in_addr));
|
||||||
}
|
}
|
||||||
|
@ -307,16 +319,14 @@ handle_null_request(int tun_fd, int dns_fd, struct query *q, int domain_len)
|
||||||
read = unpack_data(unpacked, sizeof(unpacked), &(in[1]), domain_len - 1, b32);
|
read = unpack_data(unpacked, sizeof(unpacked), &(in[1]), domain_len - 1, b32);
|
||||||
/* Login phase, handle auth */
|
/* Login phase, handle auth */
|
||||||
userid = unpacked[0];
|
userid = unpacked[0];
|
||||||
if (userid < 0 || userid >= USERS) {
|
|
||||||
write_dns(dns_fd, q, "BADIP", 5);
|
|
||||||
return; /* illegal id */
|
|
||||||
}
|
|
||||||
users[userid].last_pkt = time(NULL);
|
|
||||||
login_calculate(logindata, 16, password, users[userid].seed);
|
|
||||||
|
|
||||||
if (check_ip && ip_cmp(userid, q) != 0) {
|
if (check_user_and_ip(userid, q) != 0) {
|
||||||
write_dns(dns_fd, q, "BADIP", 5);
|
write_dns(dns_fd, q, "BADIP", 5);
|
||||||
|
return;
|
||||||
} else {
|
} else {
|
||||||
|
users[userid].last_pkt = time(NULL);
|
||||||
|
login_calculate(logindata, 16, password, users[userid].seed);
|
||||||
|
|
||||||
if (read >= 18 && (memcmp(logindata, unpacked+1, 16) == 0)) {
|
if (read >= 18 && (memcmp(logindata, unpacked+1, 16) == 0)) {
|
||||||
/* Login ok, send ip/mtu/netmask info */
|
/* Login ok, send ip/mtu/netmask info */
|
||||||
|
|
||||||
|
@ -354,7 +364,7 @@ handle_null_request(int tun_fd, int dns_fd, struct query *q, int domain_len)
|
||||||
|
|
||||||
userid = b32_8to5(in[1]);
|
userid = b32_8to5(in[1]);
|
||||||
|
|
||||||
if (ip_cmp(userid, q) != 0) {
|
if (check_user_and_ip(userid, q) != 0) {
|
||||||
write_dns(dns_fd, q, "BADIP", 5);
|
write_dns(dns_fd, q, "BADIP", 5);
|
||||||
return; /* illegal id */
|
return; /* illegal id */
|
||||||
}
|
}
|
||||||
|
@ -382,7 +392,7 @@ handle_null_request(int tun_fd, int dns_fd, struct query *q, int domain_len)
|
||||||
|
|
||||||
/* Downstream fragsize probe packet */
|
/* Downstream fragsize probe packet */
|
||||||
userid = (b32_8to5(in[1]) >> 1) & 15;
|
userid = (b32_8to5(in[1]) >> 1) & 15;
|
||||||
if (userid < 0 || userid >= USERS || ip_cmp(userid, q) != 0) {
|
if (check_user_and_ip(userid, q) != 0) {
|
||||||
write_dns(dns_fd, q, "BADIP", 5);
|
write_dns(dns_fd, q, "BADIP", 5);
|
||||||
return; /* illegal id */
|
return; /* illegal id */
|
||||||
}
|
}
|
||||||
|
@ -405,7 +415,7 @@ handle_null_request(int tun_fd, int dns_fd, struct query *q, int domain_len)
|
||||||
read = unpack_data(unpacked, sizeof(unpacked), &(in[1]), domain_len - 1, b32);
|
read = unpack_data(unpacked, sizeof(unpacked), &(in[1]), domain_len - 1, b32);
|
||||||
/* Downstream fragsize packet */
|
/* Downstream fragsize packet */
|
||||||
userid = unpacked[0];
|
userid = unpacked[0];
|
||||||
if (userid < 0 || userid >= USERS || ip_cmp(userid, q) != 0) {
|
if (check_user_and_ip(userid, q) != 0) {
|
||||||
write_dns(dns_fd, q, "BADIP", 5);
|
write_dns(dns_fd, q, "BADIP", 5);
|
||||||
return; /* illegal id */
|
return; /* illegal id */
|
||||||
}
|
}
|
||||||
|
@ -425,7 +435,7 @@ handle_null_request(int tun_fd, int dns_fd, struct query *q, int domain_len)
|
||||||
read = unpack_data(unpacked, sizeof(unpacked), &(in[1]), domain_len - 1, b32);
|
read = unpack_data(unpacked, sizeof(unpacked), &(in[1]), domain_len - 1, b32);
|
||||||
/* Ping packet, store userid */
|
/* Ping packet, store userid */
|
||||||
userid = unpacked[0];
|
userid = unpacked[0];
|
||||||
if (userid < 0 || userid >= USERS || ip_cmp(userid, q) != 0) {
|
if (check_user_and_ip(userid, q) != 0) {
|
||||||
write_dns(dns_fd, q, "BADIP", 5);
|
write_dns(dns_fd, q, "BADIP", 5);
|
||||||
return; /* illegal id */
|
return; /* illegal id */
|
||||||
}
|
}
|
||||||
|
@ -457,13 +467,8 @@ handle_null_request(int tun_fd, int dns_fd, struct query *q, int domain_len)
|
||||||
code = in[0] - 'A' + 10;
|
code = in[0] - 'A' + 10;
|
||||||
|
|
||||||
userid = code;
|
userid = code;
|
||||||
if (userid < 0 || userid >= USERS) {
|
/* Check user and sending ip number */
|
||||||
write_dns(dns_fd, q, "BADIP", 5);
|
if (check_user_and_ip(userid, q) != 0) {
|
||||||
return; /* illegal id */
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Check sending ip number */
|
|
||||||
if (check_ip && ip_cmp(userid, q) != 0) {
|
|
||||||
write_dns(dns_fd, q, "BADIP", 5);
|
write_dns(dns_fd, q, "BADIP", 5);
|
||||||
} else {
|
} else {
|
||||||
/* Decode data header */
|
/* Decode data header */
|
||||||
|
|
Loading…
Reference in New Issue