Commit d5af5bb3 authored by Mark Andrews's avatar Mark Andrews
Browse files

1820. [bug] Gracefully handle acl loops. [RT #13659]

parent 24efdccd
......@@ -34,7 +34,7 @@
1821. [placeholder]
1820. [placeholder] rt13659
1820. [bug] Gracefully handle acl loops. [RT #13659]
1819. [bug] The validator needed to check both the algorithm and
digest types of the DS to determine if it could be
......
......@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE.
*/
/* $Id: aclconf.c,v 1.3 2005/01/12 01:56:12 marka Exp $ */
/* $Id: aclconf.c,v 1.4 2005/03/16 03:34:45 marka Exp $ */
#include <config.h>
......@@ -30,6 +30,7 @@
#include <dns/fixedname.h>
#include <dns/log.h>
#define LOOP_MAGIC ISC_MAGIC('L','O','O','P')
void
cfg_aclconfctx_init(cfg_aclconfctx_t *ctx) {
......@@ -81,6 +82,7 @@ convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
isc_result_t result;
cfg_obj_t *cacl = NULL;
dns_acl_t *dacl;
dns_acl_t loop;
char *aclname = cfg_obj_asstring(nameobj);
/* Look for an already-converted version. */
......@@ -89,6 +91,11 @@ convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
dacl = ISC_LIST_NEXT(dacl, nextincache))
{
if (strcasecmp(aclname, dacl->name) == 0) {
if (ISC_MAGIC_VALID(dacl, LOOP_MAGIC)) {
cfg_obj_log(nameobj, lctx, ISC_LOG_ERROR,
"acl loop detected: %s", aclname);
return (ISC_R_FAILURE);
}
dns_acl_attach(dacl, target);
return (ISC_R_SUCCESS);
}
......@@ -100,7 +107,18 @@ convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
"undefined ACL '%s'", aclname);
return (result);
}
/*
* Add a loop detection element.
*/
memset(&loop, 0, sizeof(loop));
ISC_LINK_INIT(&loop, nextincache);
loop.name = aclname;
loop.magic = LOOP_MAGIC;
ISC_LIST_APPEND(ctx->named_acl_cache, &loop, nextincache);
result = cfg_acl_fromconfig(cacl, cctx, lctx, ctx, mctx, &dacl);
ISC_LIST_UNLINK(ctx->named_acl_cache, &loop, nextincache);
loop.magic = 0;
loop.name = NULL;
if (result != ISC_R_SUCCESS)
return (result);
dacl->name = isc_mem_strdup(dacl->mctx, aclname);
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment