Commit d5af5bb3 authored by Mark Andrews's avatar Mark Andrews

1820. [bug] Gracefully handle acl loops. [RT #13659]

parent 24efdccd
...@@ -34,7 +34,7 @@ ...@@ -34,7 +34,7 @@
1821. [placeholder] 1821. [placeholder]
1820. [placeholder] rt13659 1820. [bug] Gracefully handle acl loops. [RT #13659]
1819. [bug] The validator needed to check both the algorithm and 1819. [bug] The validator needed to check both the algorithm and
digest types of the DS to determine if it could be digest types of the DS to determine if it could be
......
...@@ -15,7 +15,7 @@ ...@@ -15,7 +15,7 @@
* PERFORMANCE OF THIS SOFTWARE. * PERFORMANCE OF THIS SOFTWARE.
*/ */
/* $Id: aclconf.c,v 1.3 2005/01/12 01:56:12 marka Exp $ */ /* $Id: aclconf.c,v 1.4 2005/03/16 03:34:45 marka Exp $ */
#include <config.h> #include <config.h>
...@@ -30,6 +30,7 @@ ...@@ -30,6 +30,7 @@
#include <dns/fixedname.h> #include <dns/fixedname.h>
#include <dns/log.h> #include <dns/log.h>
#define LOOP_MAGIC ISC_MAGIC('L','O','O','P')
void void
cfg_aclconfctx_init(cfg_aclconfctx_t *ctx) { cfg_aclconfctx_init(cfg_aclconfctx_t *ctx) {
...@@ -81,6 +82,7 @@ convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx, ...@@ -81,6 +82,7 @@ convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
isc_result_t result; isc_result_t result;
cfg_obj_t *cacl = NULL; cfg_obj_t *cacl = NULL;
dns_acl_t *dacl; dns_acl_t *dacl;
dns_acl_t loop;
char *aclname = cfg_obj_asstring(nameobj); char *aclname = cfg_obj_asstring(nameobj);
/* Look for an already-converted version. */ /* Look for an already-converted version. */
...@@ -89,6 +91,11 @@ convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx, ...@@ -89,6 +91,11 @@ convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
dacl = ISC_LIST_NEXT(dacl, nextincache)) dacl = ISC_LIST_NEXT(dacl, nextincache))
{ {
if (strcasecmp(aclname, dacl->name) == 0) { if (strcasecmp(aclname, dacl->name) == 0) {
if (ISC_MAGIC_VALID(dacl, LOOP_MAGIC)) {
cfg_obj_log(nameobj, lctx, ISC_LOG_ERROR,
"acl loop detected: %s", aclname);
return (ISC_R_FAILURE);
}
dns_acl_attach(dacl, target); dns_acl_attach(dacl, target);
return (ISC_R_SUCCESS); return (ISC_R_SUCCESS);
} }
...@@ -100,7 +107,18 @@ convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx, ...@@ -100,7 +107,18 @@ convert_named_acl(cfg_obj_t *nameobj, cfg_obj_t *cctx,
"undefined ACL '%s'", aclname); "undefined ACL '%s'", aclname);
return (result); return (result);
} }
/*
* Add a loop detection element.
*/
memset(&loop, 0, sizeof(loop));
ISC_LINK_INIT(&loop, nextincache);
loop.name = aclname;
loop.magic = LOOP_MAGIC;
ISC_LIST_APPEND(ctx->named_acl_cache, &loop, nextincache);
result = cfg_acl_fromconfig(cacl, cctx, lctx, ctx, mctx, &dacl); result = cfg_acl_fromconfig(cacl, cctx, lctx, ctx, mctx, &dacl);
ISC_LIST_UNLINK(ctx->named_acl_cache, &loop, nextincache);
loop.magic = 0;
loop.name = NULL;
if (result != ISC_R_SUCCESS) if (result != ISC_R_SUCCESS)
return (result); return (result);
dacl->name = isc_mem_strdup(dacl->mctx, aclname); dacl->name = isc_mem_strdup(dacl->mctx, aclname);
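Review bot: The sentinel `loop` is a local of convert_named_acl, yet it is appended to `ctx->named_acl_cache`, a list that outlives this stack frame. The list is only safe because `ISC_LIST_UNLINK` runs before any return, and the code does not say so. In the visible lines the unlink does precede the `result != ISC_R_SUCCESS` check, so both exits are covered today. A later early return added between the append and the unlink would leave a dangling stack pointer in the cache. I would expand the comment to state the invariant, e.g. `/* Add a loop detection element. It lives on this stack frame, so it must be unlinked from ctx->named_acl_cache before any return below. */`. While `cfg_acl_fromconfig` runs, the cache also holds an entry whose magic is `LOOP_MAGIC` and whose other fields are zeroed, so any other code that walks the cache and assumes real ACLs would need to skip it; whether such walkers exist cannot be told from this hunk. The function starts and ends outside the hunks shown.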
......