Commit fb87e669 authored by Mark Andrews's avatar Mark Andrews
Browse files

Detect partial prefixes / incomplete IPv4 address in acls.

parent 67cb24b9
Pipeline #23162 passed with stages
in 39 minutes and 33 seconds
5301. [bug] Detect partial prefixes / incomplete IPv4 address in
acls. [GL #1143]
5300. [bug] dig/mdig/delv: Add a colon after EDNS option names,
even when the option is empty, to improve
readability and allow correct parsing of YAML
......
acl myacl {
127.1; /* Incomplete dotted IPv4 address / prefix */
};
acl myacl {
127.1/8; /* No-zero bits */
};
acl myacl {
127; /* Non-dotted quad IPv4 address (0.0.0.127) / prefix without length. */
};
......@@ -88,9 +88,10 @@
#define ISC_R_DISCQUOTA 66 /*%< disc quota */
#define ISC_R_DISCFULL 67 /*%< disc full */
#define ISC_R_DEFAULT 68 /*%< default */
#define ISC_R_IPV4PREFIX 69 /*%< IPv4 prefix */
/*% Not a result code: the number of results. */
#define ISC_R_NRESULTS 69
#define ISC_R_NRESULTS 70
ISC_LANG_BEGINDECLS
......
......@@ -100,6 +100,7 @@ static const char *description[ISC_R_NRESULTS] = {
"disc quota", /*%< 66 */
"disc full", /*%< 67 */
"default", /*%< 68 */
"IPv4 prefix", /*%< 69 */
};
static const char *identifier[ISC_R_NRESULTS] = {
......@@ -172,6 +173,7 @@ static const char *identifier[ISC_R_NRESULTS] = {
"ISC_R_DISCQUOTA",
"ISC_R_DISCFULL",
"ISC_R_DEFAULT",
"ISC_R_IPV4PREFIX",
};
#define ISC_RESULT_RESULTSET 2
......
......@@ -2618,7 +2618,7 @@ token_addr(cfg_parser_t *pctx, unsigned int flags, isc_netaddr_t *na) {
strlcat(buf, ".0", sizeof(buf));
if (inet_pton(AF_INET, buf, &in4a) == 1) {
isc_netaddr_fromin(na, &in4a);
return (ISC_R_SUCCESS);
return (ISC_R_IPV4PREFIX);
}
}
}
......@@ -2694,7 +2694,7 @@ cfg_lookingat_netaddr(cfg_parser_t *pctx, unsigned int flags) {
REQUIRE(pctx != NULL);
result = token_addr(pctx, flags, &na_dummy);
return (result == ISC_R_SUCCESS);
return (result == ISC_R_SUCCESS || result == ISC_R_IPV4PREFIX);
}
isc_result_t
......@@ -2858,14 +2858,18 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
isc_result_t result;
isc_netaddr_t netaddr;
unsigned int addrlen = 0, prefixlen;
bool expectprefix;
REQUIRE(pctx != NULL);
REQUIRE(ret != NULL && *ret == NULL);
UNUSED(type);
CHECK(cfg_parse_rawaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V4PREFIXOK |
CFG_ADDR_V6OK, &netaddr));
result = cfg_parse_rawaddr(pctx, CFG_ADDR_V4OK | CFG_ADDR_V4PREFIXOK |
CFG_ADDR_V6OK, &netaddr);
if (result != ISC_R_SUCCESS && result != ISC_R_IPV4PREFIX) {
CHECK(result);
}
switch (netaddr.family) {
case AF_INET:
addrlen = 32;
......@@ -2877,6 +2881,7 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
INSIST(0);
ISC_UNREACHABLE();
}
expectprefix = (result == ISC_R_IPV4PREFIX);
CHECK(cfg_peektoken(pctx, 0));
if (pctx->token.type == isc_tokentype_special &&
pctx->token.value.as_char == '/') {
......@@ -2884,16 +2889,30 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
CHECK(cfg_gettoken(pctx, ISC_LEXOPT_NUMBER));
if (pctx->token.type != isc_tokentype_number) {
cfg_parser_error(pctx, CFG_LOG_NEAR,
"expected prefix length");
"expected prefix length");
return (ISC_R_UNEXPECTEDTOKEN);
}
prefixlen = pctx->token.value.as_ulong;
if (prefixlen > addrlen) {
cfg_parser_error(pctx, CFG_LOG_NOPREP,
"invalid prefix length");
"invalid prefix length");
return (ISC_R_RANGE);
}
result = isc_netaddr_prefixok(&netaddr, prefixlen);
if (result != ISC_R_SUCCESS) {
char buf[ISC_NETADDR_FORMATSIZE + 1];
isc_netaddr_format(&netaddr, buf, sizeof(buf));
cfg_parser_error(pctx, CFG_LOG_NOPREP,
"'%s/%u': address/prefix length "
"mismatch", buf, prefixlen);
return (ISC_R_FAILURE);
}
} else {
if (expectprefix) {
cfg_parser_error(pctx, CFG_LOG_NEAR,
"incomplete IPv4 address or prefix");
return (ISC_R_FAILURE);
}
prefixlen = addrlen;
}
CHECK(cfg_create_obj(pctx, &cfg_type_netprefix, &obj));
......
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment