Commit 24d15905 authored by Thomas Markwalder's avatar Thomas Markwalder

[v4_1_esv] Added subnet address validation checks

    Merges in rt32453.
parent 7b709fa9
......@@ -79,6 +79,11 @@ by Eric Young (eay@cryptsoft.com).
- Server now supports a failover split value of 256.
[ISC-Bugs] #36664]
- Added checks in range6 and prefix6 statement parsing to ensure addresses
are within the declared. Thanks to Jiri Popelka at Red Hat for the bug
report and patch.
[ISC-Bugs #32453]
Changes since 4.1-ESV-R10rc1
- None
......
......@@ -3775,6 +3775,14 @@ parse_address_range6(struct parse *cfile, struct group *group) {
return;
}
/* Make sure starting address is within the subnet */
if (!addr_eq(group->subnet->net,
subnet_number(lo, group->subnet->netmask))) {
parse_warn(cfile, "range6 start address is outside the subnet");
skip_to_semi(cfile);
return;
}
/*
* See if we we're using range or CIDR notation or TEMPORARY
*/
......@@ -3796,12 +3804,17 @@ parse_address_range6(struct parse *cfile, struct group *group) {
skip_to_semi(cfile);
return;
}
if (bits < group->subnet->prefix_len) {
parse_warn(cfile,
"network mask smaller than subnet mask");
skip_to_semi(cfile);
return;
}
if (!is_cidr_mask_valid(&lo, bits)) {
parse_warn(cfile, "network mask too short");
skip_to_semi(cfile);
return;
}
/*
* can be temporary (RFC 4941 like)
*/
......@@ -3842,6 +3855,15 @@ parse_address_range6(struct parse *cfile, struct group *group) {
return;
}
/* Make sure ending address is within the subnet */
if (!addr_eq(group->subnet->net,
subnet_number(hi, group->subnet->netmask))) {
parse_warn(cfile,
"range6 end address is outside the subnet");
skip_to_semi(cfile);
return;
}
/*
* Convert our range to a set of CIDR networks.
*/
......@@ -3895,10 +3917,29 @@ parse_prefix6(struct parse *cfile, struct group *group) {
if (!parse_ip6_addr(cfile, &lo)) {
return;
}
/* Make sure starting prefix is within the subnet */
if (!addr_eq(group->subnet->net,
subnet_number(lo, group->subnet->netmask))) {
parse_warn(cfile, "prefix6 start prefix"
" is outside the subnet");
skip_to_semi(cfile);
return;
}
if (!parse_ip6_addr(cfile, &hi)) {
return;
}
/* Make sure ending prefix is within the subnet */
if (!addr_eq(group->subnet->net,
subnet_number(hi, group->subnet->netmask))) {
parse_warn(cfile, "prefix6 end prefix"
" is outside the subnet");
skip_to_semi(cfile);
return;
}
/*
* Next is '/' number ';'.
*/
......@@ -3921,9 +3962,15 @@ parse_prefix6(struct parse *cfile, struct group *group) {
parse_warn(cfile, "networks have 0 to 128 bits (exclusive)");
return;
}
if (bits < group->subnet->prefix_len) {
parse_warn(cfile, "network mask smaller than subnet mask");
skip_to_semi(cfile);
return;
}
if (!is_cidr_mask_valid(&lo, bits) ||
!is_cidr_mask_valid(&hi, bits)) {
parse_warn(cfile, "network mask too short");
skip_to_semi(cfile);
return;
}
token = next_token(NULL, NULL, cfile);
......
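Review bot: The in-subnet test is written out four times with four differently worded messages (range6 start and end in the first and third hunks, prefix6 start and end in the fourth), which invites the copies to drift; a file-scope helper such as `static int addr_in_subnet(struct subnet *s, struct iaddr a) { return addr_eq(s->net, subnet_number(a, s->netmask)); }` would let every site read `if (!addr_in_subnet(group->subnet, lo)) {` and keep one definition of "inside the subnet". Each new check dereferences `group->subnet` unconditionally; if the range6/prefix6 callers already guarantee it is non-NULL, a precondition comment on both functions, `/* caller guarantees group->subnet != NULL */`, would make that contract visible at the point it is relied on, and if they do not, it needs a guard rather than a crash. The message `"network mask smaller than subnet mask"` in the second and fifth hunks is ambiguous to an operator, since `bits < group->subnet->prefix_len` means the declared block is larger than the subnet; `"prefix length is shorter than the subnet's prefix length"` states the condition directly. Both parse_address_range6 and parse_prefix6 begin and end outside the hunks shown.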