[BB#90]: Fix bug in ACL netmask generation
Thanks to John Horne who diagnosed this issue and found the problem.
This commit is contained in:
Mukund Sivaraman
parent
95a6f8259c
commit
1db982793d
25
src/acl.c
25
src/acl.c
@ -66,8 +66,8 @@ struct acl_s {
|
|||||||
*
|
*
|
||||||
*/
|
*/
|
||||||
static int
|
static int
|
||||||
fill_netmask_array (char *bitmask_string, unsigned char array[],
|
fill_netmask_array (char *bitmask_string, int v6,
|
||||||
size_t len)
|
unsigned char array[], size_t len)
|
||||||
{
|
{
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
unsigned long int mask;
|
unsigned long int mask;
|
||||||
@ -81,7 +81,14 @@ fill_netmask_array (char *bitmask_string, unsigned char array[],
|
|||||||
|| (errno != 0 && mask == 0) || (endptr == bitmask_string))
|
|| (errno != 0 && mask == 0) || (endptr == bitmask_string))
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
/* valid range for a bit mask */
|
if (v6 == 0) {
|
||||||
|
/* The mask comparison is done as an IPv6 address, so
|
||||||
|
* convert to a longer mask in the case of IPv4
|
||||||
|
* addresses. */
|
||||||
|
mask += 12 * 8;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* check valid range for a bit mask */
|
||||||
if (mask > (8 * len))
|
if (mask > (8 * len))
|
||||||
return -1;
|
return -1;
|
||||||
|
|
||||||
@ -160,6 +167,9 @@ int insert_acl (char *location, acl_access_t access_type, vector_t *access_list)
|
|||||||
*/
|
*/
|
||||||
p = strchr (location, '/');
|
p = strchr (location, '/');
|
||||||
if (p != NULL) {
|
if (p != NULL) {
|
||||||
|
char dst[sizeof(struct in6_addr)];
|
||||||
|
int v6;
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* We have a slash, so it's intended to be an
|
* We have a slash, so it's intended to be an
|
||||||
* IP address with mask
|
* IP address with mask
|
||||||
@ -171,8 +181,15 @@ int insert_acl (char *location, acl_access_t access_type, vector_t *access_list)
|
|||||||
acl.type = ACL_NUMERIC;
|
acl.type = ACL_NUMERIC;
|
||||||
memcpy (acl.address.ip.octet, ip_dst, IPV6_LEN);
|
memcpy (acl.address.ip.octet, ip_dst, IPV6_LEN);
|
||||||
|
|
||||||
|
/* Check if the IP address before the netmask is
|
||||||
|
* an IPv6 address */
|
||||||
|
if (inet_pton(AF_INET6, location, dst) > 0)
|
||||||
|
v6 = 1;
|
||||||
|
else
|
||||||
|
v6 = 0;
|
||||||
|
|
||||||
if (fill_netmask_array
|
if (fill_netmask_array
|
||||||
(p + 1, &(acl.address.ip.mask[0]), IPV6_LEN)
|
(p + 1, v6, &(acl.address.ip.mask[0]), IPV6_LEN)
|
||||||
< 0)
|
< 0)
|
||||||
return -1;
|
return -1;
|
||||||
} else {
|
} else {
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user