Refactored netmask array fill with range check
When building a numeric ACL with netmask, range check the supplied value. In addition, the code to walk the array has been extracted and "simplified". Signed-off-by: Robert James Kaes <rjk@wormbytes.ca>
							parent
									95c1f39f60
						commit
						51fb15be2c
										47
								src/acl.c
										47
								src/acl.c
							@ -57,6 +57,41 @@ struct acl_s {
 | 
				
			|||||||
 */
 | 
					 */
 | 
				
			||||||
static vector_t access_list = NULL;
 | 
					static vector_t access_list = NULL;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					/*
 | 
				
			||||||
 | 
					 * Fills in the netmask array given a numeric value.
 | 
				
			||||||
 | 
					 *
 | 
				
			||||||
 | 
					 * Returns:
 | 
				
			||||||
 | 
					 *   0 on success
 | 
				
			||||||
 | 
					 *  -1 on failure (invalid mask value)
 | 
				
			||||||
 | 
					 *
 | 
				
			||||||
 | 
					 */
 | 
				
			||||||
 | 
					inline static int
 | 
				
			||||||
 | 
					fill_netmask_array(long int mask, unsigned char array[], unsigned int len)
 | 
				
			||||||
 | 
					{
 | 
				
			||||||
 | 
					        unsigned int i;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					        if (mask < 0 || mask > (8 * len))
 | 
				
			||||||
 | 
					                return -1;
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					        for (i = 0; i != len; ++i) {
 | 
				
			||||||
 | 
					                if (mask >= 8) {
 | 
				
			||||||
 | 
					                        array[i] = 0xff;
 | 
				
			||||||
 | 
					                        mask -= 8;
 | 
				
			||||||
 | 
					                }
 | 
				
			||||||
 | 
					                else if (mask > 0) {
 | 
				
			||||||
 | 
					                        array[i] = (unsigned char)(0xff << (8 - mask));
 | 
				
			||||||
 | 
					                        mask = 0;
 | 
				
			||||||
 | 
					                }
 | 
				
			||||||
 | 
					                else {
 | 
				
			||||||
 | 
					                        array[i] = 0;
 | 
				
			||||||
 | 
					                }
 | 
				
			||||||
 | 
					        }
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					        return 0;
 | 
				
			||||||
 | 
					}
 | 
				
			||||||
 | 
					
 | 
				
			||||||
 | 
					
 | 
				
			||||||
/*
 | 
					/*
 | 
				
			||||||
 * Inserts a new access control into the list. The function will figure out
 | 
					 * Inserts a new access control into the list. The function will figure out
 | 
				
			||||||
 * whether the location is an IP address (with optional netmask) or a
 | 
					 * whether the location is an IP address (with optional netmask) or a
 | 
				
			||||||
@ -70,7 +105,8 @@ int
 | 
				
			|||||||
insert_acl(char *location, acl_access_t access_type)
 | 
					insert_acl(char *location, acl_access_t access_type)
 | 
				
			||||||
{
 | 
					{
 | 
				
			||||||
        struct acl_s acl;
 | 
					        struct acl_s acl;
 | 
				
			||||||
        int i, ret, mask;
 | 
					        int ret;
 | 
				
			||||||
 | 
					        long int mask;
 | 
				
			||||||
        char *p, ip_dst[IPV6_LEN];
 | 
					        char *p, ip_dst[IPV6_LEN];
 | 
				
			||||||
 | 
					
 | 
				
			||||||
        assert(location != NULL);
 | 
					        assert(location != NULL);
 | 
				
			||||||
@ -119,13 +155,8 @@ insert_acl(char *location, acl_access_t access_type)
 | 
				
			|||||||
                        memcpy(acl.address.ip.octet, ip_dst, IPV6_LEN);
 | 
					                        memcpy(acl.address.ip.octet, ip_dst, IPV6_LEN);
 | 
				
			||||||
 | 
					
 | 
				
			||||||
                        mask = strtol(p + 1, NULL, 10);
 | 
					                        mask = strtol(p + 1, NULL, 10);
 | 
				
			||||||
                        for (i = 0; i != IPV6_LEN; ++i) {
 | 
					                        if (fill_netmask_array(mask, &(acl.address.ip.mask[0]), IPV6_LEN) < 0)
 | 
				
			||||||
                                if (mask >= ((i + 1) * 8))
 | 
					                                return -1;
 | 
				
			||||||
                                        acl.address.ip.mask[i] = 0xff;
 | 
					 | 
				
			||||||
                                else
 | 
					 | 
				
			||||||
                                        acl.address.ip.mask[i] =
 | 
					 | 
				
			||||||
                                            0xff << (8 - (mask - i * 8));
 | 
					 | 
				
			||||||
                        }
 | 
					 | 
				
			||||||
                } else {
 | 
					                } else {
 | 
				
			||||||
                        /* In all likelihood a string */
 | 
					                        /* In all likelihood a string */
 | 
				
			||||||
                        acl.type = ACL_STRING;
 | 
					                        acl.type = ACL_STRING;
 | 
				
			||||||
 | 
				
			|||||||
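Review bot: The range check added in fill_netmask_array never sees a malformed netmask string, because the call site in the last hunk still parses it with `mask = strtol(p + 1, NULL, 10);` and discards the end pointer: a suffix such as `/abc` or a bare `/` yields mask 0, which passes `mask < 0 || mask > (8 * len)` and fills the whole array with zeros, so a typo in the ACL presumably produces an entry that matches every address rather than a rejected entry. Validating the parse at the call site closes that gap, e.g. `char *end; mask = strtol(p + 1, &end, 10); if (end == p + 1 || *end != '\0') return -1;`, with `errno = 0` before the call and an `ERANGE` test if acl.c already includes errno.h (not visible in this hunk). It is also worth a one-line comment above fill_netmask_array's check, `/* mask == 0 is accepted and yields an all-zero mask */`, so that the caller's responsibility for rejecting non-numeric input is explicit. insert_acl's body begins and ends outside this hunk.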