acl: fix regression using ipv6 with netmask

introduced in 0ad8904b40

closes #327
rofl0r 2020-09-30 19:23:34 +01:00
parent 3950a606a4
commit 8d27503cc3


@ -138,15 +138,12 @@ int
insert_acl (char *location, acl_access_t access_type, acl_list_t *access_list) insert_acl (char *location, acl_access_t access_type, acl_list_t *access_list)
{ {
struct acl_s acl; struct acl_s acl;
int ret; char *mask, ip_dst[IPV6_LEN];
char *p, ip_dst[IPV6_LEN];
assert (location != NULL); assert (location != NULL);
ret = init_access_list(access_list); if (init_access_list(access_list) != 0)
if (ret != 0) {
return -1; return -1;
}
/* /*
* Start populating the access control structure. * Start populating the access control structure.
@ -154,38 +151,19 @@ insert_acl (char *location, acl_access_t access_type, acl_list_t *access_list)
memset (&acl, 0, sizeof (struct acl_s)); memset (&acl, 0, sizeof (struct acl_s));
acl.access = access_type; acl.access = access_type;
if ((mask = strrchr(location, '/')))
*(mask++) = 0;
/* /*
* Check for a valid IP address (the simplest case) first. * Check for a valid IP address (the simplest case) first.
*/ */
if (full_inet_pton (location, ip_dst) > 0) { if (full_inet_pton (location, ip_dst) > 0) {
acl.type = ACL_NUMERIC; acl.type = ACL_NUMERIC;
memcpy (acl.address.ip.network, ip_dst, IPV6_LEN); memcpy (acl.address.ip.network, ip_dst, IPV6_LEN);
memset (acl.address.ip.mask, 0xff, IPV6_LEN); if(!mask) memset (acl.address.ip.mask, 0xff, IPV6_LEN);
} else { else {
int i;
/* bogus ipv6 ? */
if (strchr (location, ':'))
return -1;
/*
* At this point we're either a hostname or an
* IP address with a slash.
*/
p = strchr (location, '/');
if (p != NULL) {
char dst[sizeof(struct in6_addr)]; char dst[sizeof(struct in6_addr)];
int v6; int v6, i;
/*
* We have a slash, so it's intended to be an
* IP address with mask
*/
*p = '\0';
if (full_inet_pton (location, ip_dst) <= 0)
return -1;
acl.type = ACL_NUMERIC;
/* Check if the IP address before the netmask is /* Check if the IP address before the netmask is
* an IPv6 address */ * an IPv6 address */
if (inet_pton(AF_INET6, location, dst) > 0) if (inet_pton(AF_INET6, location, dst) > 0)
@ -194,24 +172,33 @@ insert_acl (char *location, acl_access_t access_type, acl_list_t *access_list)
v6 = 0; v6 = 0;
if (fill_netmask_array if (fill_netmask_array
(p + 1, v6, &(acl.address.ip.mask[0]), IPV6_LEN) (mask, v6, &(acl.address.ip.mask[0]), IPV6_LEN)
< 0) < 0)
return -1; goto err;
for (i = 0; i < IPV6_LEN; i++) for (i = 0; i < IPV6_LEN; i++)
acl.address.ip.network[i] = ip_dst[i] & acl.address.ip.network[i] = ip_dst[i] &
acl.address.ip.mask[i]; acl.address.ip.mask[i];
} else {
/* In all likelihood a string */
acl.type = ACL_STRING;
acl.address.string = safestrdup (location);
if (!acl.address.string)
return -1;
} }
} else {
/* either bogus IP or hostname */
/* bogus ipv6 ? */
if (mask || strchr (location, ':'))
goto err;
/* In all likelihood a string */
acl.type = ACL_STRING;
acl.address.string = safestrdup (location);
if (!acl.address.string)
goto err;
} }
if(!sblist_add(*access_list, &acl)) return -1; if(!sblist_add(*access_list, &acl)) return -1;
return 0; return 0;
err:;
/* restore mask for proper error message */
if(mask) *(--mask) = '/';
return -1;
} }
/* /*
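Review bot: The `sblist_add` failure path just above the new `err:` label still does a bare `return -1;`, so it skips the `*(--mask) = '/'` restoration that the commit adds for every other failure, and when `acl.type == ACL_STRING` it also drops the string obtained from `safestrdup` (that leak predates this change, but the new label makes it cheap to handle). I would route it through the same exit: `if(!sblist_add(*access_list, &acl)) { if (acl.type == ACL_STRING) free_the_string(acl.address.string); goto err; }`, using whichever deallocator the project pairs with `safestrdup`. Note that on the success path `location` is still left with the '/' replaced by NUL, as it was before this commit; if any caller reuses the string afterwards, the restoration would belong on that path too, which I cannot confirm from here. Minor style point: `err:;` only needs the empty statement when a declaration follows the label, and here an `if` follows, so `err:` alone reads cleaner.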