authorrofl0r <rofl0r@users.noreply.github.com>2020-09-30 19:23:34 +0100
committerrofl0r <rofl0r@users.noreply.github.com>2020-09-30 19:23:34 +0100
commit8d27503cc365dccdd65fef7fcb63d36eda717443 (patch)
tree3a20de7d9c00233b98667957823ad36780f663cf
parent3950a606a47fa62b46ecfa0ac45dbb7e1fa3bb8a (diff)
acl: fix regression using ipv6 with netmask
introduced in 0ad8904b40d699405f60655606db42475c011b67 closes #327
-rw-r--r--src/acl.c63
1 files changed, 25 insertions, 38 deletions
diff --git a/src/acl.c b/src/acl.c
index 261b7dd..b989219 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -138,15 +138,12 @@ int
insert_acl (char *location, acl_access_t access_type, acl_list_t *access_list)
{
struct acl_s acl;
- int ret;
- char *p, ip_dst[IPV6_LEN];
+ char *mask, ip_dst[IPV6_LEN];
assert (location != NULL);
- ret = init_access_list(access_list);
- if (ret != 0) {
+ if (init_access_list(access_list) != 0)
return -1;
- }
/*
* Start populating the access control structure.
@@ -154,38 +151,19 @@ insert_acl (char *location, acl_access_t access_type, acl_list_t *access_list)
memset (&acl, 0, sizeof (struct acl_s));
acl.access = access_type;
+ if ((mask = strrchr(location, '/')))
+ *(mask++) = 0;
+
/*
* Check for a valid IP address (the simplest case) first.
*/
if (full_inet_pton (location, ip_dst) > 0) {
acl.type = ACL_NUMERIC;
memcpy (acl.address.ip.network, ip_dst, IPV6_LEN);
- memset (acl.address.ip.mask, 0xff, IPV6_LEN);
- } else {
- int i;
- /* bogus ipv6 ? */
- if (strchr (location, ':'))
- return -1;
-
- /*
- * At this point we're either a hostname or an
- * IP address with a slash.
- */
- p = strchr (location, '/');
- if (p != NULL) {
+ if(!mask) memset (acl.address.ip.mask, 0xff, IPV6_LEN);
+ else {
char dst[sizeof(struct in6_addr)];
- int v6;
-
- /*
- * We have a slash, so it's intended to be an
- * IP address with mask
- */
- *p = '\0';
- if (full_inet_pton (location, ip_dst) <= 0)
- return -1;
-
- acl.type = ACL_NUMERIC;
-
+ int v6, i;
/* Check if the IP address before the netmask is
* an IPv6 address */
if (inet_pton(AF_INET6, location, dst) > 0)
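Review bot: The added `*(mask++) = 0` writes into the caller's `location` buffer, and nothing at that line documents it or restores the slash on the success path; only the `err:` label added later in the patch puts it back. A caller that logs or re-reads the same string after a successful insert would see it cut at the last '/', so a comment above the `strrchr` line such as `/* splits location in place at the last '/'; the slash is restored only on failure */` would make the contract explicit. Because the split happens before any validation, an entry with an empty mask (`addr/`) now reaches `fill_netmask_array` with an empty string; whether that is rejected depends on that helper, which is not visible here, and for an access list it is worth confirming that it cannot yield an all-zero mask. insert_acl starts before this hunk and ends after it.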
@@ -194,24 +172,33 @@ insert_acl (char *location, acl_access_t access_type, acl_list_t *access_list)
v6 = 0;
if (fill_netmask_array
- (p + 1, v6, &(acl.address.ip.mask[0]), IPV6_LEN)
+ (mask, v6, &(acl.address.ip.mask[0]), IPV6_LEN)
< 0)
- return -1;
+ goto err;
for (i = 0; i < IPV6_LEN; i++)
acl.address.ip.network[i] = ip_dst[i] &
acl.address.ip.mask[i];
- } else {
- /* In all likelihood a string */
- acl.type = ACL_STRING;
- acl.address.string = safestrdup (location);
- if (!acl.address.string)
- return -1;
}
+ } else {
+ /* either bogus IP or hostname */
+ /* bogus ipv6 ? */
+ if (mask || strchr (location, ':'))
+ goto err;
+
+ /* In all likelihood a string */
+ acl.type = ACL_STRING;
+ acl.address.string = safestrdup (location);
+ if (!acl.address.string)
+ goto err;
}
if(!sblist_add(*access_list, &acl)) return -1;
return 0;
+err:;
+ /* restore mask for proper error message */
+ if(mask) *(--mask) = '/';
+ return -1;
}
/*
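Review bot: The `sblist_add` failure at the end of insert_acl still does `return -1` rather than going through the new `err:` label, so the cleanup this patch introduces is skipped on that one path. For a masked entry `location` stays truncated at the slash, which defeats the stated purpose of `err:` (a proper error message), and for an ACL_STRING entry the pointer returned by `safestrdup` lives only in the local `acl` and is lost on return. Changing the line to `if(!sblist_add(*access_list, &acl)) goto err;` fixes the first; the second needs the duplicated string released when `acl.type == ACL_STRING` before returning, presumably with the project's matching free helper, which is not visible in this diff.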