Date: Fri, 8 Apr 2011 00:04:42 GMT
From: Roger Marquis <marquis@roble.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/156264: [maintainer update] ACL lists allow all clients to connect when an IP range is used
Message-ID: <201104080004.p3804gsY034111@red.freebsd.org>
Resent-Message-ID: <201104080010.p380A81P056536@freefall.freebsd.org>
>Number: 156264 >Category: ports >Synopsis: [maintainer update] ACL lists allow all clients to connect when an IP range is used >Confidential: no >Severity: serious >Priority: low >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: maintainer-update >Submitter-Id: current-users >Arrival-Date: Fri Apr 08 00:10:08 UTC 2011 >Closed-Date: >Last-Modified: >Originator: Roger Marquis >Release: 8.1-RELEASE >Organization: Roble Systems >Environment: 8.1-RELEASE-p2 FreeBSD >Description: Quoting <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621493>: When including a line like Allow 192.168.0.0/16 to allow a network of ip addresses instead of only one ip address per line the access to tinyproxy is actually allowed for all ip addresses. -- Fixed per testing of patch described at <https://banu.com/bugzilla/show_bug.cgi?id=90>. >How-To-Repeat: >Fix: Patch attached. Patch attached with submission follows: --- src/acl.c.orig +++ src/acl.c @@ -66,8 +66,8 @@ struct acl_s { * */ static int -fill_netmask_array (char *bitmask_string, unsigned char array[], - size_t len) +fill_netmask_array (char *bitmask_string, int v6, + unsigned char array[], size_t len) { unsigned int i; unsigned long int mask; @@ -81,7 +81,14 @@ fill_netmask_array (char *bitmask_string, unsigned char array[], || (errno != 0 && mask == 0) || (endptr == bitmask_string)) return -1; - /* valid range for a bit mask */ + if (v6 == 0) { + /* The mask comparison is done as an IPv6 address, so + * convert to a longer mask in the case of IPv4 + * addresses. */ + mask += 12 * 8; + } + + /* check valid range for a bit mask */ if (mask > (8 * len)) return -1; @@ -163,6 +170,9 @@ insert_acl (char *location, acl_access_t access_type, vector_t *access_list) */ p = strchr (location, '/'); if (p != NULL) { + char dst[sizeof(struct in6_addr)]; + int v6; + /* * We have a slash, so it's intended to be an * IP address with mask 
@@ -173,8 +183,15 @@ insert_acl (char *location, acl_access_t access_type, vector_t *access_list) acl.type = ACL_NUMERIC; + /* Check if the IP address before the netmask is + * an IPv6 address */ + if (inet_pton(AF_INET6, location, dst) > 0) + v6 = 1; + else + v6 = 0; + if (fill_netmask_array - (p + 1, &(acl.address.ip.mask[0]), IPV6_LEN) + (p + 1, v6, &(acl.address.ip.mask[0]), IPV6_LEN) < 0) return -1; >Release-Note: >Audit-Trail: >Unformatted:
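Review bot: In the fill_netmask_array hunk, `mask += 12 * 8;` is executed before the only range check that follows it, `if (mask > (8 * len)) return -1;`, so for an IPv4 rule the raw prefix length is never compared against 32, and a very large value returned by strtoul that the visible `(errno != 0 && mask == 0)` test does not reject wraps the unsigned addition to a value below 128 and is accepted. Suggest validating the IPv4 case first, e.g. `if (v6 == 0 && mask > 32) return -1;` ahead of the addition, and replacing the literal `12 * 8` with an expression in terms of IPV6_LEN and the IPv4 length so the intent (skip the 96-bit prefix of an IPv4-mapped address) is readable from the code.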
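Review bot: In the insert_acl hunk, `inet_pton(AF_INET6, location, dst)` only gives the intended answer if the '/' located by `strchr (location, '/')` has already been replaced by a terminating NUL at that point; the lines between the two insert_acl hunks are not shown, so that ordering should be confirmed, because otherwise the test fails on every "addr/prefix" string and every rule is treated as IPv4. `dst` is used purely as scratch space for this second parse; if the network part has already been parsed into acl.address.ip by this point (not visible in the hunk), deriving v6 from that stored value, for instance by checking for the IPv4-mapped form the mask comparison relies on, would avoid parsing the string twice and drop the extra buffer. In either case the new v6 parameter deserves a line in the comment block above fill_netmask_array describing what it selects.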
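As an added illustration (not code from tinyproxy, the submitted patch, or the Debian report), the following C program models the mask semantics the patch relies on: addresses are compared as 128-bit values with IPv4 stored in IPv4-mapped form (::ffff:a.b.c.d), so an IPv4 prefix length has to be shifted past the 96-bit prefix before the mask is applied. It reproduces the reported symptom (with an unshifted /16, a client from 10.0.0.0/8 still matches 192.168.0.0/16) and shows the shifted mask behaving as intended, and it rejects an IPv4 prefix longer than 32 before adding the offset so the addition cannot wrap. The function names, the shift_v4 flag and the sample addresses are constructed for this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

#define IPV6_LEN 16
#define IPV4_LEN 4

/* Parse an IPv4 or IPv6 literal into a 16-byte buffer. IPv4 addresses are
 * stored IPv4-mapped (::ffff:a.b.c.d) so every comparison runs over the
 * same 128 bits (assumed model of the ACL code). Returns 1 for IPv6,
 * 0 for IPv4, -1 on parse failure. */
int parse_address(const char *text, unsigned char out[IPV6_LEN])
{
    struct in_addr v4;

    if (inet_pton(AF_INET6, text, out) > 0)
        return 1;
    if (inet_pton(AF_INET, text, &v4) > 0) {
        memset(out, 0, IPV6_LEN);
        out[10] = 0xff;
        out[11] = 0xff;
        memcpy(out + (IPV6_LEN - IPV4_LEN), &v4, IPV4_LEN); /* network byte order */
        return 0;
    }
    return -1;
}

/* Build a 16-byte mask from a prefix length. With shift_v4 set, an IPv4
 * prefix is moved past the 96-bit ::ffff: prefix (what the patch does with
 * "mask += 12 * 8"); with it clear, the mask is written unshifted, which is
 * the behaviour the bug report describes. Returns -1 if the prefix is out
 * of range for the address family. */
int fill_mask(unsigned long prefix, int v6, int shift_v4,
              unsigned char mask[IPV6_LEN])
{
    unsigned int i;

    /* Reject an over-long IPv4 prefix before adding anything, so a huge
     * value cannot wrap the unsigned addition below 128. */
    if (!v6 && prefix > 8 * IPV4_LEN)
        return -1;
    if (!v6 && shift_v4)
        prefix += (IPV6_LEN - IPV4_LEN) * 8;
    if (prefix > 8 * IPV6_LEN)
        return -1;
    memset(mask, 0, IPV6_LEN);
    for (i = 0; i < prefix; i++)
        mask[i / 8] |= (unsigned char)(0x80 >> (i % 8));
    return 0;
}

/* 1 if client lies inside network/prefix, 0 if not, -1 on bad input. */
int client_matches(const char *network, unsigned long prefix,
                   const char *client, int shift_v4)
{
    unsigned char net[IPV6_LEN], cli[IPV6_LEN], mask[IPV6_LEN];
    unsigned int i;
    int v6 = parse_address(network, net);

    if (v6 < 0 || parse_address(client, cli) < 0)
        return -1;
    if (fill_mask(prefix, v6, shift_v4, mask) < 0)
        return -1;
    for (i = 0; i < IPV6_LEN; i++)
        if ((net[i] & mask[i]) != (cli[i] & mask[i]))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample: the "Allow 192.168.0.0/16" rule from the report,
     * checked against a client that should be outside it. */
    printf("unshifted mask, 10.0.0.1 in 192.168.0.0/16: %d\n",
           client_matches("192.168.0.0", 16, "10.0.0.1", 0));
    printf("shifted mask,   10.0.0.1 in 192.168.0.0/16: %d\n",
           client_matches("192.168.0.0", 16, "10.0.0.1", 1));
    printf("shifted mask,   192.168.5.7 in 192.168.0.0/16: %d\n",
           client_matches("192.168.0.0", 16, "192.168.5.7", 1));
    printf("shifted mask,   /33 on an IPv4 rule: %d\n",
           client_matches("192.168.0.0", 33, "192.168.5.7", 1));
    return 0;
}
```

The unshifted run returns 1 for a client far outside the range, because a /16 written at the top of the 128-bit mask only covers the leading zero bytes that every IPv4-mapped address shares; once the prefix is shifted by 96 bits the same rule admits only 192.168.x.y clients.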