ports/156264: [maintainer update] ACL lists allow all clients to connect when an IP range is used

Roger Marquis marquis at roble.com
Fri Apr 8 00:10:09 UTC 2011


>Number:         156264
>Category:       ports
>Synopsis:       [maintainer update] ACL lists allow all clients to connect when an IP range is used
>Confidential:   no
>Severity:       serious
>Priority:       low
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          maintainer-update
>Submitter-Id:   current-users
>Arrival-Date:   Fri Apr 08 00:10:08 UTC 2011
>Closed-Date:
>Last-Modified:
>Originator:     Roger Marquis
>Release:        8.1-RELEASE
>Organization:
Roble Systems
>Environment:
8.1-RELEASE-p2 FreeBSD 
>Description:
Quoting <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621493>:
When including a line like

Allow 192.168.0.0/16

to allow a network of IP addresses instead of only one IP address per line,
access to tinyproxy is actually allowed for all IP addresses.

--

Fixed per testing of patch described at <https://banu.com/bugzilla/show_bug.cgi?id=90>.
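As an added illustration, not part of this PR or of tinyproxy's code, the C model below shows why an unpatched "Allow 192.168.0.0/16" admits every client and how the attached patch's 96-bit (12 * 8) offset closes it. It assumes, as that offset implies, that IPv4 addresses are compared as 16-byte IPv4-mapped IPv6 addresses (::ffff:a.b.c.d); `acl_matches`, `mapped_v4` and `fill_mask` are hypothetical names.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

#define IPV6_LEN 16
/* Assumption (implied by the patch's 12 * 8 offset): IPv4 addresses are
 * held as IPv4-mapped IPv6 addresses, ::ffff:a.b.c.d, in 16 bytes. */
static int mapped_v4(const char *ip, unsigned char out[IPV6_LEN])
{
        char buf[INET6_ADDRSTRLEN + 8];
        struct in6_addr a;
        snprintf(buf, sizeof buf, "::ffff:%s", ip);
        if (inet_pton(AF_INET6, buf, &a) != 1)
                return 0;
        memcpy(out, &a, IPV6_LEN);
        return 1;
}

/* Expand a prefix length into a byte mask from the left, like fill_netmask_array(). */
static void fill_mask(unsigned long bits, unsigned char mask[], size_t len)
{
        size_t i;
        for (i = 0; i < len; i++) {
                if (bits >= 8) { mask[i] = 0xff; bits -= 8; }
                else if (bits > 0) { mask[i] = (unsigned char) (0xff << (8 - bits)); bits = 0; }
                else mask[i] = 0;
        }
}

/* Does client lie inside network/prefix? fixed == 0 reproduces the bug (the
 * prefix masks only the leading zero bytes of the mapped address); fixed == 1
 * adds the patch's 96-bit offset. Returns 1 match, 0 no match, -1 invalid. */
int acl_matches(const char *client, const char *network, unsigned long prefix, int fixed)
{
        unsigned char c[IPV6_LEN], n[IPV6_LEN], m[IPV6_LEN];
        size_t i;
        if (!mapped_v4(client, c) || !mapped_v4(network, n))
                return -1;
        if (fixed)
                prefix += 12 * 8;       /* what the patched fill_netmask_array() does */
        if (prefix > 8 * IPV6_LEN)      /* existing range check: IPv4 /33 -> 129 bits, rejected */
                return -1;
        fill_mask(prefix, m, IPV6_LEN);
        for (i = 0; i < IPV6_LEN; i++)
                if ((c[i] & m[i]) != (n[i] & m[i]))
                        return 0;
        return 1;
}
```

With fixed == 0 a /16 yields the mask ff ff 00..00, which covers only the all-zero leading bytes of every mapped IPv4 address, so any client compares equal to the network.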
>How-To-Repeat:

>Fix:
Patch attached.

Patch attached with submission follows:

--- src/acl.c.orig
+++ src/acl.c
@@ -66,8 +66,8 @@ struct acl_s {
  *
  */
 static int
-fill_netmask_array (char *bitmask_string, unsigned char array[],
-                    size_t len)
+fill_netmask_array (char *bitmask_string, int v6,
+                    unsigned char array[], size_t len)
 {
         unsigned int i;
         unsigned long int mask;
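Review bot: the new `v6` parameter is not described in the function comment that closes just above `static int` in this hunk; add a sentence there stating that `v6` is nonzero when the prefix belongs to an IPv6 address and zero for IPv4, since the meaning of the prefix length now depends on it. Every caller of fill_netmask_array() needs the extra argument; this patch updates only the call in insert_acl(), so confirm there are no other call sites.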
@@ -81,7 +81,14 @@ fill_netmask_array (char *bitmask_string, unsigned char array[],
             || (errno != 0 && mask == 0) || (endptr == bitmask_string))
                 return -1;
 
-        /* valid range for a bit mask */
+        if (v6 == 0) {
+                /* The mask comparison is done as an IPv6 address, so
+                 * convert to a longer mask in the case of IPv4
+                 * addresses. */
+                mask += 12 * 8;
+        }
+
+        /* check valid range for a bit mask */
         if (mask > (8 * len))
                 return -1;
 
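Review bot: the IPv4 offset is added before the range check, so a very large prefix that strtoul() accepts without ERANGE can wrap around on `mask += 12 * 8` and then pass `if (mask > (8 * len))`. Check the raw value first (at most 32 for IPv4, at most `8 * len` for IPv6) and add the offset afterwards; that also gives a clearer rejection of "/33" than relying on 33 + 96 exceeding 128. While there, replace the magic number `12 * 8` with something self-explanatory such as `(IPV6_LEN - 4) * 8`, with the comment noting that IPv4 addresses are compared in their IPv4-mapped form, which is what the 96-bit skip represents.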
@@ -163,6 +170,9 @@ insert_acl (char *location, acl_access_t access_type, vector_t *access_list)
                  */
                 p = strchr (location, '/');
                 if (p != NULL) {
+                        char dst[sizeof(struct in6_addr)];
+                        int v6;
+
                         /*
                          * We have a slash, so it's intended to be an
                          * IP address with mask
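Review bot: `dst` is declared as a raw `char dst[sizeof(struct in6_addr)]` but only serves as a scratch target for inet_pton(); declaring it as `struct in6_addr dst;` says what it is and avoids any alignment question. This hunk also introduces `struct in6_addr` and inet_pton() into acl.c, so check that the file includes the headers that declare them (netinet/in.h and arpa/inet.h) rather than relying on indirect includes.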
@@ -173,8 +183,15 @@ insert_acl (char *location, acl_access_t access_type, vector_t *access_list)
 
                         acl.type = ACL_NUMERIC;
 
+                        /* Check if the IP address before the netmask is
+                         * an IPv6 address */
+                        if (inet_pton(AF_INET6, location, dst) > 0)
+                                v6 = 1;
+                        else
+                                v6 = 0;
+
                         if (fill_netmask_array
-                            (p + 1, &(acl.address.ip.mask[0]), IPV6_LEN)
+                            (p + 1, v6, &(acl.address.ip.mask[0]), IPV6_LEN)
                             < 0)
                                 return -1;
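Review bot: the `inet_pton(AF_INET6, location, dst)` probe only works if `location` has already been NUL-terminated at the slash that `p` points to; that would have to happen in the lines elided between this hunk and the previous one. If the "/16" suffix is still attached, the AF_INET6 parse fails for every entry, `v6` stays 0 and IPv6 prefixes get the 96-bit IPv4 offset as well. Add a comment that the string is terminated at `p` by this point, or move the probe to where that termination happens. The if/else can also collapse to `v6 = inet_pton(AF_INET6, location, dst) > 0;`.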


>Release-Note:
>Audit-Trail:
>Unformatted:


