git: 2d5a980f43e5 - stable/13 - tcp_wrappers: recognize IPv6 addresses/prefixes
Date: Thu, 21 Dec 2023 14:24:22 UTC
The branch stable/13 has been updated by emaste: URL: https://cgit.FreeBSD.org/src/commit/?id=2d5a980f43e565355d5d174ac4737b0ca080dda2 commit 2d5a980f43e565355d5d174ac4737b0ca080dda2 Author: Gleb Smirnoff <glebius@FreeBSD.org> AuthorDate: 2023-07-20 21:56:20 +0000 Commit: Ed Maste <emaste@FreeBSD.org> CommitDate: 2023-12-21 14:23:40 +0000 tcp_wrappers: recognize IPv6 addresses/prefixes Intentionally or not, but the libwrap was written in such manner that if your /etc/hosts.allow doesn't have any domain names, neither smart keywords like LOCAL or KNOWN, then it will not try to resolve the client address during the hosts check. This was achieved with the NOT_INADDR() check that matched IPv4 addresses/prefixes. Extend this to also skip resolve if client list token looks like IPv6. Reviewed by: philip, emaste PR: 269456 Differential revision: https://reviews.freebsd.org/D40070 (cherry picked from commit 1d9722de6f90c3edf286b077938bfa696e728d6c) --- contrib/tcp_wrappers/hosts_access.c | 3 ++- contrib/tcp_wrappers/tcpd.h | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/contrib/tcp_wrappers/hosts_access.c b/contrib/tcp_wrappers/hosts_access.c index 05c62d194091..e55f3f34dd20 100644 --- a/contrib/tcp_wrappers/hosts_access.c +++ b/contrib/tcp_wrappers/hosts_access.c @@ -315,7 +315,8 @@ static int host_match(char *tok, struct host_info *host) return (masked_match(tok, mask, eval_hostaddr(host))); } else { /* anything else */ return (string_match(tok, eval_hostaddr(host)) - || (NOT_INADDR(tok) && string_match(tok, eval_hostname(host)))); + || (NOT_INADDR(tok) && NOT_INADDR6(tok) + && string_match(tok, eval_hostname(host)))); } } diff --git a/contrib/tcp_wrappers/tcpd.h b/contrib/tcp_wrappers/tcpd.h index 1078073c8e3a..194cde378c1c 100644 --- a/contrib/tcp_wrappers/tcpd.h +++ b/contrib/tcp_wrappers/tcpd.h 
@@ -70,6 +70,7 @@ extern char paranoid[]; #define HOSTNAME_KNOWN(s) (STR_NE((s),unknown) && STR_NE((s),paranoid)) #define NOT_INADDR(s) (s[strspn(s,"01234567890./")] != 0) +#define NOT_INADDR6(s) (strchr(s, ':') == NULL) /* Global functions. */
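Review bot: In host_match() in contrib/tcp_wrappers/hosts_access.c, the final "anything else" branch has no comment saying why the hostname comparison is guarded. The NOT_INADDR(tok) && NOT_INADDR6(tok) test is what keeps eval_hostname(host) from being evaluated for address-like tokens, which is the no-resolve behaviour the commit message depends on, yet nothing in the code states that. A one-line comment above the return, saying that address-like tokens must never reach eval_hostname(), would keep a later cleanup from dropping either guard as redundant.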
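Review bot: In contrib/tcp_wrappers/tcpd.h, NOT_INADDR6(s) is a much looser test than the NOT_INADDR(s) next to it, and the difference is undocumented. NOT_INADDR only treats a token as an address when every character is a digit, '.' or '/', while NOT_INADDR6 treats any token containing ':' as an address regardless of its other characters, so such a token is never compared against the client hostname. Add a comment saying this is an intentional heuristic ("looks like IPv6") rather than a validity check, and parenthesise the argument the way HOSTNAME_KNOWN does, as strchr((s), ':').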