From: Mukund Sivaraman Subject: Fix bug in ACL netmask generation This is CVE-2011-1499. Origin: https://banu.com/cgit/tinyproxy/commit/?h=1.8&id=1db982793d315d8460aefbacb26ce86bc2824861 Forwarded: not-needed --- diff --git a/src/acl.c b/src/acl.c index 6fa70e9..9ee6747 100644 --- a/src/acl.c +++ b/src/acl.c @@ -66,8 +66,8 @@ struct acl_s { * */ static int -fill_netmask_array (char *bitmask_string, unsigned char array[], - size_t len) +fill_netmask_array (char *bitmask_string, int v6, + unsigned char array[], size_t len) { unsigned int i; unsigned long int mask; @@ -81,7 +81,14 @@ fill_netmask_array (char *bitmask_string, unsigned char array[], || (errno != 0 && mask == 0) || (endptr == bitmask_string)) return -1; - /* valid range for a bit mask */ + if (v6 == 0) { + /* The mask comparison is done as an IPv6 address, so + * convert to a longer mask in the case of IPv4 + * addresses. */ + mask += 12 * 8; + } + + /* check valid range for a bit mask */ if (mask > (8 * len)) return -1; @@ -160,6 +167,9 @@ int insert_acl (char *location, acl_access_t access_type, vector_t *access_list) */ p = strchr (location, '/'); if (p != NULL) { + char dst[sizeof(struct in6_addr)]; + int v6; + /* * We have a slash, so it's intended to be an * IP address with mask @@ -171,8 +181,15 @@ int insert_acl (char *location, acl_access_t access_type, vector_t *access_list) acl.type = ACL_NUMERIC; memcpy (acl.address.ip.octet, ip_dst, IPV6_LEN); + /* Check if the IP address before the netmask is + * an IPv6 address */ + if (inet_pton(AF_INET6, location, dst) > 0) + v6 = 1; + else + v6 = 0; + if (fill_netmask_array - (p + 1, &(acl.address.ip.mask[0]), IPV6_LEN) + (p + 1, v6, &(acl.address.ip.mask[0]), IPV6_LEN) < 0) return -1; } else { -- cgit