From: Mukund Sivaraman <muks@banu.com>
Subject: Fix bug in ACL netmask generation
This is CVE-2011-1499.
Origin: https://banu.com/cgit/tinyproxy/commit/?h=1.8&id=1db982793d315d8460aefbacb26ce86bc2824861
Forwarded: not-needed
---
diff --git a/src/acl.c b/src/acl.c
index 6fa70e9..9ee6747 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -66,8 +66,8 @@ struct acl_s {
*
*/
static int
-fill_netmask_array (char *bitmask_string, unsigned char array[],
- size_t len)
+fill_netmask_array (char *bitmask_string, int v6,
+ unsigned char array[], size_t len)
{
unsigned int i;
unsigned long int mask;
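Review bot: The new `v6` parameter in the `fill_netmask_array` signature is an `int` used as a flag, and nothing visible in this hunk documents what 0 and non-zero mean to a caller. The function's header comment starts outside the hunk, so it may need a line such as `v6: non-zero if bitmask_string is an IPv6 prefix length; zero for IPv4, in which case 96 bits are added before the mask is built`. Stating there that `len` is expected to be the full 16-byte IPv6 length would also make the later `8 * len` range check easier to audit.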
@@ -81,7 +81,14 @@ fill_netmask_array (char *bitmask_string, unsigned char array[],
|| (errno != 0 && mask == 0) || (endptr == bitmask_string))
return -1;
- /* valid range for a bit mask */
+ if (v6 == 0) {
+ /* The mask comparison is done as an IPv6 address, so
+ * convert to a longer mask in the case of IPv4
+ * addresses. */
+ mask += 12 * 8;
+ }
+
+ /* check valid range for a bit mask */
if (mask > (8 * len))
return -1;
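Review bot: The added `mask += 12 * 8;` runs before the range check, and `mask` is an `unsigned long`, so an IPv4 prefix value within 96 of the type's maximum wraps to a small number and then passes `mask > (8 * len)`. The first part of the preceding validation is outside the hunk, so it cannot be confirmed from here whether such values (or a negative prefix, which strtoul-style parsing negates rather than rejects) are already refused. Bounding the IPv4 prefix before widening it removes that dependency: `if (mask > 32) return -1;` as the first statement inside the `v6 == 0` branch. A mask that collapses to zero bits would make the ACL entry match every client address, so out-of-range prefixes deserve a regression test.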
@@ -160,6 +167,9 @@ int insert_acl (char *location, acl_access_t access_type, vector_t *access_list)
*/
p = strchr (location, '/');
if (p != NULL) {
+ char dst[sizeof(struct in6_addr)];
+ int v6;
+
/*
* We have a slash, so it's intended to be an
* IP address with mask
@@ -171,8 +181,15 @@ int insert_acl (char *location, acl_access_t access_type, vector_t *access_list)
acl.type = ACL_NUMERIC;
memcpy (acl.address.ip.octet, ip_dst, IPV6_LEN);
+ /* Check if the IP address before the netmask is
+ * an IPv6 address */
+ if (inet_pton(AF_INET6, location, dst) > 0)
+ v6 = 1;
+ else
+ v6 = 0;
+
if (fill_netmask_array
- (p + 1, &(acl.address.ip.mask[0]), IPV6_LEN)
+ (p + 1, v6, &(acl.address.ip.mask[0]), IPV6_LEN)
< 0)
return -1;
} else {
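Review bot: The `inet_pton(AF_INET6, location, dst)` family check only gives the right answer if `location` has already been cut at the slash, because inet_pton rejects a string with a trailing `/prefix`. That truncation is not visible in this hunk; if it were ever moved or removed, `v6` would silently become 0 for every entry and IPv6 prefixes would be widened by 96 bits. A comment such as `/* location was terminated at '/' above, so this parses the address part only; dst is scratch */` would record the dependency. The if/else could also be written as `v6 = inet_pton (AF_INET6, location, dst) > 0;`.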
--
cgit