From: Cyril Bonté Date: Tue, 23 Oct 2012 19:28:31 +0000 (+0200) Subject: BUG/MEDIUM: acls using IPv6 subnets patterns incorrectly match IPs X-Git-Tag: v1.5-dev13~123 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4c01beb64bd5fc96952f4d31660080aedb9eda7b;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: acls using IPv6 subnets patterns incorrectly match IPs Some tests revealed that IPs not in the range of IPv6 subnets incorrectly matched (for example "acl BUG src 2804::/16" applied to a src IP "127.0.0.1"). This is caused by the acl_match_ip() function applies a mask in host byte order, whereas it should be in network byte order. --- diff --git a/src/acl.c b/src/acl.c index d0ea731d28..ef9630c89d 100644 --- a/src/acl.c +++ b/src/acl.c @@ -776,7 +776,7 @@ int acl_match_ip(struct sample *smp, struct acl_pattern *pattern) for (pos = 0; bits > 0; pos += 4, bits -= 32) { v4 = *(uint32_t*)&v6->s6_addr[pos] ^ *(uint32_t*)&pattern->val.ipv6.addr.s6_addr[pos]; if (bits < 32) - v4 &= (~0U) << (32-bits); + v4 &= htonl((~0U) << (32-bits)); if (v4) return ACL_PAT_FAIL; }
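Review bot: The changed line `v4 &= htonl((~0U) << (32-bits));` in acl_match_ip() should carry a short comment saying that v4 holds address bytes loaded straight from s6_addr, that is, in network byte order, so the prefix mask has to be converted to match. Without it the htonl() looks optional, and the unconverted mask it replaces looked just as plausible. The shift itself is safe: the loop runs only while `bits > 0` and the mask is applied only when `bits < 32`, so the shift count stays between 1 and 31. Since htonl() is a no-op on big-endian hosts, the wrong match only appears on little-endian builds; a regression case using the commit message's own example (pattern `2804::/16` against source `127.0.0.1`) would keep it from returning unnoticed. As a separate portability point on the unchanged context line, `*(uint32_t*)&v6->s6_addr[pos]` reads a byte array through a uint32_t pointer, which depends on the alignment of the address and on the compiler tolerating the type pun; copying each 4-byte group into a local uint32_t with memcpy() would avoid both assumptions.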