From: Vladimír Čunát
Date: Mon, 12 Feb 2018 14:36:49 +0000 (+0100)
Subject: policy.TLS_FORWARD: refusal when configuring with multiple IPs
X-Git-Tag: v2.1.0~7^2~2
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=c0d327d74d1e56fdfedef702c8d3fe1123dedd0f;p=thirdparty%2Fknot-resolver.git
policy.TLS_FORWARD: refusal when configuring with multiple IPs
Fixes https://gitlab.labs.nic.cz/knot/knot-resolver/issues/306
---
diff --git a/NEWS b/NEWS
index 90056c18a..9549b7aa4 100644
--- a/NEWS
+++ b/NEWS
@@ -1,6 +1,11 @@
+Knot Resolver 2.X.Y (2018-0M-DD)
+================================
+Bugfixes
+--------
 - detect_time_jump module: don't clear cache on suspend-resume (#284)
 - stats module: fix stats.list() returning nothing, regressed in 2.0.0
+- policy.TLS_FORWARD: refusal when configuring with multiple IPs (#306)
 Knot Resolver 2.0.0 (2018-01-31)
diff --git a/daemon/lua/kres-gen.lua b/daemon/lua/kres-gen.lua
index 8fdd010ac..11d176dec 100644
--- a/daemon/lua/kres-gen.lua
+++ b/daemon/lua/kres-gen.lua
@@ -276,6 +276,7 @@ int kr_pkt_clear_payload(knot_pkt_t *);
 const char *kr_inaddr(const struct sockaddr *);
 int kr_inaddr_family(const struct sockaddr *);
 int kr_inaddr_len(const struct sockaddr *);
+int kr_sockaddr_len(const struct sockaddr *);
 uint16_t kr_inaddr_port(const struct sockaddr *);
 int kr_straddr_family(const char *);
 int kr_straddr_subnet(void *, const char *);
diff --git a/daemon/lua/kres-gen.sh b/daemon/lua/kres-gen.sh
index 59fafce76..caf4383cd 100755
--- a/daemon/lua/kres-gen.sh
+++ b/daemon/lua/kres-gen.sh
@@ -143,6 +143,7 @@ EOF
 kr_inaddr
 kr_inaddr_family
 kr_inaddr_len
+ kr_sockaddr_len
 kr_inaddr_port
 kr_straddr_family
 kr_straddr_subnet
diff --git a/lib/utils.c b/lib/utils.c
index 6b1c2eac5..9438fd474 100644
--- a/lib/utils.c
+++ b/lib/utils.c
@@ -337,6 +337,18 @@ int kr_inaddr_len(const struct sockaddr *addr)
 return kr_family_len(addr->sa_family);
 }
+int kr_sockaddr_len(const struct sockaddr *addr)
+{
+ if (!addr) {
+ return kr_error(EINVAL);
+ }
+ switch (addr->sa_family) {
+ case AF_INET: return sizeof(struct sockaddr_in);
+ case AF_INET6: return sizeof(struct sockaddr_in6);
+ default: return kr_error(EINVAL);
+ }
+}
+
 uint16_t kr_inaddr_port(const struct sockaddr *addr)
 {
 if (!addr) {
@@ -972,4 +984,4 @@ finish:
 *d = 0; /* the final zero */
 ++d;
 return d - dst;
-}
\ No newline at end of file
+}
diff --git a/lib/utils.h b/lib/utils.h
index 8d210728a..dba71d664 100644
--- a/lib/utils.h
+++ b/lib/utils.h
@@ -216,9 +216,12 @@ const char *kr_inaddr(const struct sockaddr *addr);
 /** Address family. */
 KR_EXPORT KR_PURE
 int kr_inaddr_family(const struct sockaddr *addr);
-/** Address length for given family. */
+/** Address length for given family, i.e. sizeof(struct in*_addr). */
 KR_EXPORT KR_PURE
 int kr_inaddr_len(const struct sockaddr *addr);
+/** Sockaddr length for given family, i.e. sizeof(struct sockaddr_in*). */
+KR_EXPORT KR_PURE
+int kr_sockaddr_len(const struct sockaddr *addr);
 /** Port. */
 KR_EXPORT KR_PURE
 uint16_t kr_inaddr_port(const struct sockaddr *addr);
diff --git a/modules/policy/policy.lua b/modules/policy/policy.lua
index 21209b88a..954b53347 100644
--- a/modules/policy/policy.lua
+++ b/modules/policy/policy.lua
@@ -209,7 +209,7 @@ function policy.TLS_FORWARD(target)
 local auth_type = tls_forward_target_authtype(idx, upstream_list_entry)
 local string_addr = upstream_list_entry[1]
 local sockaddr_c = addr2sock(string_addr, 853)
- local sockaddr_lua = ffi.string(sockaddr_c, ffi.C.kr_inaddr_len(sockaddr_c))
+ local sockaddr_lua = ffi.string(sockaddr_c, ffi.C.kr_sockaddr_len(sockaddr_c))
 if sockaddr_config[sockaddr_lua] then
 error('TLS_FORWARD configuration cannot declare two configs for IP address ' .. string_addr)
 end
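Review bot: The doc comment added for `kr_sockaddr_len` in lib/utils.h describes only the success value, while the implementation added in lib/utils.c returns `kr_error(EINVAL)` for a NULL pointer and for any family other than AF_INET/AF_INET6. Because callers will use the result as a byte count, the error return belongs in the contract, e.g. `/** Sockaddr length for given family, i.e. sizeof(struct sockaddr_in*); kr_error(EINVAL) (negative) for NULL or a non-IP family. */`. The neighbouring `kr_inaddr_len` comment could carry the same remark if its helper behaves alike, which is not visible in this hunk.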
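Review bot: The result of `ffi.C.kr_sockaddr_len(sockaddr_c)` goes straight into `ffi.string` as the length, but the new C function returns `kr_error(EINVAL)` for a NULL pointer or a non-IP family, and a negative length would most likely be converted to a very large size and read far past the buffer. `addr2sock` and the rest of `policy.TLS_FORWARD` lie outside this hunk, so bad targets may already be rejected there; if that is not guaranteed, take the length first with `local len = ffi.C.kr_sockaddr_len(sockaddr_c)` and guard it with `assert(len > 0, 'unsupported address ' .. string_addr)`. Separately, the table key now spans the whole sockaddr, including padding and, for IPv6, the flowinfo and scope fields, so the duplicate-IP check only holds if `addr2sock` returns a zero-initialised struct, which is worth confirming.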