From: Nick Mathewson Date: Wed, 12 Feb 2014 20:59:04 +0000 (-0500) Subject: Disallow "*/maskbits" as an address pattern. X-Git-Tag: tor-0.2.6.2-alpha~89^2 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ecd16edafe5afbf00c5775d9f41457d4b015dc2c;p=thirdparty%2Ftor.git Disallow "*/maskbits" as an address pattern. Fixes bug 7484. We've had this bug back in a8eaa79e031ee04d44 in 0.0.2pre14, when we first started allowing address masks.
---
diff --git a/changes/bug7484 b/changes/bug7484
new file mode 100644
index 0000000000..647992af05
--- /dev/null
+++ b/changes/bug7484
@@ -0,0 +1,4 @@
+ o Minor bugfixes:
+ - Stop allowing invalid address patterns containing both a wildcard
+ address and a bit prefix length. This affects all our
+ address-range parsing code. Fixes bug 7484; bugfix on 0.0.2pre14.
diff --git a/src/common/address.c b/src/common/address.c
index b9f2d93154..be41cc73ac 100644
--- a/src/common/address.c
+++ b/src/common/address.c
@@ -714,6 +714,11 @@ tor_addr_parse_mask_ports(const char *s,
 /* XXXX_IP6 is this really what we want? */
 bits = 96 + bits%32; /* map v4-mapped masks onto 96-128 bits */
 }
+ if (any_flag) {
+ log_warn(LD_GENERAL,
+ "Found bit prefix with wildcard address; rejecting");
+ goto err;
+ }
 } else { /* pick an appropriate mask, as none was given */
 if (any_flag)
 bits = 0; /* This is okay whether it's V6 or V4 (FIX V4-mapped V6!) */
diff --git a/src/test/test_addr.c b/src/test/test_addr.c
index 79ddd95090..7c289c371a 100644
--- a/src/test/test_addr.c
+++ b/src/test/test_addr.c
@@ -646,7 +646,6 @@ test_addr_ip6_helpers(void)
 test_assert(r == -1);
 r=tor_addr_parse_mask_ports("*6",0,&t1, &mask, NULL, NULL);
 test_assert(r == -1);
-#if 0
 /* Try a mask with a wildcard. */
 r=tor_addr_parse_mask_ports("*/16",0,&t1, &mask, NULL, NULL);
 test_assert(r == -1);
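Review bot: The warning added in the src/common/address.c hunk does not say which pattern was rejected, so an operator who sees it cannot tell which policy or configuration entry to correct. The input string `s` is in scope, so the message could carry it, escaped so that a pattern taken from an untrusted document cannot put control characters into the log: `"Found bit prefix with wildcard address; rejecting %s", escaped(s)`. The check appears to sit at the end of the mask-present branch, so it presumably fires for every mask form that branch accepts, while the tests re-enabled in src/test/test_addr.c visibly cover only numeric prefix lengths; a case for each accepted mask form would pin the behaviour. tor_addr_parse_mask_ports starts and ends outside the hunk, so the placement relative to the mask parsing is inferred.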
@@ -656,7 +655,6 @@ test_addr_ip6_helpers(void)
 r=tor_addr_parse_mask_ports("*6/30",TAPMP_EXTENDED_STAR,
 &t1, &mask, NULL, NULL);
 test_assert(r == -1);
-#endif
 /* Basic mask tests*/
 r=tor_addr_parse_mask_ports("1.1.2.2/31",0,&t1, &mask, NULL, NULL);
 test_assert(r == AF_INET);