Fixed proper handling of IPv6 net masks

Reported by Pasan Meemaduma. Fixes #1336 (cherry picked from commit 86d3b84)
OpenSIPS · Apr 24, 2018 · 1f4f3f0 · 1f4f3f0
1 parent 8856acf
commit 1f4f3f0
Show file tree

Hide file tree

Showing 2 changed files with 28 additions and 9 deletions.
diff --git a/modules/permissions/address.c b/modules/permissions/address.c
@@ -135,17 +135,19 @@ int reload_address_table(struct pm_part_struct *part_struct)
 			LM_ERR("invalid IP column type on row %d, skipping..\n", i);
 			continue;
 		}
-		if ((VAL_TYPE(val + 1) != DB_INT && VAL_TYPE(val + 1) != DB_BIGINT) || VAL_NULL(val + 1) ||
+		if ((VAL_TYPE(val + 1) != DB_INT && VAL_TYPE(val + 1) != DB_BIGINT) ||
+		VAL_NULL(val + 1) ||
 					VAL_INT(val + 1) < 0) {
 			LM_ERR("invalid group column type on row %d, skipping..\n", i);
 			continue;
 		}
-		if ((VAL_TYPE(val + 2) != DB_INT && VAL_TYPE(val + 2) != DB_BIGINT) || VAL_NULL(val + 2) ||
-					VAL_INT(val + 2) < 0 || VAL_INT(val + 2) > 32) {
+		if ((VAL_TYPE(val + 2) != DB_INT && VAL_TYPE(val + 2) != DB_BIGINT) ||
+		VAL_NULL(val + 2) || VAL_INT(val + 2) < 0) {
 			LM_ERR("invalid mask column type on row %d, skipping..\n", i);
 			continue;
 		}
-		if ((VAL_TYPE(val + 3) != DB_INT && VAL_TYPE(val + 3) != DB_BIGINT) || VAL_NULL(val + 3)) {
+		if ((VAL_TYPE(val + 3) != DB_INT && VAL_TYPE(val + 3) != DB_BIGINT) ||
+		VAL_NULL(val + 3)) {
 			LM_ERR("invalid port column type on row %d, skipping..\n", i);
 			continue;
 		}
@@ -184,6 +186,14 @@ int reload_address_table(struct pm_part_struct *part_struct)
 			continue;
 		}
 
+		/* now that we know the AF family, we can validate the mask len */
+		if ( (ip_addr->af==AF_INET && VAL_INT(val + 2)>32) ||
+		(ip_addr->af==AF_INET6 && VAL_INT(val + 2)>128) ) {
+			LM_DBG("netmask size %d too large of IP's AF %d, ignoring entry"
+				" number %d\n", VAL_INT(val + 2), ip_addr->af, i);
+			continue;
+		}
+
 		/* proto string */
 		if (VAL_TYPE(val+4)==DB_STRING) {
 			str_proto.s = (char*)VAL_STRING(val+4);
@@ -235,7 +245,8 @@ int reload_address_table(struct pm_part_struct *part_struct)
 		port = (unsigned int) VAL_INT(val + 3);
 		mask = (unsigned int) VAL_INT(val + 2);
 
-		if (mask == 32) {
+		if ( (mask == 32 && ip_addr->af==AF_INET) ||
+		(mask == 128 && ip_addr->af==AF_INET6) ) {
 			if (hash_insert(new_hash_table, ip_addr, group, port, proto,
 				&str_pattern, &str_info) == -1) {
 					LM_ERR("hash table insert error\n");

diff --git a/modules/permissions/hash.c b/modules/permissions/hash.c
@@ -250,11 +250,11 @@ int find_group_in_hash_table(struct address_list** table,
 int hash_mi_print(struct address_list **table, struct mi_node* rpl,
 		struct pm_part_struct *pm) {
 	int i, len;
-    struct address_list *node;
+	struct address_list *node;
 	struct mi_node *dst;
 	char *p, prbuf[PROTO_NAME_MAX_SIZE];
 
-    for (i = 0; i < PERM_HASH_SIZE; i++) {
+	for (i = 0; i < PERM_HASH_SIZE; i++) {
 		for (node = table[i]; node; node=node->next) {
 
 			dst = add_mi_node_child(rpl, 0, MI_SSTR("dest"), NULL, 0);
@@ -273,8 +273,16 @@ int hash_mi_print(struct address_list **table, struct mi_node* rpl,
 				goto out_free;
 			}
 
-			if (!add_mi_attr(dst, MI_DUP_VALUE, MI_SSTR("mask"), MI_SSTR("32"))) {
-				goto out_free;
+			if (node->ip->af==AF_INET) {
+				if (!add_mi_attr(dst, MI_DUP_VALUE, MI_SSTR("mask"),
+				MI_SSTR("32"))) {
+					goto out_free;
+				}
+			} else {
+				if (!add_mi_attr(dst, MI_DUP_VALUE, MI_SSTR("mask"),
+				MI_SSTR("128"))) {
+					goto out_free;
+				}
 			}
 
 			p = int2str(node->port, &len);