Fixed proper handling of IPv6 net masks

Reported by Pasan Meemaduma. Fixes #1336 (cherry picked from commit 86d3b84)
OpenSIPS · Apr 24, 2018 · 345fbbb · 345fbbb
1 parent 03e24c2
commit 345fbbb
Show file tree

Hide file tree

Showing 2 changed files with 18 additions and 7 deletions.
diff --git a/modules/permissions/address.c b/modules/permissions/address.c
@@ -135,17 +135,19 @@ int reload_address_table(struct pm_part_struct *part_struct)
 			LM_ERR("invalid IP column type on row %d, skipping..\n", i);
 			continue;
 		}
-		if ((VAL_TYPE(val + 1) != DB_INT && VAL_TYPE(val + 1) != DB_BIGINT) || VAL_NULL(val + 1) ||
+		if ((VAL_TYPE(val + 1) != DB_INT && VAL_TYPE(val + 1) != DB_BIGINT) ||
+		VAL_NULL(val + 1) ||
 					VAL_INT(val + 1) < 0) {
 			LM_ERR("invalid group column type on row %d, skipping..\n", i);
 			continue;
 		}
-		if ((VAL_TYPE(val + 2) != DB_INT && VAL_TYPE(val + 2) != DB_BIGINT) || VAL_NULL(val + 2) ||
-					VAL_INT(val + 2) < 0 || VAL_INT(val + 2) > 32) {
+		if ((VAL_TYPE(val + 2) != DB_INT && VAL_TYPE(val + 2) != DB_BIGINT) ||
+		VAL_NULL(val + 2) || VAL_INT(val + 2) < 0) {
 			LM_ERR("invalid mask column type on row %d, skipping..\n", i);
 			continue;
 		}
-		if ((VAL_TYPE(val + 3) != DB_INT && VAL_TYPE(val + 3) != DB_BIGINT) || VAL_NULL(val + 3)) {
+		if ((VAL_TYPE(val + 3) != DB_INT && VAL_TYPE(val + 3) != DB_BIGINT) ||
+		VAL_NULL(val + 3)) {
 			LM_ERR("invalid port column type on row %d, skipping..\n", i);
 			continue;
 		}
@@ -184,6 +186,14 @@ int reload_address_table(struct pm_part_struct *part_struct)
 			continue;
 		}
 
+		/* now that we know the AF family, we can validate the mask len */
+		if ( (ip_addr->af==AF_INET && VAL_INT(val + 2)>32) ||
+		(ip_addr->af==AF_INET6 && VAL_INT(val + 2)>128) ) {
+			LM_DBG("netmask size %d too large of IP's AF %d, ignoring entry"
+				" number %d\n", VAL_INT(val + 2), ip_addr->af, i);
+			continue;
+		}
+
 		/* proto string */
 		if (VAL_TYPE(val+4)==DB_STRING) {
 			str_proto.s = (char*)VAL_STRING(val+4);
@@ -235,7 +245,8 @@ int reload_address_table(struct pm_part_struct *part_struct)
 		port = (unsigned int) VAL_INT(val + 3);
 		mask = (unsigned int) VAL_INT(val + 2);
 
-		if (mask == 32) {
+		if ( (mask == 32 && ip_addr->af==AF_INET) ||
+		(mask == 128 && ip_addr->af==AF_INET6) ) {
 			if (hash_insert(new_hash_table, ip_addr, group, port, proto,
 				&str_pattern, &str_info) == -1) {
 					LM_ERR("hash table insert error\n");

diff --git a/modules/permissions/hash.c b/modules/permissions/hash.c
@@ -249,9 +249,9 @@ int find_group_in_hash_table(struct address_list** table,
 int hash_mi_print(struct address_list **table, struct mi_node* rpl,
 		struct pm_part_struct *pm) {
 	int i;
-    struct address_list *node;
+	struct address_list *node;
 
-    for (i = 0; i < PERM_HASH_SIZE; i++) {
+	for (i = 0; i < PERM_HASH_SIZE; i++) {
 		for (node = table[i]; node; node=node->next) {
 			if (addf_mi_node_child(rpl, 0, "dest", 4,
 				   "%d <%s,%u, %u, %d, %s, %s>",