added inet_aton() call for IP strong IP validation (credit: Fernando Arnaboldi)

2012-09-03 00:21:32 -04:00 · 2012-09-03 00:21:32 -04:00 · 263fa01f2a
commit 263fa01f2a
parent ffe4d3b162
5 changed files with 42 additions and 5 deletions
--- a/lib/fko_message.c
+++ b/lib/fko_message.c
@ -29,6 +29,7 @@
 *
 *****************************************************************************
 */
+#include "fko_message.h"
 #include "fko_common.h"
 #include "fko.h"

@ -265,12 +266,17 @@ validate_nat_access_msg(const char *msg)
 int
 got_allow_ip(const char *msg)
 {
-    const char *ndx     = msg;
-    int         dot_ctr = 0, char_ctr = 0;
-    int         res     = FKO_SUCCESS;
+    const char         *ndx     = msg;
+    char                ip_str[MAX_IPV4_STR_LEN];
+    int                 dot_ctr = 0, char_ctr = 0;
+    int                 res     = FKO_SUCCESS;
+#if HAVE_SYS_SOCKET_H
+    struct in_addr      in;
+#endif

    while(*ndx != ',' && *ndx != '\0')
    {
+        ip_str[char_ctr] = *ndx;
        char_ctr++;
        if(char_ctr >= MAX_IPV4_STR_LEN)
        {
@ -287,12 +293,25 @@ got_allow_ip(const char *msg)
        ndx++;
    }

-    if (char_ctr < MIN_IPV4_STR_LEN)
+    if(char_ctr < MAX_IPV4_STR_LEN)
+        ip_str[char_ctr] = '\0';
+    else
        res = FKO_ERROR_INVALID_ALLOW_IP;

-    if(dot_ctr != 3)
+    if ((res == FKO_SUCCESS) && (char_ctr < MIN_IPV4_STR_LEN))
        res = FKO_ERROR_INVALID_ALLOW_IP;

+    if((res == FKO_SUCCESS) && dot_ctr != 3)
+        res = FKO_ERROR_INVALID_ALLOW_IP;
+
+#if HAVE_SYS_SOCKET_H
+    /* Stronger IP validation now that we have a candidate that looks
+     * close enough
+    */
+    if((res == FKO_SUCCESS) && (inet_aton(ip_str, &in) == 0))
+        res = FKO_ERROR_INVALID_ALLOW_IP;
+#endif
+
    return(res);
 }

--- a/lib/fko_message.h
+++ b/lib/fko_message.h
@ -32,6 +32,11 @@
 #ifndef FKO_MESSAGE_H
 #define FKO_MESSAGE_H 1

+#if HAVE_SYS_SOCKET_H
+  #include <sys/socket.h>
+#endif
+#include <arpa/inet.h>
+
 #define MAX_PROTO_STR_LEN   4  /* tcp, udp, icmp for now */
 #define MAX_PORT_STR_LEN    5

--- a/test/conf/fuzzing_open_ports_access.conf
+++ b/test/conf/fuzzing_open_ports_access.conf
@ -0,0 +1,4 @@
+SOURCE: 4.3.2.0/24, 127.0.0.0/24, 123.123.123.123/24, 23.43.0.0/16, 10.10.10.10;
+OPEN_PORTS: udp/6001, tcp/22, tcp/80, tcp/123453;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT:  3;
--- a/test/conf/fuzzing_restrict_ports_access.conf
+++ b/test/conf/fuzzing_restrict_ports_access.conf
@ -0,0 +1,5 @@
+SOURCE: 4.3.2.0/24, 127.0.0.0/24, 123.123.123.123/24, 23.43.0.0/16, 10.10.10.10;
+OPEN_PORTS: udp/6001, tcp/22, tcp/80, tcp/12345;
+RESTRICT_PORTS: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT:  3;
--- a/test/conf/fuzzing_source_access.conf
+++ b/test/conf/fuzzing_source_access.conf
@ -0,0 +1,4 @@
+SOURCE: 4.3.2.0/24, 127.0.0.0/24, 123.123.123.1234/24, 23.43.0.0/16, A0.10.10.10;
+OPEN_PORTS: udp/6001, tcp/22, tcp/80, tcp/12345;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT:  3;