DeforaNetworks/fwknop
DeforaNetworks/fwknop
3
0
Fork 0
Code Releases Activity

Adds a length modifier to is_valid_ipv4_addr

Browse Source
This commit is contained in:
Jonathan Bennett 2016-05-07 21:15:54 -05:00
parent d4ec9a0755
commit dc9ad5de4a
10 changed files with 41 additions and 37 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
client/config_init.c
View File

@ -982,7 +982,7 @@ parse_rc_param(fko_cli_options_t *options, const char *var_name, char * val)
else /* Assume IP address and validate */
{
strlcpy(options->allow_ip_str, val, sizeof(options->allow_ip_str));
if(! is_valid_ipv4_addr(options->allow_ip_str))
if(! is_valid_ipv4_addr(options->allow_ip_str, strlen(options->allow_ip_str)))
parse_error = -1;
}
}
@ -1882,7 +1882,7 @@ validate_options(fko_cli_options_t *options)
{
options->resolve_ip_http_https = 0;
if(! is_valid_ipv4_addr(options->allow_ip_str))
if(! is_valid_ipv4_addr(options->allow_ip_str, strlen(options->allow_ip_str)))
{
log_msg(LOG_VERBOSITY_ERROR,
"Invalid allow IP specified for SPA access");
@ -1892,7 +1892,7 @@ validate_options(fko_cli_options_t *options)
if (options->spoof_ip_src_str[0] != 0x00)
{
if(! is_valid_ipv4_addr(options->spoof_ip_src_str))
if(! is_valid_ipv4_addr(options->spoof_ip_src_str, strlen(options->spoof_ip_src_str)))
{
log_msg(LOG_VERBOSITY_ERROR, "Invalid spoof IP");
exit(EXIT_FAILURE);

2
client/fwknop.c
View File

@ -124,7 +124,7 @@ is_hostname_str_with_port(const char *str)
/* If the string does not match an ipv4 or ipv6 address we assume this
* is an hostname. We make sure the port is in the good range too */
if ( (is_valid_ipv4_addr(buf) == 0)
if ( (is_valid_ipv4_addr(buf, strlen(buf)) == 0)
&& (is_ipv6_str(buf) == 0)
&& ((port > 0) && (port < 65536)) )
{

34
common/fko_util.c
View File

@ -122,9 +122,10 @@ is_valid_encoded_msg_len(const int len)
/* Validate an IPv4 address
*/
int
is_valid_ipv4_addr(const char * const ip_str)
is_valid_ipv4_addr(const char * const ip_str, const int len)
{
const char *ndx = ip_str;
char tmp_ip_str[MAX_IPV4_STR_LEN + 1]={0};
int dot_ctr = 0, char_ctr = 0;
int res = 1;
#if HAVE_SYS_SOCKET_H
@ -134,14 +135,18 @@ is_valid_ipv4_addr(const char * const ip_str)
if(ip_str == NULL)
return 0;
while(*ndx != '\0')
if((len > MAX_IPV4_STR_LEN) || (len < MIN_IPV4_STR_LEN))
return 0;
while(char_ctr < len)
{
/* If we've hit a null within the given length, then not valid regardless*/
if(*ndx == '\0')
return 0;
char_ctr++;
if(char_ctr >= MAX_IPV4_STR_LEN)
{
res = 0;
break;
}
if(*ndx == '.')
dot_ctr++;
else if(isdigit(*ndx) == 0)
@ -151,23 +156,22 @@ is_valid_ipv4_addr(const char * const ip_str)
}
ndx++;
}
if(char_ctr >= MAX_IPV4_STR_LEN)
res = 0;
if ((res == 1) && (char_ctr < MIN_IPV4_STR_LEN))
res = 0;
if((res == 1) && dot_ctr != 3)
if((res == 1) && (dot_ctr != 3))
res = 0;
#if HAVE_SYS_SOCKET_H
/* Stronger IP validation now that we have a candidate that looks
* close enough
*/
if((res == 1) && (inet_aton(ip_str, &in) == 0))
res = 0;
if(res == 1) {
strncpy(tmp_ip_str, ip_str, len);
if (inet_aton(tmp_ip_str, &in) == 0)
res = 0;
}
#endif
return(res);
}

2
common/fko_util.h
View File

@ -40,7 +40,7 @@
*/
int is_valid_encoded_msg_len(const int len);
int is_valid_pt_msg_len(const int len);
int is_valid_ipv4_addr(const char * const ip_str);
int is_valid_ipv4_addr(const char * const ip_str, const int len);
int is_base64(const unsigned char * const buf, const unsigned short int len);
void hex_dump(const unsigned char *data, const int size);
int enc_mode_strtoint(const char *enc_mode_str);

2
lib/fko_message.c
View File

@ -64,7 +64,7 @@ have_allow_ip(const char *msg)
res = FKO_ERROR_INVALID_ALLOW_IP;
if(res == FKO_SUCCESS)
if (! is_valid_ipv4_addr(ip_str))
if (! is_valid_ipv4_addr(ip_str, strlen(ip_str)))
res = FKO_ERROR_INVALID_ALLOW_IP;
return(res);

4
server/access.c
View File

@ -297,7 +297,7 @@ add_acc_force_nat(fko_srv_options_t *opts, acc_stanza_t *curr_acc,
clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
}
if(! is_valid_ipv4_addr(ip_str))
if(! is_valid_ipv4_addr(ip_str, strlen(ip_str)))
{
log_msg(LOG_ERR,
"[*] Fatal: invalid FORCE_NAT IP '%s'", ip_str);
@ -327,7 +327,7 @@ add_acc_force_snat(fko_srv_options_t *opts, acc_stanza_t *curr_acc,
clean_exit(opts, NO_FW_CLEANUP, EXIT_FAILURE);
}
if(! is_valid_ipv4_addr(ip_str))
if(! is_valid_ipv4_addr(ip_str, strlen(ip_str)))
{
log_msg(LOG_ERR,
"[*] Fatal: invalid FORCE_SNAT IP '%s'", ip_str);

4
server/config_init.c
View File

@ -554,7 +554,7 @@ validate_options(fko_srv_options_t *opts)
*/
if(opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)
{
if(! is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP]))
if(! is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP], strlen(opts->config[CONF_SNAT_TRANSLATE_IP])))
{
log_msg(LOG_ERR,
"Invalid IPv4 addr for SNAT_TRANSLATE_IP"
@ -697,7 +697,7 @@ validate_options(fko_srv_options_t *opts)
*/
if(opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)
{
if(! is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP]))
if(! is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP], strlen(opts->config[CONF_SNAT_TRANSLATE_IP])))
{
log_msg(LOG_ERR,
"Invalid IPv4 addr for SNAT_TRANSLATE_IP"

10
server/fw_util_firewalld.c
View File

@ -1389,7 +1389,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
/* Add SNAT or MASQUERADE rules.
*/
if(acc->force_snat && is_valid_ipv4_addr(acc->force_snat_ip))
if(acc->force_snat && is_valid_ipv4_addr(acc->force_snat_ip, strlen(acc->force_snat_ip)))
{
/* Using static SNAT */
snat_chain = &(opts->fw_config->chain[FIREWD_SNAT_ACCESS]);
@ -1397,7 +1397,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
"--to-source %s", acc->force_snat_ip);
}
else if((opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)
&& is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP]))
&& is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP], strlen(opts->config[CONF_SNAT_TRANSLATE_IP])))
{
/* Using static SNAT */
snat_chain = &(opts->fw_config->chain[FIREWD_SNAT_ACCESS]);
@ -1423,7 +1423,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
{
/* Add SNAT or MASQUERADE rules.
*/
if(acc->force_snat && is_valid_ipv4_addr(acc->force_snat_ip))
if(acc->force_snat && is_valid_ipv4_addr(acc->force_snat_ip, strlen(acc->force_snat_ip)))
{
/* Using static SNAT */
snat_chain = &(opts->fw_config->chain[FIREWD_SNAT_ACCESS]);
@ -1438,7 +1438,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
"--to-ports %i", fst_port);
}
else if((opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)
&& is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP]))
&& is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP], strlen(opts->config[CONF_SNAT_TRANSLATE_IP])))
{
/* Using static SNAT */
snat_chain = &(opts->fw_config->chain[FIREWD_SNAT_ACCESS]);
@ -1549,7 +1549,7 @@ process_spa_request(const fko_srv_options_t * const opts,
if((ndx != NULL) && (str_len <= MAX_HOSTNAME_LEN))
{
strlcpy(nat_dst, spadat->nat_access, str_len+1);
if((! is_valid_ipv4_addr(nat_dst)))
if((! is_valid_ipv4_addr(nat_dst, strlen(nat_dst))))
{
if(strncasecmp(opts->config[CONF_ENABLE_NAT_DNS], "Y", 1)==0)
{

10
server/fw_util_iptables.c
View File

@ -1377,7 +1377,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
/* Add SNAT or MASQUERADE rules.
*/
if(acc->force_snat && is_valid_ipv4_addr(acc->force_snat_ip))
if(acc->force_snat && is_valid_ipv4_addr(acc->force_snat_ip, strlen(acc->force_snat_ip)))
{
/* Using static SNAT */
snat_chain = &(opts->fw_config->chain[IPT_SNAT_ACCESS]);
@ -1385,7 +1385,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
"--to-source %s", acc->force_snat_ip);
}
else if((opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)
&& is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP]))
&& is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP], strlen(opts->config[CONF_SNAT_TRANSLATE_IP])))
{
/* Using static SNAT */
snat_chain = &(opts->fw_config->chain[IPT_SNAT_ACCESS]);
@ -1411,7 +1411,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
{
/* Add SNAT or MASQUERADE rules.
*/
if(acc->force_snat && is_valid_ipv4_addr(acc->force_snat_ip))
if(acc->force_snat && is_valid_ipv4_addr(acc->force_snat_ip, strlen(acc->force_snat_ip)))
{
/* Using static SNAT */
snat_chain = &(opts->fw_config->chain[IPT_SNAT_ACCESS]);
@ -1426,7 +1426,7 @@ static void snat_rule(const fko_srv_options_t * const opts,
"--to-ports %i", fst_port);
}
else if((opts->config[CONF_SNAT_TRANSLATE_IP] != NULL)
&& is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP]))
&& is_valid_ipv4_addr(opts->config[CONF_SNAT_TRANSLATE_IP], strlen(opts->config[CONF_SNAT_TRANSLATE_IP])))
{
/* Using static SNAT */
snat_chain = &(opts->fw_config->chain[IPT_SNAT_ACCESS]);
@ -1538,7 +1538,7 @@ process_spa_request(const fko_srv_options_t * const opts,
if((ndx != NULL) && (str_len <= MAX_HOSTNAME_LEN))
{
strlcpy(nat_dst, spadat->nat_access, str_len+1);
if((! is_valid_ipv4_addr(nat_dst)))
if(! is_valid_ipv4_addr(nat_dst, strlen(nat_dst)))
{
if(strncasecmp(opts->config[CONF_ENABLE_NAT_DNS], "Y", 1)==0)
{

4
server/incoming_spa.c
View File

@ -119,7 +119,7 @@ preprocess_spa_data(const fko_srv_options_t *opts, spa_pkt_info_t *spa_pkt, spa_
xff -= i - 1;
if (!is_valid_ipv4_addr(xff))
if (!is_valid_ipv4_addr(xff, strlen(xff)))
log_msg(LOG_WARNING,
"Error parsing X-Forwarded-For header: value '%s' is not an IP address",
xff);
@ -1090,7 +1090,7 @@ incoming_spa(fko_srv_options_t *opts)
strlcpy(spadat.spa_message_src_ip,
spadat.spa_message, (spa_ip_demark-spadat.spa_message)+1);
if(! is_valid_ipv4_addr(spadat.spa_message_src_ip))
if(! is_valid_ipv4_addr(spadat.spa_message_src_ip, strlen(spadat.spa_message_src_ip)))
{
log_msg(LOG_WARNING,
"[%s] (stanza #%d) Invalid source IP in SPA message, ignoring SPA packet",