Warn when comparing against an AF_UNSPEC address in a policy
It produces unexpected results, and it's most likely a bug.
parent
ce92335214
commit
e2e09a2dbe
6
changes/feature17863
Normal file
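--- /dev/null
+++ b/changes/feature17863
@@ -0,0 +1,6 @@
+o Minor feature (IPv6):
+- Add address policy assume_action support for IPv6 addresses.
+- Limit IPv6 mask bits to 128.
+- Warn when comparing against an AF_UNSPEC address in a policy,
+it's almost always a bug.
+Closes ticket 17863; patch by "teor".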
@ -696,6 +696,10 @@ compare_known_tor_addr_to_addr_policy(const tor_addr_t *addr, uint16_t port,
|
||||
/* We know the address and port, and we know the policy, so we can just
|
||||
* compute an exact match. */
|
||||
SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
|
||||
if (tmpe->addr.family == AF_UNSPEC) {
|
||||
log_warn(LD_BUG, "Policy contains an AF_UNSPEC address, which only "
|
||||
"matches other AF_UNSPEC addresses.");
|
||||
}
|
||||
/* Address is known */
|
||||
if (!tor_addr_compare_masked(addr, &tmpe->addr, tmpe->maskbits,
|
||||
CMP_EXACT)) {
|
||||
@ -723,6 +727,10 @@ compare_known_tor_addr_to_addr_policy_noport(const tor_addr_t *addr,
|
||||
int maybe_accept = 0, maybe_reject = 0;
|
||||
|
||||
SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
|
||||
if (tmpe->addr.family == AF_UNSPEC) {
|
||||
log_warn(LD_BUG, "Policy contains an AF_UNSPEC address, which only "
|
||||
"matches other AF_UNSPEC addresses.");
|
||||
}
|
||||
if (!tor_addr_compare_masked(addr, &tmpe->addr, tmpe->maskbits,
|
||||
CMP_EXACT)) {
|
||||
if (tmpe->prt_min <= 1 && tmpe->prt_max >= 65535) {
|
||||
@ -762,6 +770,10 @@ compare_unknown_tor_addr_to_addr_policy(uint16_t port,
|
||||
int maybe_accept = 0, maybe_reject = 0;
|
||||
|
||||
SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
|
||||
if (tmpe->addr.family == AF_UNSPEC) {
|
||||
log_warn(LD_BUG, "Policy contains an AF_UNSPEC address, which only "
|
||||
"matches other AF_UNSPEC addresses.");
|
||||
}
|
||||
if (tmpe->prt_min <= port && port <= tmpe->prt_max) {
|
||||
if (tmpe->maskbits == 0) {
|
||||
/* Definitely matches, since it covers all addresses. */
|
||||
|
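Review bot: The new `if (tmpe->addr.family == AF_UNSPEC)` check in the first hunk sits inside the SMARTLIST_FOREACH_BEGIN loop of a comparison routine that runs for every policy lookup, so one malformed policy entry emits an unrate-limited LD_BUG warning on every single comparison, and the same applies to the identical blocks in the second and third hunks. A rate-limited form is more appropriate here, e.g. a file-scope `static ratelim_t unspec_warn_limit = RATELIM_INIT(600);` followed by `log_fn_ratelim(&unspec_warn_limit, LOG_WARN, LD_BUG, "Policy contains an AF_UNSPEC address, which only matches other AF_UNSPEC addresses.");` (assuming that helper is available in this tree; otherwise a once-only flag does the same job). Since the block is copy-pasted three times, a small static helper such as `warn_if_af_unspec(const addr_policy_t *tmpe)` would keep the wording and rate limit in one place. The check only warns and then proceeds with tor_addr_compare_masked() as before, which matches the commit's intent; the three enclosing functions all start and end outside their hunks.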