From: Michael Rash Date: Mon, 3 Sep 2012 04:21:32 +0000 (-0400) Subject: added inet_aton() call for IP strong IP validation (credit: Fernando Arnaboldi) X-Git-Tag: fwknop-2.0.3~7 X-Git-Url: http://www.cipherdyne.com/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff_plain;h=263fa01f2af1d336961df320f1c7a9ea84ddac9a added inet_aton() call for IP strong IP validation (credit: Fernando Arnaboldi)
---
diff --git a/lib/fko_message.c b/lib/fko_message.c
index 3228dfa..d74d58a 100644
--- a/lib/fko_message.c
+++ b/lib/fko_message.c
@@ -29,6 +29,7 @@ * ***************************************************************************** */
+#include "fko_message.h" #include "fko_common.h" #include "fko.h"
@@ -265,12 +266,17 @@ validate_nat_access_msg(const char *msg) int got_allow_ip(const char *msg) {
- const char *ndx = msg;
- int dot_ctr = 0, char_ctr = 0;
- int res = FKO_SUCCESS;
+ const char *ndx = msg;
+ char ip_str[MAX_IPV4_STR_LEN];
+ int dot_ctr = 0, char_ctr = 0;
+ int res = FKO_SUCCESS;
+#if HAVE_SYS_SOCKET_H
+ struct in_addr in;
+#endif while(*ndx != ',' && *ndx != '\0') {
+ ip_str[char_ctr] = *ndx; char_ctr++; if(char_ctr >= MAX_IPV4_STR_LEN) {
@@ -287,12 +293,25 @@ got_allow_ip(const char *msg) ndx++; }
- if (char_ctr < MIN_IPV4_STR_LEN)
+ if(char_ctr < MAX_IPV4_STR_LEN)
+ ip_str[char_ctr] = '\0';
+ else res = FKO_ERROR_INVALID_ALLOW_IP;
- if(dot_ctr != 3)
+ if ((res == FKO_SUCCESS) && (char_ctr < MIN_IPV4_STR_LEN)) res = FKO_ERROR_INVALID_ALLOW_IP;
+ if((res == FKO_SUCCESS) && dot_ctr != 3)
+ res = FKO_ERROR_INVALID_ALLOW_IP;
+
+#if HAVE_SYS_SOCKET_H
+ /* Stronger IP validation now that we have a candidate that looks
+ * close enough
+ */
+ if((res == FKO_SUCCESS) && (inet_aton(ip_str, &in) == 0))
+ res = FKO_ERROR_INVALID_ALLOW_IP;
+#endif
+ return(res); }
diff --git a/lib/fko_message.h b/lib/fko_message.h
index 8350460..7be313a 100644
--- a/lib/fko_message.h
+++ b/lib/fko_message.h 
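Review bot: In the second hunk `ip_str[char_ctr] = *ndx;` stores into the new buffer before the `if(char_ctr >= MAX_IPV4_STR_LEN)` test that follows it, so the store stays in bounds only if the body of that `if`, which lies outside this hunk, leaves the loop; if it merely records the error and keeps iterating, every later character is written past the end of `ip_str`. Placing the guard ahead of the store makes the bound visible at the write itself, e.g. `if(char_ctr >= MAX_IPV4_STR_LEN) { res = FKO_ERROR_INVALID_ALLOW_IP; break; }` immediately before `ip_str[char_ctr] = *ndx;`, and the `char_ctr < MAX_IPV4_STR_LEN` test in the next hunk then still guarantees room for the terminator. The loop body of got_allow_ip continues beyond the end of this hunk.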
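Review bot: In the third hunk `inet_aton()` accepts more than dotted-decimal: an octet with a leading `0` is read as octal and a `0x` prefix as hex, so with the `dot_ctr != 3` filter in front of it a string such as `010.0.0.1` passes validation while denoting `8.0.0.1`; if any later consumer of the original string reads that octet as decimal, the address validated here and the address enforced differ. `inet_pton(AF_INET, ip_str, &in) != 1` interprets octets as decimal only and is the POSIX interface, so the octal and hex spellings can no longer name a different host. The `#if HAVE_SYS_SOCKET_H` wrapper also means the stronger check is compiled out without notice on a build lacking that header, leaving only the length and dot count, which is worth at least a comment on the `#else` path.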
@@ -32,6 +32,11 @@ #ifndef FKO_MESSAGE_H #define FKO_MESSAGE_H 1
+#if HAVE_SYS_SOCKET_H
+ #include
+#endif
+#include
+ #define MAX_PROTO_STR_LEN 4 /* tcp, udp, icmp for now */ #define MAX_PORT_STR_LEN 5
diff --git a/test/conf/fuzzing_open_ports_access.conf b/test/conf/fuzzing_open_ports_access.conf
new file mode 100644
index 0000000..d79f1ce
--- /dev/null
+++ b/test/conf/fuzzing_open_ports_access.conf
@@ -0,0 +1,4 @@
+SOURCE: 4.3.2.0/24, 127.0.0.0/24, 123.123.123.123/24, 23.43.0.0/16, 10.10.10.10;
+OPEN_PORTS: udp/6001, tcp/22, tcp/80, tcp/123453;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT: 3;
diff --git a/test/conf/fuzzing_restrict_ports_access.conf b/test/conf/fuzzing_restrict_ports_access.conf
new file mode 100644
index 0000000..baf6ae0
--- /dev/null
+++ b/test/conf/fuzzing_restrict_ports_access.conf
@@ -0,0 +1,5 @@
+SOURCE: 4.3.2.0/24, 127.0.0.0/24, 123.123.123.123/24, 23.43.0.0/16, 10.10.10.10;
+OPEN_PORTS: udp/6001, tcp/22, tcp/80, tcp/12345;
+RESTRICT_PORTS: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT: 3;
diff --git a/test/conf/fuzzing_source_access.conf b/test/conf/fuzzing_source_access.conf
new file mode 100644
index 0000000..78281ba
--- /dev/null
+++ b/test/conf/fuzzing_source_access.conf
@@ -0,0 +1,4 @@
+SOURCE: 4.3.2.0/24, 127.0.0.0/24, 123.123.123.1234/24, 23.43.0.0/16, A0.10.10.10;
+OPEN_PORTS: udp/6001, tcp/22, tcp/80, tcp/12345;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT: 3;
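Review bot: The guard added to fko_message.h is `#if HAVE_SYS_SOCKET_H`, but what got_allow_ip() needs from these headers is `struct in_addr` and `inet_aton()`, which are declared in `netinet/in.h` and `arpa/inet.h` rather than `sys/socket.h`, so the macro can be true on a platform where the call still does not compile and false on one where it would, and in the second case the stronger validation silently disappears. The include targets themselves are not visible on this rendering of the patch, so I cannot confirm which headers the two `#include` lines name. Guarding on a configure check for the function actually used, or including `<arpa/inet.h>` unconditionally and calling POSIX `inet_pton()`, ties the `#if` to the capability the code depends on.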