4483. [func] Check prefixes in acls to make sure the address and

prefix lengths are consistent. Warn only in BIND 9.11 and earlier. [RT #43367]
2026-06-08 23:32:05 -04:00 · 2016-10-11 14:52:28 +11:00 · 2016-10-11 14:52:28 +11:00 · c5d4cfc8aa
commit c5d4cfc8aa
parent 61463ab7a4
6 changed files with 32 additions and 5 deletions
--- a/4
+++ b/4
@ -1,3 +1,7 @@
+4483.	[func]		Check prefixes in acls to make sure the address and
+			prefix lengths are consistent.  Warn only in
+			BIND 9.11 and earlier. [RT #43367]
+
 4482.	[bug]		Address use before require check and remove extraneous
 			dns_message_gettsigkey call in dns_tsig_sign.
 			[RT #43374]
--- a/bin/tests/system/checkconf/bad-acl.conf
+++ b/bin/tests/system/checkconf/bad-acl.conf
@ -0,0 +1,16 @@
+/*
+ * Copyright (C) 2016  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+acl a {
+	{ "none"; };
+	{ !19.0.0.0/7; };
+};
+
+options {
+	allow-query { a; };
+};
--- a/bin/tests/system/checkconf/good-acl.conf
+++ b/bin/tests/system/checkconf/good-acl.conf
@ -8,7 +8,7 @@

 acl a {
 	{ "none"; };
-	{ !19.0.0.0/0; };
+	{ !19.0.0.0/8; };
 };

 options {
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@ -36,7 +36,7 @@ options {
 	hostname none;
 	interface-interval 30;
 	keep-response-order {
-		10.0.0.10/24;
+		10.0.10.0/24;
 	};
 	listen-on port 90 {
 		"any";
--- a/bin/tests/system/pending/ns2/named.conf
+++ b/bin/tests/system/pending/ns2/named.conf
@ -41,7 +41,7 @@ zone "example" {
 zone "example.com" {
 	type master;
 	file "example.com.db.signed";
-	allow-update { 10.53.0.0/8; };
+	allow-update { 10.53.0.0/16; };
 };

 zone "good" {
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@ -6,8 +6,6 @@
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */

-/* $Id$ */
-
 #include <config.h>

 #include <isc/mem.h>
@ -712,6 +710,15 @@ cfg_acl_fromconfig2(const cfg_obj_t *caml, const cfg_obj_t *cctx,
 					dns_acl_detach(&de->nestedacl);
 				continue;
 			}
+			result = isc_netaddr_prefixok(&addr, bitlen);
+			if (result != ISC_R_SUCCESS) {
+				char buf[ISC_NETADDR_FORMATSIZE + 1];
+				isc_netaddr_format(&addr, buf, sizeof(buf));
+				cfg_obj_log(ce, lctx, ISC_LOG_WARNING,
+					    "'%s/%u': address/prefix length "
+					    "mismatch", buf, bitlen);
+				goto cleanup;
+			}

 			/*
 			 * If nesting ACLs (nest_level != 0), we negate