From c5d4cfc8aaedb5498a70bc49845209ac948558b9 Mon Sep 17 00:00:00 2001
From: Mark Andrews
Date: Tue, 11 Oct 2016 14:52:28 +1100
Subject: [PATCH] 4483. [func] Check prefixes in acls to make sure the address and prefix lengths are consistent. Warn only in BIND 9.11 and earlier. [RT #43367]
---
 CHANGES | 4 ++++
 bin/tests/system/checkconf/bad-acl.conf | 16 ++++++++++++++++
 bin/tests/system/checkconf/good-acl.conf | 2 +-
 bin/tests/system/checkconf/good.conf | 2 +-
 bin/tests/system/pending/ns2/named.conf | 2 +-
 lib/isccfg/aclconf.c | 11 +++++++++--
 6 files changed, 32 insertions(+), 5 deletions(-)
 create mode 100644 bin/tests/system/checkconf/bad-acl.conf
diff --git a/CHANGES b/CHANGES
index 4450be6bab..b8ddcbf7d5 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,7 @@
+4483. [func] Check prefixes in acls to make sure the address and
+ prefix lengths are consistent. Warn only in
+ BIND 9.11 and earlier. [RT #43367]
+
 4482. [bug] Address use before require check and remove extraneous dns_message_gettsigkey call in dns_tsig_sign. [RT #43374]
diff --git a/bin/tests/system/checkconf/bad-acl.conf b/bin/tests/system/checkconf/bad-acl.conf
new file mode 100644
index 0000000000..803a199feb
--- /dev/null
+++ b/bin/tests/system/checkconf/bad-acl.conf
@@ -0,0 +1,16 @@
+/*
+ * Copyright (C) 2016 Internet Systems Consortium, Inc. ("ISC")
+ *
+ * This Source Code Form is subject to the terms of the Mozilla Public
+ * License, v. 2.0. If a copy of the MPL was not distributed with this
+ * file, You can obtain one at http://mozilla.org/MPL/2.0/.
+ */
+
+acl a {
+ { "none"; };
+ { !19.0.0.0/7; };
+};
+
+options {
+ allow-query { a; };
+};
diff --git a/bin/tests/system/checkconf/good-acl.conf b/bin/tests/system/checkconf/good-acl.conf
index 7249b6fc3f..c80ed0cd8a 100644
--- a/bin/tests/system/checkconf/good-acl.conf
+++ b/bin/tests/system/checkconf/good-acl.conf
@@ -8,7 +8,7 @@ acl a {
 { "none"; };
- { !19.0.0.0/0; };
+ { !19.0.0.0/8; };
 };
 options {
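Review bot: The new bad-acl.conf fixture covers only one shape of the address/prefix mismatch — a negated IPv4 element, `{ !19.0.0.0/7; };` — so a non-negated element and an IPv6 prefix with host bits set remain untested, although the check added in aclconf.c (`isc_netaddr_prefixok(&addr, bitlen)`) presumably applies to both families. Because that check does `goto cleanup` on the first mismatch, a second element in the same acl would never be reached, so the extra cases belong in sibling fixtures rather than in this file, e.g. one holding `{ 2001:db8::1/64; };` (constructed example) — assuming, as the bad-*.conf naming suggests, that the checkconf test expects every such file to be rejected. A one-line comment in the fixture stating what is deliberately wrong, such as `/* host bits set beyond the /7 prefix: must be rejected */`, would also stop a future cleanup from "fixing" the address and silently hollowing out the test.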
diff --git a/bin/tests/system/checkconf/good.conf b/bin/tests/system/checkconf/good.conf
index b80a843378..e7df659100 100644
--- a/bin/tests/system/checkconf/good.conf
+++ b/bin/tests/system/checkconf/good.conf
@@ -36,7 +36,7 @@ options {
 hostname none;
 interface-interval 30;
 keep-response-order {
- 10.0.0.10/24;
+ 10.0.10.0/24;
 };
 listen-on port 90 {
 "any";
diff --git a/bin/tests/system/pending/ns2/named.conf b/bin/tests/system/pending/ns2/named.conf
index 832f08c46e..a6ac98a6c1 100644
--- a/bin/tests/system/pending/ns2/named.conf
+++ b/bin/tests/system/pending/ns2/named.conf
@@ -41,7 +41,7 @@ zone "example" {
 zone "example.com" {
 type master;
 file "example.com.db.signed";
- allow-update { 10.53.0.0/8; };
+ allow-update { 10.53.0.0/16; };
 };
 zone "good" {
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c
index 83f5937d2f..8743e2eaf1 100644
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@@ -6,8 +6,6 @@
 * file, You can obtain one at http://mozilla.org/MPL/2.0/.
 */
-/* $Id$ */
-
 #include
 #include
@@ -712,6 +710,15 @@ cfg_acl_fromconfig2(const cfg_obj_t *caml, const cfg_obj_t *cctx,
 dns_acl_detach(&de->nestedacl);
 continue;
 }
+ result = isc_netaddr_prefixok(&addr, bitlen);
+ if (result != ISC_R_SUCCESS) {
+ char buf[ISC_NETADDR_FORMATSIZE + 1];
+ isc_netaddr_format(&addr, buf, sizeof(buf));
+ cfg_obj_log(ce, lctx, ISC_LOG_WARNING,
+ "'%s/%u': address/prefix length "
+ "mismatch", buf, bitlen);
+ goto cleanup;
+ }
 /*
 * If nesting ACLs (nest_level != 0), we negate