added inet_aton() call for IP strong IP validation (credit: Fernando Arnaboldi)
authorMichael Rash <mbr@cipherdyne.org>
Mon, 3 Sep 2012 04:21:32 +0000 (00:21 -0400)
committerMichael Rash <mbr@cipherdyne.org>
Mon, 3 Sep 2012 04:21:32 +0000 (00:21 -0400)
lib/fko_message.c
lib/fko_message.h
test/conf/fuzzing_open_ports_access.conf [new file with mode: 0644]
test/conf/fuzzing_restrict_ports_access.conf [new file with mode: 0644]
test/conf/fuzzing_source_access.conf [new file with mode: 0644]

index 3228dfa..d74d58a 100644 (file)
@@ -29,6 +29,7 @@
  *
  *****************************************************************************
 */
+#include "fko_message.h"
 #include "fko_common.h"
 #include "fko.h"
 
@@ -265,12 +266,17 @@ validate_nat_access_msg(const char *msg)
 int
 got_allow_ip(const char *msg)
 {
-    const char *ndx     = msg;
-    int         dot_ctr = 0, char_ctr = 0;
-    int         res     = FKO_SUCCESS;
+    const char         *ndx     = msg;
+    char                ip_str[MAX_IPV4_STR_LEN];
+    int                 dot_ctr = 0, char_ctr = 0;
+    int                 res     = FKO_SUCCESS;
+#if HAVE_SYS_SOCKET_H
+    struct in_addr      in;
+#endif
 
     while(*ndx != ',' && *ndx != '\0')
     {
+        ip_str[char_ctr] = *ndx;
         char_ctr++;
         if(char_ctr >= MAX_IPV4_STR_LEN)
         {
@@ -287,12 +293,25 @@ got_allow_ip(const char *msg)
         ndx++;
     }
 
-    if (char_ctr < MIN_IPV4_STR_LEN)
+    if(char_ctr < MAX_IPV4_STR_LEN)
+        ip_str[char_ctr] = '\0';
+    else
         res = FKO_ERROR_INVALID_ALLOW_IP;
 
-    if(dot_ctr != 3)
+    if ((res == FKO_SUCCESS) && (char_ctr < MIN_IPV4_STR_LEN))
         res = FKO_ERROR_INVALID_ALLOW_IP;
 
+    if((res == FKO_SUCCESS) && dot_ctr != 3)
+        res = FKO_ERROR_INVALID_ALLOW_IP;
+
+#if HAVE_SYS_SOCKET_H
+    /* Stronger IP validation now that we have a candidate that looks
+     * close enough
+    */
+    if((res == FKO_SUCCESS) && (inet_aton(ip_str, &in) == 0))
+        res = FKO_ERROR_INVALID_ALLOW_IP;
+#endif
+
     return(res);
 }
 
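Review bot: The strengthened check on the `inet_aton(ip_str, &in) == 0` line still accepts spellings that the rest of the code is unlikely to interpret the same way, because inet_aton parses an octet with a leading zero as octal (`010.1.1.1` validates but denotes 8.1.1.1) and, unless the part of the loop outside this hunk rejects non-digit characters, hex octets as well; `inet_pton(AF_INET, ip_str, &in) != 1` accepts only strict dotted-decimal and is POSIX, whereas inet_aton is not. The store `ip_str[char_ctr] = *ndx;` in the loop precedes `char_ctr++` and the MAX_IPV4_STR_LEN test, so it stays in bounds only if the body of that test (outside the hunk) leaves the loop; if it merely sets res, the next iteration writes ip_str[MAX_IPV4_STR_LEN]. The `#if HAVE_SYS_SOCKET_H` guard also means a build without that header silently drops the new validation and keeps only the length and dot-count heuristics; a comment such as `/* without sys/socket.h only the syntactic checks above apply */` on an `#else` branch, or a configure-time requirement, would make that visible.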
index 8350460..7be313a 100644 (file)
 #ifndef FKO_MESSAGE_H
 #define FKO_MESSAGE_H 1
 
+#if HAVE_SYS_SOCKET_H
+  #include <sys/socket.h>
+#endif
+#include <arpa/inet.h>
+
 #define MAX_PROTO_STR_LEN   4  /* tcp, udp, icmp for now */
 #define MAX_PORT_STR_LEN    5
 
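Review bot: `#include <arpa/inet.h>` is added unconditionally while `<sys/socket.h>` and the inet_aton() call that needs it are both guarded by HAVE_SYS_SOCKET_H, so a build where that guard is false, the case the guard exists for, will most likely fail on the unguarded include instead of compiling without the extra check. Putting the include inside the same `#if HAVE_SYS_SOCKET_H` block, or moving both includes into fko_message.c next to the only use, keeps the two consistent; the rest of the header is outside the hunk, so it is unclear whether anything else in it needs these declarations. If the call is switched to inet_pton(), arpa/inet.h remains the right header.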
diff --git a/test/conf/fuzzing_open_ports_access.conf b/test/conf/fuzzing_open_ports_access.conf
new file mode 100644 (file)
index 0000000..d79f1ce
--- /dev/null
@@ -0,0 +1,4 @@
+SOURCE: 4.3.2.0/24, 127.0.0.0/24, 123.123.123.123/24, 23.43.0.0/16, 10.10.10.10;
+OPEN_PORTS: udp/6001, tcp/22, tcp/80, tcp/123453;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT:  3;
diff --git a/test/conf/fuzzing_restrict_ports_access.conf b/test/conf/fuzzing_restrict_ports_access.conf
new file mode 100644 (file)
index 0000000..baf6ae0
--- /dev/null
@@ -0,0 +1,5 @@
+SOURCE: 4.3.2.0/24, 127.0.0.0/24, 123.123.123.123/24, 23.43.0.0/16, 10.10.10.10;
+OPEN_PORTS: udp/6001, tcp/22, tcp/80, tcp/12345;
+RESTRICT_PORTS: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT:  3;
diff --git a/test/conf/fuzzing_source_access.conf b/test/conf/fuzzing_source_access.conf
new file mode 100644 (file)
index 0000000..78281ba
--- /dev/null
@@ -0,0 +1,4 @@
+SOURCE: 4.3.2.0/24, 127.0.0.0/24, 123.123.123.1234/24, 23.43.0.0/16, A0.10.10.10;
+OPEN_PORTS: udp/6001, tcp/22, tcp/80, tcp/12345;
+KEY: fwknoptest;
+FW_ACCESS_TIMEOUT:  3;