wg: warn if an AllowedIP has a nonzero host part

Signed-off-by: Luis Ressel <aranea@aixah.de>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Luis Ressel 2019-03-17 00:02:32 +01:00 committed by Jason A. Donenfeld
parent 7c20ac5ce2
commit 84cf22da0d


@ -287,6 +287,37 @@ err:
return false; return false;
} }
static bool validate_netmask(struct wgallowedip *allowedip)
{
uint32_t *ip;
int last;
switch (allowedip->family) {
case AF_INET:
last = 0;
ip = (uint32_t *)&allowedip->ip4;
break;
case AF_INET6:
last = 3;
ip = (uint32_t *)&allowedip->ip6;
break;
default:
return true; /* We don't know how to validate it, so say 'okay'. */
}
for (int i = last; i >= 0; --i) {
uint32_t mask = ~0;
if (allowedip->cidr >= 32 * (i + 1))
break;
if (allowedip->cidr > 32 * i)
mask >>= (allowedip->cidr - 32 * i);
if (ntohl(ip[i]) & mask)
return false;
}
return true;
}
static inline bool parse_allowedips(struct wgpeer *peer, struct wgallowedip **last_allowedip, const char *value) static inline bool parse_allowedips(struct wgpeer *peer, struct wgallowedip **last_allowedip, const char *value)
{ {
@ -339,6 +370,9 @@ static inline bool parse_allowedips(struct wgpeer *peer, struct wgallowedip **la
goto err; goto err;
new_allowedip->cidr = cidr; new_allowedip->cidr = cidr;
if (!validate_netmask(new_allowedip))
fprintf(stderr, "Warning: AllowedIP has nonzero host part: %s/%s\n", ip, mask);
if (allowedip) if (allowedip)
allowedip->next_allowedip = new_allowedip; allowedip->next_allowedip = new_allowedip;
else else
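Review bot: validate_netmask reads the address through `ip = (uint32_t *)&allowedip->ip6` (and likewise for `ip4`), which assumes `struct in6_addr` is 4-byte aligned and may legally be accessed as uint32_t; glibc's union layout happens to permit that, but POSIX only guarantees the byte array `s6_addr`, so on another libc the cast is a strict-aliasing and misalignment hazard. A byte-wise walk over `s6_addr` and over the four bytes of `ip4` (already in network order, so no `ntohl` is needed) yields the same answer with no cast and a single loop for both families. The parameter could also be `const struct wgallowedip *`, since the function only reads it. The check still relies on `cidr` having been range-checked against the family width before `new_allowedip->cidr = cidr;` in parse_allowedips, which begins and ends outside this hunk; I assume the `goto err` just above covers that.
```c
static bool validate_netmask(const struct wgallowedip *allowedip)
{
	const uint8_t *ip;
	int len;

	switch (allowedip->family) {
	case AF_INET:
		ip = (const uint8_t *)&allowedip->ip4; /* network byte order: byte 0 is most significant */
		len = 4;
		break;
	case AF_INET6:
		ip = allowedip->ip6.s6_addr; /* the only portably guaranteed member */
		len = 16;
		break;
	default:
		return true; /* We don't know how to validate it, so say 'okay'. */
	}

	for (int i = 0; i < len; ++i) {
		uint8_t mask = 0xff;
		int bits = (int)allowedip->cidr - 8 * i; /* prefix bits covering this byte */

		if (bits >= 8)
			continue; /* byte is entirely within the prefix */
		if (bits > 0)
			mask >>= bits; /* keep only the host bits of this byte */
		if (ip[i] & mask)
			return false;
	}
	return true;
}
```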