When matching an address with a netmask in sudoers, AND the mask and addr before checking against the local addresses.
Todd C. Miller
2011-08-27 12:09:30 -04:00
parent 526a61004d
commit a47f005437


@@ -679,18 +679,20 @@ addr_matches_if_netmask(char *n, char *m)
mask.ip4.s_addr = 0xffffffff - (1 << (32 - i)) + 1; mask.ip4.s_addr = 0xffffffff - (1 << (32 - i)) + 1;
mask.ip4.s_addr = htonl(mask.ip4.s_addr); mask.ip4.s_addr = htonl(mask.ip4.s_addr);
} }
addr.ip4.s_addr &= mask.ip4.s_addr;
} }
#ifdef HAVE_IN6_ADDR #ifdef HAVE_IN6_ADDR
else { else {
if (inet_pton(AF_INET6, m, &mask.ip6) <= 0) { if (inet_pton(AF_INET6, m, &mask.ip6) <= 0) {
j = atoi(m); j = atoi(m);
for (i = 0; i < 16; i++) { for (i = 0; i < sizeof(addr.ip6.s6_addr); i++) {
if (j < i * 8) if (j < i * 8)
mask.ip6.s6_addr[i] = 0; mask.ip6.s6_addr[i] = 0;
else if (i * 8 + 8 <= j) else if (i * 8 + 8 <= j)
mask.ip6.s6_addr[i] = 0xff; mask.ip6.s6_addr[i] = 0xff;
else else
mask.ip6.s6_addr[i] = 0xff00 >> (j - i * 8); mask.ip6.s6_addr[i] = 0xff00 >> (j - i * 8);
addr.ip6.s6_addr[i] &= mask.ip6.s6_addr[i];
} }
} }
} }
@@ -701,12 +703,12 @@ addr_matches_if_netmask(char *n, char *m)
continue; continue;
switch(family) { switch(family) {
case AF_INET: case AF_INET:
if ((ifp->addr.ip4.s_addr & mask.ip4.s_addr) == (addr.ip4.s_addr & mask.ip4.s_addr)) if ((ifp->addr.ip4.s_addr & mask.ip4.s_addr) == addr.ip4.s_addr)
return TRUE; return TRUE;
#ifdef HAVE_IN6_ADDR #ifdef HAVE_IN6_ADDR
case AF_INET6: case AF_INET6:
for (j = 0; j < sizeof(addr.ip6.s6_addr); j++) { for (j = 0; j < sizeof(addr.ip6.s6_addr); j++) {
if ((ifp->addr.ip6.s6_addr[j] & mask.ip6.s6_addr[j]) != (addr.ip6.s6_addr[j] & mask.ip6.s6_addr[j])) if ((ifp->addr.ip6.s6_addr[j] & mask.ip6.s6_addr[j]) != addr.ip6.s6_addr[j])
break; break;
} }
if (j == sizeof(addr.ip6.s6_addr)) if (j == sizeof(addr.ip6.s6_addr))
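Review bot: In the first hunk the new IPv6 masking `addr.ip6.s6_addr[i] &= mask.ip6.s6_addr[i];` sits inside the `if (inet_pton(AF_INET6, m, &mask.ip6) <= 0)` branch, so it only runs when the netmask was written as a prefix length; when inet_pton succeeds on an address-form mask, addr.ip6 keeps its host bits. The second hunk then compares `(ifp->addr.ip6.s6_addr[j] & mask.ip6.s6_addr[j])` against the now unmasked `addr.ip6.s6_addr[j]`, so a sudoers entry whose IPv6 address has bits set outside an address-form mask can no longer match any interface, whereas the pre-change code masked both sides and the IPv4 path (`addr.ip4.s_addr &= mask.ip4.s_addr;` after the inner closing brace) still masks unconditionally. This fails closed rather than open, but it is a behavioural regression; I would drop the `&=` from the prefix loop and add, after that `if` block's closing brace, `for (i = 0; i < sizeof(addr.ip6.s6_addr); i++) addr.ip6.s6_addr[i] &= mask.ip6.s6_addr[i];`. Separately, `case AF_INET:` in the second hunk has no `break;` after `return TRUE;`, so a non-matching IPv4 interface falls into the AF_INET6 byte loop; given that the first four bytes of the union are exactly the ip4 comparison this appears unable to yield a false match, but an explicit `break;` would stop it depending on that layout. addr_matches_if_netmask begins before the first hunk and continues past the second.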