

checkpolicy: warn on bogus IP address or netmask in nodecon statement
Warn if the netmask is not contiguous or the address has host bits set,
e.g.:

    127.0.0.0 255.255.245.0
    127.0.0.1 255.255.255.0

Signed-off-by: Christian Göttsche <[email protected]>
cgzones authored and jwcart2 committed Dec 15, 2021
1 parent 413518a commit 01b88ac
Showing 1 changed file with 50 additions and 0 deletions.
50 changes: 50 additions & 0 deletions checkpolicy/policy_define.c
Expand Up @@ -5290,6 +5290,14 @@ int define_ipv4_node_context()
goto out;
}

if (mask.s_addr != 0 && ((~mask.s_addr + 1) & ~mask.s_addr) != 0) {
yywarn("ipv4 mask is not contiguous");
}

if ((~mask.s_addr & addr.s_addr) != 0) {
yywarn("host bits in ipv4 address set");
}

newc = malloc(sizeof(ocontext_t));
if (!newc) {
yyerror("out of memory");
return rc;
}

static int ipv6_is_mask_contiguous(const struct in6_addr *mask)
{
int filled = 1;
unsigned i;

for (i = 0; i < 16; i++) {
if ((((~mask->s6_addr[i] & 0xFF) + 1) & (~mask->s6_addr[i] & 0xFF)) != 0) {
return 0;
}
if (!filled && mask->s6_addr[i] != 0) {
return 0;
}

if (filled && mask->s6_addr[i] != 0xFF) {
filled = 0;
}
}

return 1;
}

static int ipv6_has_host_bits_set(const struct in6_addr *addr, const struct in6_addr *mask)
{
unsigned i;

for (i = 0; i < 16; i++) {
if ((addr->s6_addr[i] & ~mask->s6_addr[i]) != 0) {
return 1;
}
}

return 0;
}

int define_ipv6_node_context(void)
{
char *id;
goto out;
}

if (!ipv6_is_mask_contiguous(&mask)) {
yywarn("ipv6 mask is not contiguous");
}

if (ipv6_has_host_bits_set(&addr, &mask)) {
yywarn("host bits in ipv6 address set");
}

newc = malloc(sizeof(ocontext_t));
if (!newc) {
yyerror("out of memory");
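Review bot: The IPv4 contiguity test in the first hunk applies the `(~m + 1) & ~m` trick to `mask.s_addr` as stored, and that field holds the mask in network byte order if it was filled by inet_pton as the address parsing above the hunk presumably does; on a little-endian host an ordinary mask such as 255.255.255.0 is then seen as 0x00FFFFFF, whose complement 0xFF000000 is not of the form 2^k-1, so the "ipv4 mask is not contiguous" warning fires spuriously for almost every non-trivial mask. Converting to host order first keeps the arithmetic portable: `in_addr_t m = ntohl(mask.s_addr);` followed by `if (m != 0 && ((~m + 1) & ~m) != 0) {` (the `!= 0` guard is strictly redundant since the unsigned wrap of `~0 + 1` yields 0, but it is harmless). The host-bits check below it and the byte-wise IPv6 helpers in the second hunk work on individual bytes and are byte-order independent; for symmetry the IPv4 test could also live in a small static helper like ipv6_is_mask_contiguous. The enclosing define_ipv4_node_context body starts and ends outside the hunk.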
