github_mirrors/ModSecurity
3
0
Fork 1
mirror of https://github.com/owasp-modsecurity/ModSecurity.git synced 2025-08-14 05:45:59 +03:00
Code Issues Packages Projects Releases Wiki Activity

Fixes subnets representations using slash notation

Browse Source 
The ipv4 representation was only accepting slash notation with masks
represented in 2 digits. In the ipv6 implementation several fixies were made:
The maximum value to a bitmask was 64 which is not the reality, as ipv6 can
handle 128 bits. The second change was also to enable mask representation with
more and less than 2 digits. A more general fix was added to allow the unit
tests to work even if a invalid ip/range was informed during the creation of
the "tree", now it is checking if the tree is NULL while performing the
execution of the operator. Initial problem was reported at the issue: #706.
This commit is contained in:
Felipe Zimmerle 2014-06-10 16:09:05 -07:00
parent 731466cff0
commit 5d92e448ae
3 changed files with 36 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
apache2/msc_tree.c
View File

@ -820,35 +820,46 @@ TreeNode *TreeAddIP(const char *buffer, CPTTree *tree, int type) {
char ip_strv4[NETMASK_32], ip_strv6[NETMASK_128];
struct in_addr addr4;
struct in6_addr addr6;
int pos = 0;
char *ptr = NULL;
if(tree == NULL)
return NULL;
pos = strchr(buffer, '/') - buffer;
switch(type) {
case IPV4_TREE:
memset(&addr4, 0, sizeof(addr4));
memset(ip_strv4, 0x0, NETMASK_32);
strncpy(ip_strv4, buffer, sizeof(ip_strv4) - 2);
strncpy(ip_strv4, buffer, sizeof(ip_strv4));
*(ip_strv4 + (sizeof(ip_strv4) - 1)) = '\0';
ptr = strdup(ip_strv4);
netmask_v4 = is_netmask_v4(ptr);
if (netmask_v4 > NETMASK_32) {
free(ptr);
ptr = NULL;
return NULL;
}
if(ptr != NULL) {
free(ptr);
ptr = NULL;
}
if(netmask_v4 == 0)
if(netmask_v4 == 0) {
return NULL;
else if(netmask_v4 != NETMASK_32) {
ip_strv4[strlen(ip_strv4)-3] = '\0';
}
else if (netmask_v4 != NETMASK_32 && pos < strlen(ip_strv4)) {
ip_strv4[pos] = '\0';
}
ret = inet_pton(AF_INET, ip_strv4, &addr4);
if (ret <= 0) {
return NULL;
}
@ -863,26 +874,36 @@ TreeNode *TreeAddIP(const char *buffer, CPTTree *tree, int type) {
memset(&addr6, 0, sizeof(addr6));
memset(ip_strv6, 0x0, NETMASK_128);
strncpy(ip_strv6, buffer, sizeof(ip_strv6) - 2);
strncpy(ip_strv6, buffer, sizeof(ip_strv6));
*(ip_strv6 + sizeof(ip_strv6) - 1) = '\0';
ptr = strdup(ip_strv6);
netmask_v6 = is_netmask_v6(ptr);
if (netmask_v6 > NETMASK_128) {
free(ptr);
ptr = NULL;
return NULL;
}
if(ptr != NULL) {
free(ptr);
ptr = NULL;
}
if(netmask_v6 == 0)
if(netmask_v6 == 0) {
return NULL;
else if (netmask_v6 != NETMASK_64) {
ip_strv4[strlen(ip_strv6)-3] = '\0';
}
else if (netmask_v6 != NETMASK_128 && pos < strlen(ip_strv6)) {
ip_strv6[pos] = '\0';
}
ret = inet_pton(AF_INET6, ip_strv6, &addr6);
if(ret <= 0)
if (ret <= 0)
{
return NULL;
}
tree->count++;

4
apache2/msc_util.c
View File

@ -364,12 +364,12 @@ unsigned char is_netmask_v6(char *ip_strv6) {
if ((mask_str = strchr(ip_strv6, '/'))) {
*(mask_str++) = '\0';
if (strchr(mask_str, '.') != NULL) {
if (strchr(mask_str, ':') != NULL) {
return 0;
}
cidr = atoi(mask_str);
if ((cidr < 0) || (cidr > 64)) {
if ((cidr < 0) || (cidr > 128)) {
return 0;
}
netmask_v6 = (unsigned char)cidr;

6
apache2/re_operators.c
View File

@ -122,7 +122,7 @@ static int msre_op_ipmatch_param_init(msre_rule *rule, char **error_msg) {
* \retval 0 On No Match
*/
static int msre_op_ipmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *var, char **error_msg) {
TreeRoot *rtree = rule->ip_op;
TreeRoot *rtree = NULL;
int res = 0;
if (error_msg == NULL)
@ -130,11 +130,13 @@ static int msre_op_ipmatch_execute(modsec_rec *msr, msre_rule *rule, msre_var *v
else
*error_msg = NULL;
if (rtree == NULL) {
if (rule == NULL || rule->ip_op == NULL) {
msr_log(msr, 1, "ipMatch Internal Error: ipmatch value is null.");
return 0;
}
rtree = rule->ip_op;
res = tree_contains_ip(msr->mp, rtree, var->value, NULL, error_msg);
if (res < 0) {