From 4c01beb64bd5fc96952f4d31660080aedb9eda7b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Cyril=20Bont=C3=A9?=
Date: Tue, 23 Oct 2012 21:28:31 +0200
Subject: [PATCH] BUG/MEDIUM: acls using IPv6 subnets patterns incorrectly match IPs

Some tests revealed that IPs not in the range of IPv6 subnets incorrectly matched (for example "acl BUG src 2804::/16" applied to a src IP "127.0.0.1"). This is caused by the acl_match_ip() function applies a mask in host byte order, whereas it should be in network byte order.
---
 src/acl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/acl.c b/src/acl.c
index d0ea731d2..ef9630c89 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -776,7 +776,7 @@ int acl_match_ip(struct sample *smp, struct acl_pattern *pattern)
 for (pos = 0; bits > 0; pos += 4, bits -= 32) {
 v4 = *(uint32_t*)&v6->s6_addr[pos] ^ *(uint32_t*)&pattern->val.ipv6.addr.s6_addr[pos];
 if (bits < 32)
- v4 &= (~0U) << (32-bits);
+ v4 &= htonl((~0U) << (32-bits));
 if (v4)
 return ACL_PAT_FAIL;
 }
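Review bot: The `+` line now builds the prefix mask in network byte order, but nothing at that line records why, and the context line above it still reads both `s6_addr` arrays through a `uint32_t *` cast, which is a strict-aliasing violation and the reason the byte order of the two operands is easy to get wrong; loading each 32-bit word with `memcpy` into a local would make the network-order comparison explicit and keep the code well-defined. Add `/* both words were loaded raw from s6_addr, i.e. network order, so the mask must be too */` above the `htonl` line. Loop termination here also depends on `bits` being a signed type — its declaration is above the hunk, so confirm — because with an unsigned `bits` the `bits -= 32` step would wrap on a non-multiple-of-32 prefix and the loop would read past the 16 bytes of `s6_addr`. The case from the commit message, pattern `2804::/16` against source `127.0.0.1` expecting a non-match, is worth pinning as a regression test so the host/network-order mix-up cannot silently return. acl_match_ip's body starts and ends outside the hunk.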