BUG/MEDIUM: acls using IPv6 subnets patterns incorrectly match IPs

Some tests revealed that IPs not in the range of IPv6 subnets incorrectly
matched (for example "acl BUG src 2804::/16" applied to a src IP "127.0.0.1").

This is caused by the acl_match_ip() function applying a mask in host byte
order, whereas it should be in network byte order.
Cyril Bonté 2012-10-23 21:28:31 +02:00 committed by Willy Tarreau
parent 35b7b16818
commit 4c01beb64b
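To make the byte-order point concrete, here is an added example (not HAProxy's code; the function names `ipv6_prefix_match`, `wordwise_match` and the `_str` wrappers are hypothetical, and the sample addresses are constructed). It matches an IPv6 address against a prefix two ways: byte-wise, where no byte-order question arises at all, and word-wise in the style of the patched loop, with a flag selecting the host-order mask from before the fix or the `htonl()` mask from after it. On a little-endian host the host-order variant accepts `::ffff:127.0.0.1` for `2804::/16`, which is the false match the commit message describes; the fixed variant agrees with the byte-wise check.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Byte-wise prefix match: s6_addr is already in network (big-endian) order,
 * so whole bytes are compared with memcmp and the partial byte, if any,
 * is masked with a per-byte mask. No htonl() is needed anywhere. */
int ipv6_prefix_match(const struct in6_addr *addr, const struct in6_addr *net, unsigned bits)
{
    unsigned full = bits / 8;   /* whole bytes covered by the prefix */
    unsigned rem  = bits % 8;   /* leftover bits in the following byte */

    if (bits > 128)
        return 0;
    if (memcmp(addr->s6_addr, net->s6_addr, full) != 0)
        return 0;
    if (rem) {
        uint8_t mask = (uint8_t)(0xFFu << (8 - rem));
        if ((addr->s6_addr[full] ^ net->s6_addr[full]) & mask)
            return 0;
    }
    return 1;
}

/* Word-wise match in the shape of the patched loop. The mask is built in
 * host order, as in the pre-fix code; when `fixed` is set it is converted
 * with htonl() so that it lines up with the network-order XOR result.
 * memcpy is used instead of a uint32_t cast to avoid unaligned access. */
int wordwise_match(const struct in6_addr *addr, const struct in6_addr *net, unsigned bits, int fixed)
{
    if (bits > 128)
        return 0;
    for (unsigned pos = 0; bits > 0 && pos < 16; pos += 4) {
        uint32_t a, n;
        memcpy(&a, &addr->s6_addr[pos], 4);
        memcpy(&n, &net->s6_addr[pos], 4);
        a ^= n;                                   /* differing bits of this word */
        if (bits < 32) {
            uint32_t mask = (~0U) << (32 - bits); /* host-order mask, e.g. 0xffff0000 for /16 */
            if (fixed)
                mask = htonl(mask);               /* the patch: put the mask in network order */
            a &= mask;
        }
        if (a)
            return 0;
        bits = bits >= 32 ? bits - 32 : 0;
    }
    return 1;
}

/* Text-form wrappers; return -1 if either address fails to parse. */
int match_str(const char *ip, const char *net, unsigned bits)
{
    struct in6_addr a, n;
    if (inet_pton(AF_INET6, ip, &a) != 1 || inet_pton(AF_INET6, net, &n) != 1)
        return -1;
    return ipv6_prefix_match(&a, &n, bits);
}

int wordwise_match_str(const char *ip, const char *net, unsigned bits, int fixed)
{
    struct in6_addr a, n;
    if (inet_pton(AF_INET6, ip, &a) != 1 || inet_pton(AF_INET6, net, &n) != 1)
        return -1;
    return wordwise_match(&a, &n, bits, fixed);
}

int main(void)
{
    /* Constructed inputs mirroring the commit message: 127.0.0.1 as an
     * IPv4-mapped IPv6 address tested against the 2804::/16 pattern. */
    const char *src = "::ffff:127.0.0.1", *pat = "2804::";
    printf("byte-wise        : %d\n", match_str(src, pat, 16));
    printf("word-wise, before: %d\n", wordwise_match_str(src, pat, 16, 0));
    printf("word-wise, after : %d\n", wordwise_match_str(src, pat, 16, 1));
    return 0;
}
```

The "before" line prints 1 on little-endian machines because the host-order mask 0xffff0000 is laid out in memory as 00 00 ff ff, so it tests the third and fourth address bytes and discards the first two, the opposite of what a /16 prefix means. The byte-wise version is the form to prefer in new code: it has no word boundary to get wrong and no alignment assumption on s6_addr.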


@ -776,7 +776,7 @@ int acl_match_ip(struct sample *smp, struct acl_pattern *pattern)
for (pos = 0; bits > 0; pos += 4, bits -= 32) { for (pos = 0; bits > 0; pos += 4, bits -= 32) {
v4 = *(uint32_t*)&v6->s6_addr[pos] ^ *(uint32_t*)&pattern->val.ipv6.addr.s6_addr[pos]; v4 = *(uint32_t*)&v6->s6_addr[pos] ^ *(uint32_t*)&pattern->val.ipv6.addr.s6_addr[pos];
if (bits < 32) if (bits < 32)
v4 &= (~0U) << (32-bits); v4 &= htonl((~0U) << (32-bits));
if (v4) if (v4)
return ACL_PAT_FAIL; return ACL_PAT_FAIL;
} }
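Review bot: Wrapping the mask in htonl() is the correct fix, but the reason should be recorded in a comment on that line: v4 is the XOR of raw s6_addr bytes, which are in network order, so a host-order mask such as 0xffff0000 for /16 is stored as 00 00 ff ff on little-endian hosts and tests the wrong half of the word, which is exactly how a /16 pattern came to match 127.0.0.1. Separately, the unchanged `*(uint32_t*)&v6->s6_addr[pos]` and `*(uint32_t*)&pattern->val.ipv6.addr.s6_addr[pos]` reads assume 4-byte alignment of s6_addr and alias a uint8_t array as uint32_t; a memcpy() into a local uint32_t (or a byte-wise compare, which needs no mask conversion at all) would avoid both issues.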