Skip to content

Commit

Permalink
Merge pull request ossec#920 from reyjrar/bugfix/broken_ip_comparison
Browse files Browse the repository at this point in the history 
Bugfixes for OS_IPFound, OS_IPFoundList, OS_IsValidIP.
  • Loading branch information
@ddpbsd
ddpbsd authored Aug 11, 2016
2 parents aefeecf + 0f776e8 commit f42e4d0
Showing 1 changed file with 50 additions and 12 deletions.
62 changes: 50 additions & 12 deletions src/shared/validate_op.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -153,20 +153,30 @@ int OS_IPFound(const char *ip_address, const os_ip *that_ip)
int _true = 1;
os_ip temp_ip;

/* If negate is set */
char *ip = that_ip->ip;
if (ip[0] == '!') {
ip++;
_true = 0;
}

/* The simplest case is the 'any' case.
* We just return true
*/
if( strcmp(ip, "any") == 0 ) {
return _true;
}

memset(&temp_ip, 0, sizeof(struct _os_ip));

/* Extract IP address */
if (OS_IsValidIP(ip_address, &temp_ip) == 0) {
return (!_true);
}

/* If negate is set */
if (that_ip->ip[0] == '!') {
_true = 0;
}

/* Check if IP is in thatip & netmask */
if (sacmp((struct sockaddr *) &temp_ip.ss,
if (sacmp((struct sockaddr *) &temp_ip.ss,
(struct sockaddr *) &that_ip->ss,
that_ip->prefixlength)) {
return (_true);
Expand Down Expand Up @@ -195,12 +205,24 @@ int OS_IPFoundList(const char *ip_address, os_ip **list_of_ips)
while (*list_of_ips) {
os_ip *l_ip = *list_of_ips;

if (l_ip->ip[0] == '!') {
char *ip = l_ip->ip;
if (ip[0] == '!') {
ip++;
_true = 0;
}
else {
_true = 1;
}

/* Simplest case, if the list contains an any
* ip, we return true.
*/
if( strcmp(ip,"any" ) == 0 ) {
return _true;
}

/* Checking if ip is in thatip & netmask */
if (sacmp((struct sockaddr *) &temp_ip.ss,
if (sacmp((struct sockaddr *) &temp_ip.ss,
(struct sockaddr *) &l_ip->ss,
l_ip->prefixlength)) {
return (_true);
Expand All @@ -216,18 +238,24 @@ int OS_IPFoundList(const char *ip_address, os_ip **list_of_ips)
* Returns 0 if doesn't match or 1 if it is an IP or 2 an IP with CIDR.
* WARNING: On success this function may modify the value of ip_address
*/
int OS_IsValidIP(const char *ip_address, os_ip *final_ip)
int OS_IsValidIP(const char *in_address, os_ip *final_ip)
{
char *tmp_str;
int cidr = -1, prefixlength;
struct addrinfo hints, *result;
char *ip_address = NULL;

/* Can't be null */
if (!ip_address) {
if (!in_address) {
return (0);
}

/* Assign the IP address */
/* We mess with in_address later and we set 'const'
* in the signature, so we need to copy it
* here.
*/
os_strdup(in_address, ip_address);

if (final_ip) {
os_strdup(ip_address, final_ip->ip);
}
Expand All @@ -236,8 +264,12 @@ int OS_IsValidIP(const char *ip_address, os_ip *final_ip)
ip_address++;
}

/* Use IPv6 here, because it doesn't matter
* OS_IPFound and OS_IPFoundList will
* return true if the os_ip.ip element is 'any'
*/
if(strcmp(ip_address, "any") == 0) {
strcpy((char *) ip_address, "::/0");
strcpy(ip_address, "::/0");
}

/* Getting the cidr/netmask if available */
Expand All @@ -250,6 +282,7 @@ int OS_IsValidIP(const char *ip_address, os_ip *final_ip)
if(strlen(tmp_str) <= 3) {
cidr = atoi(tmp_str);
} else {
free(ip_address);
return(0);
}
}
Expand All @@ -258,6 +291,7 @@ int OS_IsValidIP(const char *ip_address, os_ip *final_ip)
memset(&hints, 0, sizeof(struct addrinfo));
hints.ai_flags = AI_NUMERICHOST;
if (getaddrinfo(ip_address, NULL, &hints, &result) != 0) {
free(ip_address);
return(0);
}

Expand All @@ -271,6 +305,7 @@ int OS_IsValidIP(const char *ip_address, os_ip *final_ip)
prefixlength = 32;
break;
}
free(ip_address);
return(0);
case AF_INET6:
if (cidr >=0 && cidr <= 128) {
Expand All @@ -280,8 +315,10 @@ int OS_IsValidIP(const char *ip_address, os_ip *final_ip)
prefixlength = 128;
break;
}
free(ip_address);
return(0);
default:
default:
free(ip_address);
return(0);
}

Expand All @@ -291,6 +328,7 @@ int OS_IsValidIP(const char *ip_address, os_ip *final_ip)
}

freeaddrinfo(result);
free(ip_address);
return((cidr >= 0) ? 2 : 1);
}

Expand Down

0 comments on commit f42e4d0

Please sign in to comment.