author | Luis Ressel <aranea@aixah.de> | 2019-03-17 00:02:32 +0100 |
---|---|---|
committer | Jason A. Donenfeld <Jason@zx2c4.com> | 2019-03-23 12:49:41 +0100 |
commit | 752fcf87e82a01fb7a820ce1fd7da300d20a4a33 (patch) | |
tree | 8cb9071858d8978d0e7c77f51935cf9e23406e7f | |
parent | wg-quick: freebsd: export TMPDIR when restoring and don't make empty (diff) | |
tools: warn if an AllowedIP has a nonzero host part
Signed-off-by: Luis Ressel <aranea@aixah.de>
Diffstat (limited to '')
-rw-r--r-- | src/tools/config.c | 34 |
1 files changed, 34 insertions, 0 deletions
diff --git a/src/tools/config.c b/src/tools/config.c index 5d15356..d510ea7 100644 --- a/src/tools/config.c +++ b/src/tools/config.c @@ -287,6 +287,37 @@ err: return false; } +static bool validate_netmask(struct wgallowedip *allowedip) +{ + uint32_t *ip; + int last; + + switch (allowedip->family) { + case AF_INET: + last = 0; + ip = (uint32_t *)&allowedip->ip4; + break; + case AF_INET6: + last = 3; + ip = (uint32_t *)&allowedip->ip6; + break; + default: + return true; /* We don't know how to validate it, so say 'okay'. */ + } + + for (int i = last; i >= 0; --i) { + uint32_t mask = ~0; + + if (allowedip->cidr >= 32 * (i + 1)) + break; + if (allowedip->cidr > 32 * i) + mask >>= (allowedip->cidr - 32 * i); + if (ntohl(ip[i]) & mask) + return false; + } + + return true; +} static inline bool parse_allowedips(struct wgpeer *peer, struct wgallowedip **last_allowedip, const char *value) { @@ -339,6 +370,9 @@ static inline bool parse_allowedips(struct wgpeer *peer, struct wgallowedip **la goto err; new_allowedip->cidr = cidr; + if (!validate_netmask(new_allowedip)) + fprintf(stderr, "Warning: AllowedIP has nonzero host part: %s/%s\n", ip, mask); + if (allowedip) allowedip->next_allowedip = new_allowedip; else |
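Review bot: In validate_netmask the casts `(uint32_t *)&allowedip->ip4` and `(uint32_t *)&allowedip->ip6` read the address structs through a `uint32_t` lvalue, which depends on the platform's `struct in6_addr` being 32-bit aligned and alias-compatible with `uint32_t`. That usually holds, but the type does not guarantee it. Copying each word out is portable: keep a byte pointer to the address and do `uint32_t word; memcpy(&word, bytes + 4 * i, sizeof(word));` before testing `ntohl(word) & mask` (this assumes `<string.h>` is already included in config.c, which the hunk does not show). The function never writes through its argument, so the parameter can be `const struct wgallowedip *allowedip`. A one-line comment stating that `true` means "host part is zero or family unknown" would also make the `default:` branch easier to read.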
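Review bot: The warning added after `new_allowedip->cidr = cidr;` does not say which range will actually be in effect, and the entry is still appended with its host bits set. AllowedIPs decides which source addresses are accepted from a peer, so a user who wrote a host address with a short prefix (constructed example: `10.0.0.5/24`) may believe only that host is permitted, while presumably the whole prefix is matched. I would put the consequence in the message, e.g. `fprintf(stderr, "Warning: AllowedIP has nonzero host part: %s/%s (the whole /%s prefix is allowed)\n", ip, mask, mask);`. I would also add a comment above the check noting that it is advisory and parsing continues. parse_allowedips starts and ends outside this hunk, so whether the host bits are cleared later is not visible here.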