From 84cf22da0d11719eea9d82ada9978d8fc19712ee Mon Sep 17 00:00:00 2001
From: Luis Ressel
Date: Sun, 17 Mar 2019 00:02:32 +0100
Subject: wg: warn if an AllowedIP has a nonzero host part
Signed-off-by: Luis Ressel
Signed-off-by: Jason A. Donenfeld
---
 src/config.c | 34 ++++++++++++++++++++++++++++++++++
 1 file changed, 34 insertions(+)
(limited to 'src/config.c')
diff --git a/src/config.c b/src/config.c
index 5d15356..d510ea7 100644
--- a/src/config.c
+++ b/src/config.c
@@ -287,6 +287,37 @@ err:
 return false;
 }
+static bool validate_netmask(struct wgallowedip *allowedip)
+{
+ uint32_t *ip;
+ int last;
+
+ switch (allowedip->family) {
+ case AF_INET:
+ last = 0;
+ ip = (uint32_t *)&allowedip->ip4;
+ break;
+ case AF_INET6:
+ last = 3;
+ ip = (uint32_t *)&allowedip->ip6;
+ break;
+ default:
+ return true; /* We don't know how to validate it, so say 'okay'. */
+ }
+
+ for (int i = last; i >= 0; --i) {
+ uint32_t mask = ~0;
+
+ if (allowedip->cidr >= 32 * (i + 1))
+ break;
+ if (allowedip->cidr > 32 * i)
+ mask >>= (allowedip->cidr - 32 * i);
+ if (ntohl(ip[i]) & mask)
+ return false;
+ }
+
+ return true;
+}
 static inline bool parse_allowedips(struct wgpeer *peer, struct wgallowedip **last_allowedip, const char *value)
 {
@@ -339,6 +370,9 @@ static inline bool parse_allowedips(struct wgpeer *peer, struct wgallowedip **la
 goto err;
 new_allowedip->cidr = cidr;
+ if (!validate_netmask(new_allowedip))
+ fprintf(stderr, "Warning: AllowedIP has nonzero host part: %s/%s\n", ip, mask);
+
 if (allowedip)
 allowedip->next_allowedip = new_allowedip;
 else
--
cgit v1.2.3-59-g8ed1b
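Review bot: validate_netmask carries no comment explaining its word-walk, and the two `(uint32_t *)` casts on `&allowedip->ip4` and `&allowedip->ip6` assume those members are 4-byte-aligned arrays of network-order words, which holds for the usual `in_addr`/`in6_addr` layouts but is not something POSIX guarantees for `in6_addr` (it only promises `uint8_t s6_addr[16]`), so a short header is warranted. I'd add above the function: `/* Returns false when the address has bits set below its cidr prefix, i.e. a nonzero host part. Walks the 32-bit network-order words from the least significant end; mask selects the host bits of word i. */`, and on the `ip6` cast a line such as `/* assumes in6_addr is 4-byte aligned; switch to a per-word memcpy if a target ever breaks that */`. The loop itself checks out for cidr 0 through the full length: a word entirely inside the prefix breaks out, a word straddling it is shifted down to its host bits, and a word beyond it is compared in full. Whether cidr has already been bounded to 32 or 128 for the family is decided outside this hunk.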
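Review bot: The `fprintf` warning says the host part is nonzero but not what that means for the peer, and the entry is still accepted as written; if the address is masked to its prefix when the allowed-IP is installed (as cryptokey routing would suggest, though that happens outside this file), `10.0.0.5/8` ends up admitting all of `10.0.0.0/8` from this peer, which is the consequence an operator needs to see. I'd make the message say so: `fprintf(stderr, "Warning: AllowedIP %s/%s has a nonzero host part; the host bits are ignored and the whole /%s prefix is allowed\n", ip, mask, mask);`. Note also that `mask` appears to be the text after the slash and so is presumably NULL when no slash was given (`%s` with NULL is undefined behaviour); the line is safe only because validate_netmask returns true when cidr equals the full address length, which must be the no-slash default set above this hunk, so a one-line comment stating that dependency, or printing the unsplit entry if the function still holds it, would make it robust. parse_allowedips begins before and continues after this hunk.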