Some tests revealed that IPs not in the range of IPv6 subnets incorrectly
matched (for example "acl BUG src 2804::/16" applied to a src IP "127.0.0.1").

This is caused by the acl_match_ip() function applying the mask in host byte
order, whereas it should be applied in network byte order.
---
 src/acl.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/acl.c b/src/acl.c
index f220394..9083471 100644
--- a/src/acl.c
+++ b/src/acl.c
@@ -765,7 +765,7 @@ int acl_match_ip(struct sample *smp, struct acl_pattern 
*pattern)
                for (pos = 0; bits > 0; pos += 4, bits -= 32) {
                        v4 = *(uint32_t*)&v6->s6_addr[pos] ^ 
*(uint32_t*)&pattern->val.ipv6.addr.s6_addr[pos];
                        if (bits < 32)
-                               v4 &= (~0U) << (32-bits);
+                               v4 &= htonl((~0U) << (32-bits));
                        if (v4)
                                return ACL_PAT_FAIL;
                }
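Review bot: The new mask on the `+` line is right only because `v4` is loaded raw from `s6_addr`, i.e. already in network byte order, and nothing in the hunk records that; a short comment would keep a later cleanup from dropping the `htonl()` again, e.g. `/* v4 is the raw big-endian word, so the host-order mask must be byte-swapped too */`. Termination of the loop also relies on `bits` being a signed type, since `bits -= 32` after the final partial word must go negative for `bits > 0` to fail; `bits` is declared outside the hunk, so that is worth confirming before relying on it. The `*(uint32_t*)&...s6_addr[pos]` reads on the context lines type-pun an unsigned char array, and `memcpy(&v4, &v6->s6_addr[pos], sizeof v4)` would be the aliasing-safe form, though that is pre-existing and not part of this fix. acl_match_ip() starts and ends outside the hunk.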
-- 
1.7.10.4

