CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2026/05/08 19:42:30
Modified files:
usr.sbin/rpki-client: ip.c
Log message:
rpki-client: fix ip_addr_check_overlap()
There is an off-by-one in the ip_addr_check_overlap() logic which allows
a newly added interval to overlap in a common end point with an interval
already in the list. Disallow equality in the two memcmp to avoid this.
This bug dates back to the initial import of rpki-client where malformed
certificates would be accepted. In modern rpki-client, the impact of this
has been minimal ever since we started requiring that libcrypto support
the RFC 3779 extensions in early 2022 by disallowing unknown critical
extensions (rpki-client 7.6):
For certificates this duplicates a check in the X.509 verifier (where it
is correct). For TA constraints we have a canonicalization procedure that
ensures the absence of overlaps. For ROAs no such check can be made since
standards historically haven't required that addresses are canonical and
still don't. The only remaining use of this API is from rsc.c where the
overlap condition is indeed a small problem.
Found by Frank Denis
ok job
