Re: be more strict when parsing netmasks for IPv6

Thu, 06 Dec 2018 10:33:44 -0800 

On Thu, Dec 06, 2018 at 05:14:45PM +0100, Florian Obser wrote:
> On Thu, Dec 06, 2018 at 03:24:52PM +0100, Claudio Jeker wrote:
> > On Wed, Dec 05, 2018 at 11:53:48PM +0100, Remi Locherer wrote:
> > > On Wed, Dec 05, 2018 at 09:22:22AM +0100, Claudio Jeker wrote:
> > > > When parsing a network mask into prefixlen be more paranoid and make 
> > > > sure
> > > > no value bigger then 128 is returned. In general this should never 
> > > > happen
> > > > but if it does the result can be bad.
> > > > 
> > > > This is for bgpd but there are other users in the tree. I will adjust 
> > > > them
> > > > if we dicide to go this way.
> > > > -- 
> > > > :wq Claudio
> > > > 
> > > 
> > > makes sense to me.
> > > 
> > > OK remi@
> > > 
> > 
> > Here the same diff against other users of mask2prefixlen6().
> > IIRC there are some other users with different function names which I need
> > to hunt down (unless someone else wants to do that job).
> 
> rad(8) and slaacd(8) use
> 
> int
> in6_mask2prefixlen(struct in6_addr *in6)
> {
>       u_char *nam = (u_char *)in6;
>       int byte, bit, plen = 0, size = sizeof(struct in6_addr);
> 
>       for (byte = 0; byte < size; byte++, plen += 8)
>               if (nam[byte] != 0xff)
>                       break;
>       if (byte == size)
>               return (plen);
>       for (bit = 7; bit != 0; bit--, plen++)
>               if (!(nam[byte] & (1 << bit)))
>                       break;
>       for (; bit != 0; bit--)
>               if (nam[byte] & (1 << bit))
>                       return (0);
>       byte++;
>       for (; byte < size; byte++)
>               if (nam[byte])
>                       return (0);
>       return (plen);
> }
> 
> which came from ifconfig where it's called prefix() and is actually AF
> independent.
> 
> Note that it operates on in6_addr not struct sockaddr_in6...
> 
> rad(8) could be easily adapted since it's operating on struct sockaddr_in6
> anyway. slaacd(8) is a bit more difficult since it passes struct
> in6_addr around.
> 
> I'm not sure it's worth the effort though. Its not like one version is
> massively better than the other. Having only one version is an
> improvement though...

I'm not suggesting to change functions that are working correctly.
At the moment I'm just looking at all those that are similar to the bgpd
one and will adjust those if possible. 
The version you pasted returns 0 for any non-consecutive netmask which is not
ideal but that is another story.

-- 
:wq Claudio

Reply via email to