Hi all,
The ASN.1 profile in draft-ietf-sidrops-rfc6482bis section 4
https://datatracker.ietf.org/doc/html/draft-ietf-sidrops-rfc6482bis-01
specifies that there must not be more than 2 ipAddrBlocks (one for IPv4,
and one for IPv6). This changeset enforces that constraint. Compatible
with all published ROAs.
OK?
Kind regards,
Job
Index: roa.c
===================================================================
RCS file: /cvs/src/usr.sbin/rpki-client/roa.c,v
retrieving revision 1.55
diff -u -p -r1.55 roa.c
--- roa.c 4 Nov 2022 09:43:13 -0000 1.55
+++ roa.c 9 Nov 2022 18:04:59 -0000
@@ -111,6 +111,7 @@ roa_parse_econtent(const unsigned char *
long maxlen;
struct ip_addr ipaddr;
struct roa_ip *res;
+ int ipaddrblocksz;
int i, j, rc = 0;
if ((roa = d2i_RouteOriginAttestation(NULL, &d, dsz)) == NULL) {
@@ -128,7 +129,14 @@ roa_parse_econtent(const unsigned char *
goto out;
}
- for (i = 0; i < sk_ROAIPAddressFamily_num(roa->ipAddrBlocks); i++) {
+ ipaddrblocksz = sk_ROAIPAddressFamily_num(roa->ipAddrBlocks);
+ if (ipaddrblocksz > 2) {
+ warnx("%s: draft-rfc6482bis: too many ipAddrBlocks (got %i, "
+ "expected 1 or 2)", p->fn, ipaddrblocksz);
+ goto out;
+ }
+
+ for (i = 0; i < ipaddrblocksz; i++) {
addrfam = sk_ROAIPAddressFamily_value(roa->ipAddrBlocks, i);
addrs = addrfam->addresses;
addrsz = sk_ROAIPAddress_num(addrs);
