X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ian/git?a=blobdiff_plain;f=helper.c;h=a58e7aae666f30899a9673f2efbaf7b070b8bdd2;hb=64b7841344fcc3cc5208a6ac8ec92c2db1a8802f;hp=7c50551c6bd54ec8c697fbf1b168c499135eab09;hpb=ea186a6c113d2397f73596952a65ecd4e3d51c76;p=authbind.git

diff --git a/helper.c b/helper.c
index 7c50551..a58e7aa 100644
--- a/helper.c
+++ b/helper.c
@@ -34,8 +34,6 @@
 # define CONFIGDIR "/etc/authbind"
 #endif
 
-static const char *rcsid="$Id$";
-
 static void exiterrno(int e) {
   exit(e>0 && e<128 ? e : ENOSYS);
 }
@@ -48,7 +46,7 @@ static void perrorfail(const char *m) {
 }
 
 static void badusage(void) {
-  fprintf(stderr,"libauthbind's helper: bad usage\n (%s)\n",rcsid);
+  fprintf(stderr,"libauthbind's helper: bad usage\n");
   exit(ENOSYS);
 }
 
@@ -64,6 +62,11 @@ static void authorised(void) {
   else _exit(0);
 }
 
+static void checkexecflagfile(const char *file) {
+  if (!access(file,X_OK)) authorised();
+  if (errno != ENOENT) exiterrno(errno);
+}
+
 static void hex2bytes(const char *string, unsigned char *out, int len) {
   int i;
   for (i=0; i<len; i++) {
@@ -83,8 +86,8 @@ int main(int argc, const char *const *argv) {
   const char *np;
   const char *tophalfchar="";
   unsigned long port, addr4=0, haddr4=0;
-  unsigned int hport, a1,a2,a3,a4, alen,pmin,pmax;
-  int nchar, af;
+  unsigned int hport;
+  int af;
   FILE *file;
 
   if (argc == 3) {
@@ -136,12 +139,31 @@ int main(int argc, const char *const *argv) {
   if (errno != ENOENT) exiterrno(errno);
 
   char npbuf[INET_ADDRSTRLEN + INET6_ADDRSTRLEN];
-  np= inet_ntop(af,addr_any,npbuf,addrlen_any);
+  np= inet_ntop(af,addr_any,npbuf,sizeof(npbuf));
   assert(np);
 
-  snprintf(fnbuf,sizeof(fnbuf)-1,"byaddr/%s:%s%u",np,tophalfchar,hport);
-  if (!access(fnbuf,X_OK)) authorised();
-  if (errno != ENOENT) exiterrno(errno);
+  if (af == AF_INET) {
+    snprintf(fnbuf,sizeof(fnbuf)-1,"byaddr/%s%s:%u",tophalfchar,np,hport);
+    checkexecflagfile(fnbuf);
+  }
+
+  snprintf(fnbuf,sizeof(fnbuf)-1,"byaddr/%s%s,%u",tophalfchar,np,hport);
+  checkexecflagfile(fnbuf);
+
+  if (af == AF_INET6) {
+    char sbuf[addrlen_any*3+1], *sp = sbuf;
+    const unsigned char *ip = addr_any;
+    int i;
+    for (i=0; i<8; i++) {
+      unsigned val = 0;
+      val |= *ip++;  val <<= 8;
+      val |= *ip++;
+      if (i) *sp++ = ':';
+      sp += sprintf(sp,"%x",val);
+    }
+    snprintf(fnbuf,sizeof(fnbuf)-1,"byaddr/%s%s,%u",tophalfchar,sbuf,hport);
+    checkexecflagfile(fnbuf);
+  }
 
   uid= getuid(); if (uid==(uid_t)-1) perrorfail("getuid");
   snprintf(fnbuf,sizeof(fnbuf)-1,"byuid/%s%lu",tophalfchar,(unsigned long)uid);
@@ -150,49 +172,94 @@ int main(int argc, const char *const *argv) {
   if (!file) exiterrno(errno==ENOENT ? EPERM : errno);
 
   while (fgets(fnbuf,sizeof(fnbuf)-1,file)) {
-    nchar= -1;
+    unsigned int a1,a2,a3,a4, alen,pmin,pmax;
+    int nchar;
 
-    char *colon = strchr(fnbuf,'/');
-    if (!colon) continue;
-    *colon++ = '\0';
+    if (af == AF_INET &&
+	(nchar = -1,
+	 sscanf(fnbuf," %u.%u.%u.%u/%u: %u,%u %n",
+		&a1,&a2,&a3,&a4,&alen,&pmin,&pmax,&nchar),
+	 nchar == strlen(fnbuf))) {
 
-    sscanf(fnbuf," %u.%u.%u.%u/%u%n",
-	   &a1,&a2,&a3,&a4,&alen,&nchar);
-    if (nchar == strlen(fnbuf)) {
       if (alen>32 || pmin&~0x0ffff || pmax&~0x0ffff ||
 	  a1&~0x0ff || a2&~0xff || a3&~0x0ff || a4&~0x0ff)
 	continue;
 
       unsigned long thaddr, thmask;
       thaddr= (a1<<24)|(a2<<16)|(a3<<8)|(a4);
-      thmask= 0x0ffffffffUL<<(32-alen);
+      thmask= alen ? 0x0ffffffffUL<<(32-alen) : 0;
       if ((haddr4&thmask) != thaddr) continue;
+
     } else {
+
+      char *comma = strchr(fnbuf,',');
+      if (!comma) continue;
+      *comma++ = '\0';
+
+      char *slash = strchr(fnbuf,'/');
       char *hyphen = strchr(fnbuf,'-');
-      const char *min, *max;
-      if (hyphen) {
-	*hyphen++ = '\0';
-	min = fnbuf;
-	max = hyphen;
+
+      if (slash && hyphen)
+	continue;
+
+      if (slash) {
+	int alen;
+	*slash++ = '\0';
+	nchar = -1;
+	sscanf(slash," %u %n",&alen,&nchar);
+	if (nchar != strlen(slash))
+	  continue;
+	unsigned char thaddr[addrlen_any];
+	if (inet_pton(af,fnbuf,thaddr) != 1)
+	  continue;
+	int pfxlen_remain = alen;
+	int i;
+	for (i=0; i<addrlen_any; i++) {
+	  int pfxlen_thisbyte = pfxlen_remain < 8 ? pfxlen_remain : 8;
+	  pfxlen_remain -= pfxlen_thisbyte;
+	  unsigned mask_thisbyte = 0xff ^ (0xff >> pfxlen_thisbyte);
+	  unsigned thaddr_thisbyte = thaddr[i];
+	  unsigned addr_thisbyte = ((unsigned char*)addr_any)[i];
+	  if ((addr_thisbyte & mask_thisbyte) != thaddr_thisbyte)
+	    goto badline;
+	}
+	if (pfxlen_remain) badline: continue;
+	/* hooray */
       } else {
-	min = fnbuf;
-	max = fnbuf;
+	const char *min, *max;
+	if (hyphen) {
+	  *hyphen++ = '\0';
+	  min = fnbuf;
+	  max = hyphen;
+	} else {
+	  min = fnbuf;
+	  max = fnbuf;
+	}
+	unsigned char minaddr[addrlen_any];
+	unsigned char maxaddr[addrlen_any];
+	if (inet_pton(af,min,minaddr) != 1 ||
+	    inet_pton(af,max,maxaddr) != 1)
+	  continue;
+	if (memcmp(addr_any,minaddr,addrlen_any) < 0 ||
+	    memcmp(addr_any,maxaddr,addrlen_any) > 0)
+	  continue;
       }
-      unsigned char minaddr[addrlen_any];
-      unsigned char maxaddr[addrlen_any];
-      if (inet_pton(af,min,minaddr) != 1 ||
-	  inet_pton(af,max,maxaddr) != 1)
-        continue;
-      if (memcmp(addr_any,minaddr,addrlen_any) < 0 ||
-	  memcmp(addr_any,maxaddr,addrlen_any) > 0)
-        continue;
-    }
 
-    sscanf(colon," %u,%u %n",
-	   &pmin,&pmax,&nchar);
-    if (nchar != strlen(colon))
-      continue;
-    
+      if (nchar = -1,
+	  sscanf(comma," %u-%u %n",
+		 &pmin,&pmax,&nchar),
+	  nchar == strlen(comma)) {
+	/* good */
+      } else if (nchar = -1,
+		 sscanf(comma," %u %n",
+			&pmin,&nchar),
+		 nchar == strlen(comma)) {
+	pmax = pmin;
+      } else {
+	continue;
+      }
+
+    }
     if (hport<pmin || hport>pmax) continue;
 
     authorised();