diff options
author | Robert James Kaes <rjk@wormbytes.ca> | 2008-06-15 21:22:07 -0400 |
---|---|---|
committer | Mukund Sivaraman <muks@banu.com> | 2008-06-17 13:31:04 +0530 |
commit | 51fb15be2c4c9ae7646659fad93358a3b080a521 (patch) | |
tree | 635490b69f52cb6bf92baa6476516d8234b8ea8f | |
parent | 95c1f39f6039dc82346f3e024e86a23b7103a0a6 (diff) | |
download | tinyproxy-51fb15be2c4c9ae7646659fad93358a3b080a521.tar.gz tinyproxy-51fb15be2c4c9ae7646659fad93358a3b080a521.zip |
Refactored netmask array fill with range check
When building a numeric ACL with netmask, range check the supplied
value. In addition, the code to walk the array has been extracted and
"simplified".
Signed-off-by: Robert James Kaes <rjk@wormbytes.ca>
-rw-r--r-- | src/acl.c | 47 |
1 files changed, 39 insertions, 8 deletions
@@ -57,6 +57,41 @@ struct acl_s { */ static vector_t access_list = NULL; + +/* + * Fills in the netmask array given a numeric value. + * + * Returns: + * 0 on success + * -1 on failure (invalid mask value) + * + */ +inline static int +fill_netmask_array(long int mask, unsigned char array[], unsigned int len) +{ + unsigned int i; + + if (mask < 0 || mask > (8 * len)) + return -1; + + for (i = 0; i != len; ++i) { + if (mask >= 8) { + array[i] = 0xff; + mask -= 8; + } + else if (mask > 0) { + array[i] = (unsigned char)(0xff << (8 - mask)); + mask = 0; + } + else { + array[i] = 0; + } + } + + return 0; +} + + /* * Inserts a new access control into the list. The function will figure out * whether the location is an IP address (with optional netmask) or a @@ -70,7 +105,8 @@ int insert_acl(char *location, acl_access_t access_type) { struct acl_s acl; - int i, ret, mask; + int ret; + long int mask; char *p, ip_dst[IPV6_LEN]; assert(location != NULL); @@ -119,13 +155,8 @@ insert_acl(char *location, acl_access_t access_type) memcpy(acl.address.ip.octet, ip_dst, IPV6_LEN); mask = strtol(p + 1, NULL, 10); - for (i = 0; i != IPV6_LEN; ++i) { - if (mask >= ((i + 1) * 8)) - acl.address.ip.mask[i] = 0xff; - else - acl.address.ip.mask[i] = - 0xff << (8 - (mask - i * 8)); - } + if (fill_netmask_array(mask, &(acl.address.ip.mask[0]), IPV6_LEN) < 0) + return -1; } else { /* In all likelihood a string */ acl.type = ACL_STRING; |