There is a bug in ipops module related to matching subnet with mask /0
modules/ipops/ipops_mod.c:
533 static int w_ip_is_in_subnet(struct sip_msg* _msg, char* _s1,
char* _s2)
... 538 int netmask = 0; ... 589 if (netmask == 0) 590 { 591 if (_compare_ips(string1.s, string1.len, ip1_type,
string2.s, string2.len, ip2_type))
the code above has collision for cases when mask is not specified or specified as zero. for example: checking if 127.0.0.1 in 0.0.0.0/0 will give negative result because of exact ip matching instead of subnet matching and this is definitely not expected behavior if we speak about CIDR.
the simplest fix is to init 'netmask' variable with -1 and check against -1 on branching:
538 int netmask = -1; 589 if (netmask == -1)
please, check and fix
Hello,
can you make a pull request on githup project with the patch that you consider it fixes the issue?
- https://github.com/kamailio/kamailio/pulls
There is easier to review as well as have automatic builds to be sure no compile issue pops up. Also, the issue is not forgotten, given the holidays season is around.
Thanks, Daniel
On 11/07/16 11:35, Michael Furmur wrote:
There is a bug in ipops module related to matching subnet with mask /0
modules/ipops/ipops_mod.c:
533 static int w_ip_is_in_subnet(struct sip_msg* _msg, char* _s1,
char* _s2)
... 538 int netmask = 0; ... 589 if (netmask == 0) 590 { 591 if (_compare_ips(string1.s, string1.len, ip1_type,
string2.s, string2.len, ip2_type))
the code above has collision for cases when mask is not specified or specified as zero. for example: checking if 127.0.0.1 in 0.0.0.0/0 will give negative result because of exact ip matching instead of subnet matching and this is definitely not expected behavior if we speak about CIDR.
the simplest fix is to init 'netmask' variable with -1 and check against -1 on branching:
538 int netmask = -1; 589 if (netmask == -1)
please, check and fix
-
Daniel-Constantin Mierla -
Michael Furmur