From 85598f77b23b2002b8eef43eaef100d0735c5405 Mon Sep 17 00:00:00 2001 From: "Todd C. Miller" Date: Wed, 5 Feb 2014 10:00:07 -0700 Subject: [PATCH] Use inet_pton() instead of inet_aton() and include a version from BIND for those without it. --- MANIFEST | 1 + compat/getaddrinfo.c | 2 +- compat/inet_pton.c | 256 +++++++++++++++++++++++++++++++++++ config.h.in | 3 + configure | 84 ++---------- configure.ac | 33 ++--- doc/LICENSE | 18 +++ include/missing.h | 3 + mkdep.pl | 2 +- plugins/sudoers/interfaces.c | 4 +- plugins/sudoers/match_addr.c | 6 +- 11 files changed, 313 insertions(+), 99 deletions(-) create mode 100644 compat/inet_pton.c diff --git a/MANIFEST b/MANIFEST index 14aaab28a..829e60d7f 100644 --- a/MANIFEST +++ b/MANIFEST @@ -75,6 +75,7 @@ compat/getopt.h compat/getopt_long.c compat/glob.c compat/glob.h +compat/inet_pton.c compat/isblank.c compat/memrchr.c compat/memset_s.c diff --git a/compat/getaddrinfo.c b/compat/getaddrinfo.c index bbb11aa5e..10d2b1113 100644 --- a/compat/getaddrinfo.c +++ b/compat/getaddrinfo.c @@ -300,7 +300,7 @@ gai_lookup(const char *nodename, int flags, int socktype, unsigned short port, const char *canonical; int i; - if (inet_aton(nodename, &addr)) { + if (inet_pton(AF_INET, nodename, &addr)) { canonical = (flags & AI_CANONNAME) ? nodename : NULL; ai = gai_addrinfo_new(socktype, canonical, addr, port); if (ai == NULL) diff --git a/compat/inet_pton.c b/compat/inet_pton.c new file mode 100644 index 000000000..9855f6477 --- /dev/null +++ b/compat/inet_pton.c @@ -0,0 +1,256 @@ +/* $OpenBSD: inet_pton.c,v 1.8 2010/05/06 15:47:14 claudio Exp $ */ + +/* Copyright (c) 1996 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + +#include + +#if !defined(HAVE_INET_PTON) + +#include +#include +#include +#include +#include +#include +#ifdef HAVE_STRING_H +# if defined(HAVE_MEMORY_H) && !defined(STDC_HEADERS) +# include +# endif +# include +#endif /* HAVE_STRING_H */ +#ifdef HAVE_STRINGS_H +# include +#endif /* HAVE_STRINGS_H */ +#include + +#include "missing.h" + +#ifndef EAFNOSUPPORT +# define EAFNOSUPPORT EINVAL +#endif + +#ifndef NS_INADDRSZ +# ifdef INADDRSZ +# define NS_INADDRSZ INADDRSZ +# else +# define NS_INADDRSZ 4 +# endif +#endif +#ifndef NS_IN6ADDRSZ +# ifdef IN6ADDRSZ +# define NS_IN6ADDRSZ IN6ADDRSZ +# else +# define NS_IN6ADDRSZ 16 +# endif +#endif +#ifndef NS_INT16SZ +# ifdef INT16SZ +# define NS_INT16SZ INT16SZ +# else +# define NS_INT16SZ 2 +# endif +#endif + +/* + * WARNING: Don't even consider trying to compile this on a system where + * sizeof(int) < 4. sizeof(int) > 4 is fine; all the world's not a VAX. + */ + +/* int + * inet_pton4(src, dst) + * like inet_aton() but without all the hexadecimal and shorthand. + * return: + * 1 if `src' is a valid dotted quad, else 0. + * notice: + * does not touch `dst' unless it's returning 1. + * author: + * Paul Vixie, 1996. + */ +static int +inet_pton4(const char *src, u_char *dst) +{ + const char digits[] = "0123456789"; + int saw_digit, octets, ch; + u_char tmp[NS_INADDRSZ], *tp; + + saw_digit = 0; + octets = 0; + *(tp = tmp) = '\0'; + while ((ch = (unsigned char)*src++) != '\0') { + const char *pch; + + if ((pch = strchr(digits, ch)) != NULL) { + u_int new = *tp * 10 + (pch - digits); + + if (new > 255) + return (0); + if (!saw_digit) { + if (++octets > 4) + return (0); + saw_digit = 1; + } + *tp = new; + } else if (ch == '.' && saw_digit) { + if (octets == 4) + return (0); + *++tp = 0; + saw_digit = 0; + } else + return (0); + } + if (octets < 4) + return (0); + + memcpy(dst, tmp, NS_INADDRSZ); + return (1); +} + +#ifdef HAVE_STRUCT_IN6_ADDR +/* int + * inet_pton6(src, dst) + * convert presentation level address to network order binary form. + * return: + * 1 if `src' is a valid [RFC1884 2.2] address, else 0. + * notice: + * does not touch `dst' unless it's returning 1. + * credit: + * inspired by Mark Andrews. + * author: + * Paul Vixie, 1996. + */ +static int +inet_pton6(const char *src, u_char *dst) +{ + const char xdigits_l[] = "0123456789abcdef", + xdigits_u[] = "0123456789ABCDEF"; + u_char tmp[NS_IN6ADDRSZ], *tp, *endp, *colonp; + const char *xdigits, *curtok; + int ch, saw_xdigit, count_xdigit; + u_int val; + + memset((tp = tmp), 0, NS_IN6ADDRSZ); + endp = tp + NS_IN6ADDRSZ; + colonp = NULL; + /* Leading :: requires some special handling. */ + if (*src == ':') + if (*++src != ':') + return (0); + curtok = src; + saw_xdigit = count_xdigit = 0; + val = 0; + while ((ch = (unsigned char)*src++) != '\0') { + const char *pch; + + if ((pch = strchr((xdigits = xdigits_l), ch)) == NULL) + pch = strchr((xdigits = xdigits_u), ch); + if (pch != NULL) { + if (count_xdigit >= 4) + return (0); + val <<= 4; + val |= (pch - xdigits); + if (val > 0xffff) + return (0); + saw_xdigit = 1; + count_xdigit++; + continue; + } + if (ch == ':') { + curtok = src; + if (!saw_xdigit) { + if (colonp) + return (0); + colonp = tp; + continue; + } else if (*src == '\0') { + return (0); + } + if (tp + NS_INT16SZ > endp) + return (0); + *tp++ = (u_char) (val >> 8) & 0xff; + *tp++ = (u_char) val & 0xff; + saw_xdigit = 0; + count_xdigit = 0; + val = 0; + continue; + } + if (ch == '.' && ((tp + NS_INADDRSZ) <= endp) && + inet_pton4(curtok, tp) > 0) { + tp += NS_INADDRSZ; + saw_xdigit = 0; + count_xdigit = 0; + break; /* '\0' was seen by inet_pton4(). */ + } + return (0); + } + if (saw_xdigit) { + if (tp + NS_INT16SZ > endp) + return (0); + *tp++ = (u_char) (val >> 8) & 0xff; + *tp++ = (u_char) val & 0xff; + } + if (colonp != NULL) { + /* + * Since some memmove()'s erroneously fail to handle + * overlapping regions, we'll do the shift by hand. + */ + const long n = tp - colonp; + long i; + + if (tp == endp) + return (0); + for (i = 1; i <= n; i++) { + endp[- i] = colonp[n - i]; + colonp[n - i] = 0; + } + tp = endp; + } + if (tp != endp) + return (0); + memcpy(dst, tmp, NS_IN6ADDRSZ); + return (1); +} +#endif /* HAVE_STRUCT_IN6_ADDR */ + +/* int + * inet_pton(af, src, dst) + * convert from presentation format (which usually means ASCII printable) + * to network format (which is usually some kind of binary format). + * return: + * 1 if the address was valid for the specified address family + * 0 if the address wasn't valid (`dst' is untouched in this case) + * -1 if some other error occurred (`dst' is untouched in this case, too) + * author: + * Paul Vixie, 1996. + */ +int +inet_pton(int af, const char *src, void *dst) +{ + switch (af) { + case AF_INET: + return (inet_pton4(src, dst)); +#ifdef HAVE_STRUCT_IN6_ADDR + case AF_INET6: + return (inet_pton6(src, dst)); +#endif /* HAVE_STRUCT_IN6_ADDR */ + default: + errno = EAFNOSUPPORT; + return (-1); + } + /* NOTREACHED */ +} + +#endif /* HAVE_INET_PTON */ diff --git a/config.h.in b/config.h.in index b392f1de6..611a3f5a9 100644 --- a/config.h.in +++ b/config.h.in @@ -262,6 +262,9 @@ /* Define to 1 if your Kerberos is Heimdal. */ #undef HAVE_HEIMDAL +/* Define to 1 if you have the `inet_pton' function. */ +#undef HAVE_INET_PTON + /* Define to 1 if you have the `initprivs' function. */ #undef HAVE_INITPRIVS diff --git a/configure b/configure index faaad179f..c864d9e67 100755 --- a/configure +++ b/configure @@ -18607,7 +18607,7 @@ if test "x$ac_cv_func_inet_pton" = xyes; then : else - for libs in "-lsocket" "-linet" "-lsocket -lnsl"; do + for libs in "-lsocket" "-linet" "-lsocket -lnsl" "-lresolv"; do _libs= for lib in $libs; do case "$NET_LIBS" in @@ -18662,78 +18662,13 @@ fi if eval test \$sudo_cv_lib_$lib''_inet_pton$_sudo_check_lib_extras = "yes"; then { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 $as_echo "yes" >&6; } - NET_LIBS="${NET_LIBS} $libs"; LIBS="${LIBS} $libs"; break - else - { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 -$as_echo "no" >&6; } - - fi - - done - -fi - -ac_fn_c_check_func "$LINENO" "inet_aton" "ac_cv_func_inet_aton" -if test "x$ac_cv_func_inet_aton" = xyes; then : - -else - - for libs in "-lsocket" "-linet" "-lsocket -lnsl" "-lresolv"; do - _libs= - for lib in $libs; do - case "$NET_LIBS" in - *"$lib"*) ;; - *) _libs="$_libs $lib";; - esac - done - libs="${_libs# }" - test -z "$libs" && continue - lib="`echo \"$libs\"|sed -e 's/^-l//' -e 's/ .*$//'`" - extralibs="`echo \"$libs\"|sed 's/^-l[^ ]*//'`" - - _sudo_check_lib_extras=`echo "$extralibs"|sed -e 's/ *//g' -e 's/-l/_/g'` - { $as_echo "$as_me:${as_lineno-$LINENO}: checking for inet_aton in -l$lib${5+ }$extralibs" >&5 -$as_echo_n "checking for inet_aton in -l$lib${5+ }$extralibs... " >&6; } - if { as_var=sudo_cv_lib_$lib''_inet_aton$_sudo_check_lib_extras; eval \${$as_var+:} false; }; then : - $as_echo_n "(cached) " >&6 -else - - SUDO_CHECK_LIB_OLIBS="$LIBS" - LIBS="$LIBS -l$lib${5+ }$extralibs" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ - -/* Override any GCC internal prototype to avoid an error. - Use char because int might match the return type of a GCC - builtin and then its argument prototype would still apply. */ -#ifdef __cplusplus -extern "C" -#endif -char inet_aton (); -int -main () -{ -return inet_aton (); - ; - return 0; -} -_ACEOF -if ac_fn_c_try_link "$LINENO"; then : - eval sudo_cv_lib_$lib''_inet_aton$_sudo_check_lib_extras=yes -else - eval sudo_cv_lib_$lib''_inet_aton$_sudo_check_lib_extras=no -fi -rm -f core conftest.err conftest.$ac_objext \ - conftest$ac_exeext conftest.$ac_ext - LIBS="$SUDO_CHECK_LIB_OLIBS" + $as_echo "#define HAVE_INET_PTON 1" >>confdefs.h -fi + NET_LIBS="${NET_LIBS} $libs" + LIBS="${LIBS} $libs" + break - if eval test \$sudo_cv_lib_$lib''_inet_aton$_sudo_check_lib_extras = "yes"; then - { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 -$as_echo "yes" >&6; } - NET_LIBS="${NET_LIBS} $libs"; LIBS="${LIBS} $libs"; break else { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 $as_echo "no" >&6; } @@ -18744,6 +18679,14 @@ $as_echo "no" >&6; } fi +if test X"$ac_cv_func_inet_pton" != X"yes"; then + case " $LIBOBJS " in + *" inet_pton.$ac_objext "* ) ;; + *) LIBOBJS="$LIBOBJS inet_pton.$ac_objext" + ;; +esac + +fi ac_fn_c_check_func "$LINENO" "syslog" "ac_cv_func_syslog" if test "x$ac_cv_func_syslog" = xyes; then : @@ -24646,5 +24589,6 @@ fi + diff --git a/configure.ac b/configure.ac index 72b941a71..8b5ad9bbf 100644 --- a/configure.ac +++ b/configure.ac @@ -2529,29 +2529,9 @@ AC_CHECK_FUNC(socket, [], [ dnl dnl If inet_pton(3) not in libc, check -lnsl and -linet dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols +dnl Some systems may have inet_pton() in libresolv. dnl AC_CHECK_FUNC(inet_pton, [], [ - for libs in "-lsocket" "-linet" "-lsocket -lnsl"; do - _libs= - for lib in $libs; do - case "$NET_LIBS" in - *"$lib"*) ;; - *) _libs="$_libs $lib";; - esac - done - libs="${_libs# }" - test -z "$libs" && continue - lib="`echo \"$libs\"|sed -e 's/^-l//' -e 's/ .*$//'`" - extralibs="`echo \"$libs\"|sed 's/^-l[[^ ]]*//'`" - SUDO_CHECK_LIB($lib, inet_pton, [NET_LIBS="${NET_LIBS} $libs"; LIBS="${LIBS} $libs"; break], [], [$extralibs]) - done -]) -dnl -dnl If inet_aton(3) not in libc, check -lnsl and -linet -dnl May need to link with *both* -lnsl and -lsocket due to unresolved symbols -dnl Some systems have inet_aton() in libresolv (older Solaris). -dnl -AC_CHECK_FUNC(inet_aton, [], [ for libs in "-lsocket" "-linet" "-lsocket -lnsl" "-lresolv"; do _libs= for lib in $libs; do @@ -2564,9 +2544,17 @@ AC_CHECK_FUNC(inet_aton, [], [ test -z "$libs" && continue lib="`echo \"$libs\"|sed -e 's/^-l//' -e 's/ .*$//'`" extralibs="`echo \"$libs\"|sed 's/^-l[[^ ]]*//'`" - SUDO_CHECK_LIB($lib, inet_aton, [NET_LIBS="${NET_LIBS} $libs"; LIBS="${LIBS} $libs"; break], [], [$extralibs]) + SUDO_CHECK_LIB($lib, inet_pton, [ + AC_DEFINE(HAVE_INET_PTON) + NET_LIBS="${NET_LIBS} $libs" + LIBS="${LIBS} $libs" + break + ], [], [$extralibs]) done ]) +if test X"$ac_cv_func_inet_pton" != X"yes"; then + AC_LIBOBJ(inet_pton) +fi dnl dnl If syslog(3) not in libc, check -lsocket, -lnsl and -linet dnl @@ -3865,6 +3853,7 @@ AH_TEMPLATE(HAVE_GETSPNAM, [Define to 1 if you have the `getspnam' function (SVR AH_TEMPLATE(HAVE_GETSPWUID, [Define to 1 if you have the `getspwuid' function. (HP-UX <= 9.X shadow passwords).]) AH_TEMPLATE(HAVE_GSS_KRB5_CCACHE_NAME, [Define to 1 if you have the `gss_krb5_ccache_name' function.]) AH_TEMPLATE(HAVE_HEIMDAL, [Define to 1 if your Kerberos is Heimdal.]) +AH_TEMPLATE(HAVE_INET_PTON, [Define to 1 if you have the `inet_pton' function.]) AH_TEMPLATE(HAVE_ISCOMSEC, [Define to 1 if you have the `iscomsec' function. (HP-UX >= 10.x check for shadow enabled).]) AH_TEMPLATE(HAVE_ISSECURE, [Define to 1 if you have the `issecure' function. (SunOS 4.x check for shadow enabled).]) AH_TEMPLATE(HAVE_KERB5, [Define to 1 if you use Kerberos V.]) diff --git a/doc/LICENSE b/doc/LICENSE index eadb62c59..ef02290d1 100644 --- a/doc/LICENSE +++ b/doc/LICENSE @@ -129,6 +129,24 @@ The file getopt_long.c bears the following license: * POSSIBILITY OF SUCH DAMAGE. */ +The file inet_pton.c bears the following license: + +/* Copyright (c) 1996 by Internet Software Consortium. + * + * Permission to use, copy, modify, and distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM DISCLAIMS + * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL INTERNET SOFTWARE + * CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL + * DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR + * PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS + * ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS + * SOFTWARE. + */ + The embedded copy of zlib bears the following license: Copyright (C) 1995-2012 Jean-loup Gailly and Mark Adler diff --git a/include/missing.h b/include/missing.h index 65512c953..f712cc1da 100644 --- a/include/missing.h +++ b/include/missing.h @@ -443,5 +443,8 @@ long long rpl_strtonum(const char *, long long, long long, const char **); # endif int clock_gettime(clockid_t clock_id, struct timespec *tp); #endif +#ifndef HAVE_INET_PTON +int inet_pton(int af, const char *src, void *dst); +#endif #endif /* _SUDO_MISSING_H */ diff --git a/mkdep.pl b/mkdep.pl index b97f1ad79..97610e71d 100755 --- a/mkdep.pl +++ b/mkdep.pl @@ -70,7 +70,7 @@ sub mkdep { $makefile =~ s:\@SUDOERS_OBJS\@:bsm_audit.lo linux_audit.lo ldap.lo sssd.lo:; # XXX - fill in AUTH_OBJS from contents of the auth dir instead $makefile =~ s:\@AUTH_OBJS\@:afs.lo aix_auth.lo bsdauth.lo dce.lo fwtk.lo getspwuid.lo kerb5.lo pam.lo passwd.lo rfc1938.lo secureware.lo securid5.lo sia.lo:; - $makefile =~ s:\@LTLIBOBJS\@:clock_gettime.lo closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getgrouplist.lo getline.lo getopt_long.lo glob.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo pw_dup.lo sig2str.lo siglist.lo signame.lo snprintf.lo strlcat.lo strlcpy.lo strsignal.lo strtonum.lo utimes.lo globtest.o fnm_test.o:; + $makefile =~ s:\@LTLIBOBJS\@:clock_gettime.lo closefrom.lo fnmatch.lo getaddrinfo.lo getcwd.lo getgrouplist.lo getline.lo getopt_long.lo glob.lo isblank.lo memrchr.lo memset_s.lo mksiglist.lo mksigname.lo mktemp.lo pw_dup.lo sig2str.lo siglist.lo signame.lo snprintf.lo strlcat.lo strlcpy.lo strsignal.lo strtonum.lo utimes.lo globtest.o fnm_test.o inet_pton:; # Parse OBJS lines my %objs; diff --git a/plugins/sudoers/interfaces.c b/plugins/sudoers/interfaces.c index e3f23de56..358d4447e 100644 --- a/plugins/sudoers/interfaces.c +++ b/plugins/sudoers/interfaces.c @@ -87,8 +87,8 @@ set_interfaces(const char *ai) } else { /* IPv4 */ ifp->family = AF_INET; - if (inet_aton(addr, &ifp->addr.ip4) != 1 || - inet_aton(mask, &ifp->netmask.ip4) != 1) { + if (inet_pton(AF_INET, addr, &ifp->addr.ip4) != 1 || + inet_pton(AF_INET, mask, &ifp->netmask.ip4) != 1) { efree(ifp); continue; } diff --git a/plugins/sudoers/match_addr.c b/plugins/sudoers/match_addr.c index e2d4347f3..75c0bbc4c 100644 --- a/plugins/sudoers/match_addr.c +++ b/plugins/sudoers/match_addr.c @@ -65,7 +65,7 @@ addr_matches_if(const char *n) family = AF_INET6; } else #endif /* HAVE_STRUCT_IN6_ADDR */ - if (inet_aton(n, &addr.ip4) == 1) { + if (inet_pton(AF_INET, n, &addr.ip4) == 1) { family = AF_INET; } else { debug_return_bool(false); @@ -118,7 +118,7 @@ addr_matches_if_netmask(const char *n, const char *m) family = AF_INET6; else #endif /* HAVE_STRUCT_IN6_ADDR */ - if (inet_aton(n, &addr.ip4) == 1) { + if (inet_pton(AF_INET, n, &addr.ip4) == 1) { family = AF_INET; } else { debug_return_bool(false); @@ -126,7 +126,7 @@ addr_matches_if_netmask(const char *n, const char *m) if (family == AF_INET) { if (strchr(m, '.')) { - if (inet_aton(m, &mask.ip4) != 1) { + if (inet_pton(AF_INET, m, &mask.ip4) != 1) { sudo_debug_printf(SUDO_DEBUG_ERROR|SUDO_DEBUG_LINENO, "IPv4 netmask %s: %s", m, "invalid value"); debug_return_bool(false); -- 2.50.1