NetBSD-Bugs archive
lib/54992: hosts_access(5) doesn't work for IPv6 linklocal address without scope-id
>Number: 54992
>Category: lib
>Synopsis: hosts_access(5) doesn't work for IPv6 linklocal address without scope-id
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Thu Feb 20 21:05:00 +0000 2020
>Originator: Ryo Shimizu
>Release: NetBSD 9.99.46
>Organization:
>Environment:
System: NetBSD subq 9.99.46 NetBSD 9.99.46 (SUBQ) #17: Mon Feb 10 02:58:24 JST 2020 ryo@subq:/usr/src/sys/arch/amd64/compile/SUBQ amd64
Architecture: x86_64
Machine: amd64
>Description:
[hosts.allow]
ALL: [fe80::%re0/16] # this works
but,
[hosts.allow]
ALL: [fe80::/16] # this doesn't work.
>How-To-Repeat:
hostA# echo 'ALL: [fe80::/16]' >> /etc/hosts.allow
hostB# ssh fe80::6d9:f5ff:fe06:e273%wm2
Connect to the linklocal address of hostA; the connection is refused.
>Fix:
In this case, only the addresses should be compared, with or without scope-id.
libwrap/hosts_access.c:masked_match6() always compares scope_id when the address is linklocal.
(e.g., string="fe80::1efd:8ff:fe70:5d2e%re0", net="fe80::", mask="16")
> if (addr.sa.sa_family == AF_INET6 && addr.sin6.sin6_scope_id &&
> addr.sin6.sin6_scope_id != net.sin6.sin6_scope_id)
> return NO;
'addr' is the client address extracted by getaddrinfo() from the 'string' argument,
and 'net' is the address/mask written in /etc/hosts.{allow,deny}.
When addr is a linklocal, the 2nd condition (addr.sin6.sin6_scope_id) is true, but
'net' may not have a valid scope-id, therefore:
	if (addr.sa.sa_family == AF_INET6 && addr.sin6.sin6_scope_id && net.sin6.sin6_scope_id &&
	    addr.sin6.sin6_scope_id != net.sin6.sin6_scope_id)
		return NO;
However, this is too verbose, so the following is sufficient.
Index: hosts_access.c
===================================================================
RCS file: /src/cvs/cvsroot-netbsd/src/lib/libwrap/hosts_access.c,v
retrieving revision 1.21
diff -a -u -r1.21 hosts_access.c
--- hosts_access.c 17 Feb 2016 19:52:20 -0000 1.21
+++ hosts_access.c 19 Feb 2020 18:01:24 -0000
@@ -561,7 +561,7 @@
for (i = 0; i < alen; i++)
ap[i] &= mp[i];
- if (addr.sa.sa_family == AF_INET6 && addr.sin6.sin6_scope_id &&
+ if (addr.sa.sa_family == AF_INET6 && net.sin6.sin6_scope_id &&
addr.sin6.sin6_scope_id != net.sin6.sin6_scope_id)
return NO;
return (memcmp(ap, np, alen) == 0);
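Review bot: the changed `if` tests only net.sin6.sin6_scope_id, which is not equivalent to the two-test form given earlier in the report (addr.sin6.sin6_scope_id && net.sin6.sin6_scope_id). When the rule carries a scope-id and the client address has sin6_scope_id == 0, this version returns NO, while both the removed line and the two-test form fall through to memcmp(). Failing closed for an interface-pinned rule looks like the safer result, but it is a behaviour change that goes beyond "less verbose". Please add a comment above the condition stating the intended semantics (a rule without scope-id matches the prefix on any interface; a rule with scope-id matches only that interface), and add a matching sentence to hosts_access(5), since an unscoped pattern such as [fe80::/16] will now admit link-local clients arriving on every interface.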
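The three scope-id checks discussed in this report (the original, the two-test form, and the patched one), compared side by side in a simplified model of the prefix match. This is an added example, not code from libwrap or from the report; `scope_rejects`, `match6` and the numeric scope ids (1 standing for re0, 2 for wm2) are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
enum scope_rule { RULE_ORIGINAL, RULE_TWO_TEST, RULE_PATCHED };

/* Returns 1 when the "return NO" branch fires for this scope-id pair. */
static int scope_rejects(enum scope_rule r, unsigned addr_scope, unsigned net_scope)
{
    int differ = addr_scope != net_scope;
    switch (r) {
    case RULE_ORIGINAL: return addr_scope && differ;
    case RULE_TWO_TEST: return addr_scope && net_scope && differ;
    default:            return net_scope && differ;   /* patched */
    }
}

/* Simplified model (assumption): mask the client, check scope, compare. */
static int match6(enum scope_rule r, const char *client, unsigned client_scope,
                  const char *net, unsigned prefix_len, unsigned net_scope)
{
    struct in6_addr a, n;
    unsigned i, bits;
    if (prefix_len > 128 || inet_pton(AF_INET6, client, &a) != 1 ||
        inet_pton(AF_INET6, net, &n) != 1)
        return 0;
    for (i = 0; i < 16; i++) {
        bits = prefix_len >= (i + 1) * 8 ? 8 :
               prefix_len <= i * 8 ? 0 : prefix_len - i * 8;
        a.s6_addr[i] &= (unsigned char)(0xff << (8 - bits));
    }
    if (scope_rejects(r, client_scope, net_scope))
        return 0;
    return memcmp(&a, &n, sizeof(a)) == 0;
}

int main(void)
{
    static const unsigned cases[4][2] = { {1, 0}, {1, 1}, {2, 1}, {0, 1} }; /* constructed {client, rule} scope ids */
    const char *client = "fe80::1efd:8ff:fe70:5d2e";
    int i, r;
    for (i = 0; i < 4; i++) {
        printf("client scope %u, rule scope %u:", cases[i][0], cases[i][1]);
        for (r = RULE_ORIGINAL; r <= RULE_PATCHED; r++)
            printf(" %d", match6((enum scope_rule)r, client, cases[i][0], "fe80::", 16, cases[i][1]));
        printf("\n");
    }
    return 0;
}
```

The last constructed case (client scope 0, rule scope 1) is the one where the two-test form and the patched form give different answers.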