ligang/vpp
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

acl: verify that src and dst have sane and same address family

Browse Source 
API refactoring moved the address-family tag from rule
level down to prefix level.

This necessarily warrants the check that they are the same.

Also, add a check that the address family is sane.

Change-Id: Ia63b688cc9e7c9e9cc773e89708d9e9f99185fb7
Type: fix
Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
This commit is contained in:
Andrew Yourtchenko
2021-03-25 15:34:33 +00:00
committed by Ole Tr�an
parent 90943e5a04
commit 80c5fb76fc
1 changed files with 5 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
src/plugins/acl/acl.c
View File

@@ -309,7 +309,9 @@ static int
acl_api_invalid_prefix (const vl_api_prefix_t * prefix)
{
ip_prefix_t ip_prefix;
return ip_prefix_decode2 (prefix, &ip_prefix);
int valid_af =
prefix->address.af == ADDRESS_IP4 || prefix->address.af == ADDRESS_IP6;
return (!valid_af) || ip_prefix_decode2 (prefix, &ip_prefix);
}
static int
@@ -338,6 +340,8 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
return VNET_API_ERROR_INVALID_SRC_ADDRESS;
if (acl_api_invalid_prefix (&rules[i].dst_prefix))
return VNET_API_ERROR_INVALID_DST_ADDRESS;
if (rules[i].src_prefix.address.af != rules[i].dst_prefix.address.af)
return VNET_API_ERROR_INVALID_SRC_ADDRESS;
if (ntohs (rules[i].srcport_or_icmptype_first) >
ntohs (rules[i].srcport_or_icmptype_last))
return VNET_API_ERROR_INVALID_VALUE_2;