upstream commit
Validate address ranges for AllowUser/DenyUsers at
configuration load time and refuse to accept bad ones. It was previously
possible to specify invalid CIDR address ranges (e.g. djm@127.1.2.3/55) and
these would always match.
Thanks to Laurence Parry for a detailed bug report. ok markus (for
a previous diff version)
Upstream-ID: 9dfcdd9672b06e65233ea4434c38226680d40bfb
diff --git a/match.c b/match.c
index b29a30e..c15dcd1 100644
--- a/match.c
+++ b/match.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: match.c,v 1.32 2016/09/21 16:55:42 djm Exp $ */
+/* $OpenBSD: match.c,v 1.33 2016/11/06 05:46:37 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -191,11 +191,10 @@
{
int mhost, mip;
- /* error in ipaddr match */
if ((mip = addr_match_list(ipaddr, patterns)) == -2)
- return -1;
- else if (mip == -1) /* negative ip address match */
- return 0;
+ return -1; /* error in ipaddr match */
+ else if (host == NULL || ipaddr == NULL || mip == -1)
+ return 0; /* negative ip address match, or testing pattern */
/* negative hostname match */
if ((mhost = match_hostname(host, patterns)) == -1)
@@ -207,7 +206,9 @@
}
/*
- * match user, user@host_or_ip, user@host_or_ip_list against pattern
+ * Match user, user@host_or_ip, user@host_or_ip_list against pattern.
+ * If user, host and ipaddr are all NULL then validate pattern/
+ * Returns -1 on invalid pattern, 0 on no match, 1 on match.
*/
int
match_user(const char *user, const char *host, const char *ipaddr,
@@ -216,6 +217,14 @@
char *p, *pat;
int ret;
+ /* test mode */
+ if (user == NULL && host == NULL && ipaddr == NULL) {
+ if ((p = strchr(pattern, '@')) != NULL &&
+ match_host_and_ip(NULL, NULL, p + 1) < 0)
+ return -1;
+ return 0;
+ }
+
if ((p = strchr(pattern,'@')) == NULL)
return match_pattern(user, pattern);