tcp_wrappers: recognize IPv6 addresses/prefixes

Intentionally or not, but the libwrap was written in such manner that if your /etc/hosts.allow doesn't have any domain names, neither smart keywords like LOCAL or KNOWN, then it will not try to resolve the client address during the hosts check. This was achieved with the NOT_INADDR() check that matched IPv4 addresses/prefixes. Extend this to also skip resolve if client list token looks like IPv6. Reviewed by: philip, emaste PR: 269456 Differential revision: https://reviews.freebsd.org/D40070
nhuff · Jul 20, 2023 · 1d9722d · 1d9722d
1 parent 9ff45b8
commit 1d9722d
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 1 deletion.
diff --git a/contrib/tcp_wrappers/hosts_access.c b/contrib/tcp_wrappers/hosts_access.c
@@ -315,7 +315,8 @@ static int host_match(char *tok, struct host_info *host)
 	return (masked_match(tok, mask, eval_hostaddr(host)));
     } else {					/* anything else */
 	return (string_match(tok, eval_hostaddr(host))
-	    || (NOT_INADDR(tok) && string_match(tok, eval_hostname(host))));
+	    || (NOT_INADDR(tok) && NOT_INADDR6(tok)
+	     && string_match(tok, eval_hostname(host))));
     }
 }
 

diff --git a/contrib/tcp_wrappers/tcpd.h b/contrib/tcp_wrappers/tcpd.h
@@ -70,6 +70,7 @@ extern char paranoid[];
 #define	HOSTNAME_KNOWN(s) (STR_NE((s),unknown) && STR_NE((s),paranoid))
 
 #define	NOT_INADDR(s) (s[strspn(s,"01234567890./")] != 0)
+#define	NOT_INADDR6(s) (strchr(s, ':') == NULL)
 
 /* Global functions. */