From 1d9722de6f90c3edf286b077938bfa696e728d6c Mon Sep 17 00:00:00 2001 From: Gleb Smirnoff Date: Thu, 20 Jul 2023 14:56:20 -0700 Subject: [PATCH] tcp_wrappers: recognize IPv6 addresses/prefixes Intentionally or not, but the libwrap was written in such manner that if your /etc/hosts.allow doesn't have any domain names, neither smart keywords like LOCAL or KNOWN, then it will not try to resolve the client address during the hosts check. This was achieved with the NOT_INADDR() check that matched IPv4 addresses/prefixes. Extend this to also skip resolve if client list token looks like IPv6. Reviewed by: philip, emaste PR: 269456 Differential revision: https://reviews.freebsd.org/D40070 --- contrib/tcp_wrappers/hosts_access.c | 3 ++- contrib/tcp_wrappers/tcpd.h | 1 + 2 files changed, 3 insertions(+), 1 deletion(-) diff --git a/contrib/tcp_wrappers/hosts_access.c b/contrib/tcp_wrappers/hosts_access.c index 05c62d1940914e..e55f3f34dd20b4 100644 --- a/contrib/tcp_wrappers/hosts_access.c +++ b/contrib/tcp_wrappers/hosts_access.c @@ -315,7 +315,8 @@ static int host_match(char *tok, struct host_info *host) return (masked_match(tok, mask, eval_hostaddr(host))); } else { /* anything else */ return (string_match(tok, eval_hostaddr(host)) - || (NOT_INADDR(tok) && string_match(tok, eval_hostname(host)))); + || (NOT_INADDR(tok) && NOT_INADDR6(tok) + && string_match(tok, eval_hostname(host)))); } } diff --git a/contrib/tcp_wrappers/tcpd.h b/contrib/tcp_wrappers/tcpd.h index 1078073c8e3ab9..194cde378c1cf5 100644 --- a/contrib/tcp_wrappers/tcpd.h +++ b/contrib/tcp_wrappers/tcpd.h @@ -70,6 +70,7 @@ extern char paranoid[]; #define HOSTNAME_KNOWN(s) (STR_NE((s),unknown) && STR_NE((s),paranoid)) #define NOT_INADDR(s) (s[strspn(s,"01234567890./")] != 0) +#define NOT_INADDR6(s) (strchr(s, ':') == NULL) /* Global functions. */