aboutsummaryrefslogtreecommitdiffstats
path: root/src/plugins/acl
diff options
context:
space:
mode:
authorAndrew Yourtchenko <ayourtch@gmail.com>2021-03-25 15:34:33 +0000
committerOle Tr�an <otroan@employees.org>2022-11-09 15:37:36 +0000
commit80c5fb76fc1ff23dada2d1d7a319b5896ea28456 (patch)
treecf07f43571f0f8a84903f76f7a08cb058c315049 /src/plugins/acl
parent90943e5a049c18816a0da947a7366072e9a4a50a (diff)
acl: verify that src and dst have sane and same address family
API refactoring moved the address-family tag from rule level down to prefix level. This necessarily warrants the check that they are the same. Also, add a check that the address family is sane. Change-Id: Ia63b688cc9e7c9e9cc773e89708d9e9f99185fb7 Type: fix Signed-off-by: Andrew Yourtchenko <ayourtch@gmail.com>
Diffstat (limited to 'src/plugins/acl')
-rw-r--r--src/plugins/acl/acl.c6
1 files changed, 5 insertions, 1 deletions
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c
index eb3815082f3..7e51247cadf 100644
--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
@@ -309,7 +309,9 @@ static int
acl_api_invalid_prefix (const vl_api_prefix_t * prefix)
{
ip_prefix_t ip_prefix;
- return ip_prefix_decode2 (prefix, &ip_prefix);
+ int valid_af =
+ prefix->address.af == ADDRESS_IP4 || prefix->address.af == ADDRESS_IP6;
+ return (!valid_af) || ip_prefix_decode2 (prefix, &ip_prefix);
}
static int
@@ -338,6 +340,8 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
return VNET_API_ERROR_INVALID_SRC_ADDRESS;
if (acl_api_invalid_prefix (&rules[i].dst_prefix))
return VNET_API_ERROR_INVALID_DST_ADDRESS;
+ if (rules[i].src_prefix.address.af != rules[i].dst_prefix.address.af)
+ return VNET_API_ERROR_INVALID_SRC_ADDRESS;
if (ntohs (rules[i].srcport_or_icmptype_first) >
ntohs (rules[i].srcport_or_icmptype_last))
return VNET_API_ERROR_INVALID_VALUE_2;