From 572ee41306386393e0b0e81332a15914ddb9ba3b Mon Sep 17 00:00:00 2001
From: Jacques de Laval
Date: Wed, 8 Sep 2021 15:34:53 +0200
Subject: [PATCH 1/6] Fix Coverity warning: initialize socket address storage

Signed-off-by: Jacques de Laval
---
 accept-guard.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/accept-guard.c b/accept-guard.c
index abeb80e..2e5e54c 100644
--- a/accept-guard.c
+++ b/accept-guard.c
@@ -125,9 +125,9 @@ static int identify_inbound(int sd, int ifindex, char *ifname, size_t len, int *
 {
 struct ifaddrs *ifaddr, *ifa;
 #ifdef AF_INET6
- struct sockaddr_storage ss;
+ struct sockaddr_storage ss = { 0 };
 #else
- struct sockaddr_in ss;
+ struct sockaddr_in ss = { 0 };
 #endif
 socklen_t slen = sizeof(ss);

From eace0f7c9a3243a33cc51fa3beefe07e52e1bc4d Mon Sep 17 00:00:00 2001
From: Jacques de Laval
Date: Wed, 8 Sep 2021 15:38:53 +0200
Subject: [PATCH 2/6] Pass through SOCK_STREAM in *recv functions

Signed-off-by: Jacques de Laval
---
 accept-guard.c | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/accept-guard.c b/accept-guard.c
index 2e5e54c..67ac40f 100644
--- a/accept-guard.c
+++ b/accept-guard.c
@@ -261,6 +261,21 @@ static int is_inet_domain(int sd)
 return 0; /* Possibly AF_UNIX socket, allow */
 }
+static int is_sock_stream(int sd)
+{
+ socklen_t len;
+ int val;
+
+ len = sizeof(val);
+ if (getsockopt(sd, SOL_SOCKET, SO_TYPE, &val, &len) == -1)
+ return 1; /* Fall back to allow syscall on error */
+
+ if (val == SOCK_STREAM)
+ return 1;
+
+ return 0;
+}
+
 int accept(int socket, struct sockaddr *addr, socklen_t *addrlen)
 {
 int rc;
@@ -319,7 +334,7 @@ static int peek_ifindex(int sd)
 static ssize_t do_recv(int sd, int rc, int flags, int ifindex)
 {
- if (rc == -1 || (flags & MSG_PEEK) || ifindex == 0 || !is_inet_domain(sd))
+ if (rc == -1 || (flags & MSG_PEEK) || ifindex == 0 || !is_inet_domain(sd) || is_sock_stream(sd))
 goto done;
 parse_acl();
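Review bot: In the new `is_sock_stream()` (patch 2/6, first hunk) the error branch returns 1, and the second hunk of the same patch uses a non-zero result to jump to `done` before `parse_acl()`, so a failing `getsockopt(SO_TYPE)` makes the guard fail open for that socket. The inline comment shows this is deliberate, but the function name reads as a pure type query, and the same choice recurs in `peek_ifindex()` in patch 3/6, whose `return 0` on getsockopt/setsockopt failure presumably feeds the `ifindex == 0` term. I would state the policy once above the helper, e.g. `/* Returns 1 for SOCK_STREAM, and also when the type cannot be read: the guard fails open */`, or return 0 on error so that an unreadable socket still goes through the ACL. The tail can also be reduced to `return val == SOCK_STREAM;`.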
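Review bot: The added `is_sock_stream(sd)` term in `do_recv()` (patch 2/6, second hunk) exempts every stream socket from the receive-path ACL, and nothing next to the condition says why. Presumably the reasoning is that TCP connections were already filtered in the `accept()` wrapper, which only holds for sockets that reached the program through that wrapper; that assumption should be written down where the exemption is made. Proposed comment above the `if`: `/* Stream sockets are filtered at accept(); only datagram traffic is checked here */`. `do_recv()` continues outside the hunk.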
From 5c254fdd9c3cd87cd0adcbaa92236f6fd46e0bcd Mon Sep 17 00:00:00 2001
From: Jacques de Laval
Date: Wed, 8 Sep 2021 15:40:21 +0200
Subject: [PATCH 3/6] Restore IP_PKTINFO option on socket after interface inspection

Signed-off-by: Jacques de Laval
---
 accept-guard.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/accept-guard.c b/accept-guard.c
index 67ac40f..f0684af 100644
--- a/accept-guard.c
+++ b/accept-guard.c
@@ -307,9 +307,15 @@ static int peek_ifindex(int sd)
 struct sockaddr_in sin;
 struct cmsghdr *cmsg;
 struct msghdr msgh;
+ socklen_t orig_len;
+ int orig_on = 0;
 int on = 1;
- setsockopt(sd, SOL_IP, IP_PKTINFO, &on, sizeof(on));
+ orig_len = sizeof(orig_on);
+ if (getsockopt(sd, SOL_IP, IP_PKTINFO, &orig_on, &orig_len) == -1)
+ return 0; /* Fall back to allow syscall on error */
+ if (setsockopt(sd, SOL_IP, IP_PKTINFO, &on, sizeof(on)) == -1)
+ return 0; /* Fall back to allow syscall on error */
 memset(&msgh, 0, sizeof(msgh));
 msgh.msg_name = &sin;
@@ -317,9 +323,13 @@ static int peek_ifindex(int sd)
 msgh.msg_control = cmbuf;
 msgh.msg_controllen = sizeof(cmbuf);
- if (org_recvmsg(sd, &msgh, MSG_PEEK) == -1)
+
+ if (org_recvmsg(sd, &msgh, MSG_PEEK) == -1) {
+ setsockopt(sd, SOL_IP, IP_PKTINFO, &orig_on, sizeof(orig_on));
 return 0;
+ }
+ setsockopt(sd, SOL_IP, IP_PKTINFO, &orig_on, sizeof(orig_on));
 for (cmsg = CMSG_FIRSTHDR(&msgh); cmsg; cmsg = CMSG_NXTHDR(&msgh, cmsg)) {
 struct in_pktinfo *ipi = (struct in_pktinfo *)CMSG_DATA(cmsg);

From 7aa178b0762311b1323be02ac55499559e8cd05f Mon Sep 17 00:00:00 2001
From: Jacques de Laval
Date: Wed, 8 Sep 2021 16:17:22 +0200
Subject: [PATCH 4/6] Add test case for IPv4 addresses mapped on IPv6

Signed-off-by: Jacques de Laval
---
 test/Makefile | 2 +-
 test/accept6-ipv4-mapped.sh | 19 +++++++++++++++++++
 2 files changed, 20 insertions(+), 1 deletion(-)
 create mode 100755 test/accept6-ipv4-mapped.sh

diff --git a/test/Makefile b/test/Makefile
index a4797ce..d0bc536 100644
--- a/test/Makefile
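Review bot: The save/enable/restore sequence that begins in the first hunk of patch 3/6 (`getsockopt` into `orig_on`, `setsockopt` to 1, write-back in the next hunk) is not atomic in `peek_ifindex()`, so two threads peeking the same `sd` can interleave. The second caller then reads `orig_on == 1` while the first still has the option enabled and "restores" it to 1, leaving IP_PKTINFO switched on for the application. Whether the preloaded program receives on one socket from several threads is not visible here, so at minimum record the assumption next to the sequence: `/* Not thread-safe: concurrent callers on the same sd may leave IP_PKTINFO enabled */`. The function starts and ends outside the hunk.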
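Review bot: In the second hunk of patch 3/6 the restore `setsockopt(sd, SOL_IP, IP_PKTINFO, &orig_on, sizeof(orig_on))` is written twice, once inside the new error branch and once after it, and on the error path it runs between the failed `org_recvmsg()` and `return 0`, where a failing restore would overwrite the errno of the peek. Keeping the result and restoring once stops the two paths from drifting apart: `int rc = org_recvmsg(sd, &msgh, MSG_PEEK);`, then the single restore, then `if (rc == -1) return 0;`. Whether any caller reads errno after `peek_ifindex()` is not visible in this hunk. The lone `+` line before the `if` appears to add a second blank line there, which looks unintentional.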
+++ b/test/Makefile
@@ -1,6 +1,6 @@
 EXEC := client server
 CFLAGS := -W -Wall -Wextra -std=gnu99 -g -O2
-TESTS := accept.sh accept6.sh recvfrom.sh recvmsg.sh
+TESTS := accept.sh accept6.sh accept6-ipv4-mapped.sh recvfrom.sh recvmsg.sh
 all: $(EXEC)
diff --git a/test/accept6-ipv4-mapped.sh b/test/accept6-ipv4-mapped.sh
new file mode 100755
index 0000000..eba845f
--- /dev/null
+++ b/test/accept6-ipv4-mapped.sh
@@ -0,0 +1,19 @@
+#!/bin/sh
+#set -x
+
+# shellcheck source=/dev/null
+. "$(dirname "$0")/lib.sh"
+
+topology
+server -6 -t
+
+print "Verifying loopback connectivity ..."
+./client -t -p 8080 127.0.0.1 || FAIL
+
+print "Verifying no connection via a1 ..."
+./client -t -p 8080 10.0.0.1 && FAIL
+
+print "Verifying connection via a2 ..."
+./client -t -p 8080 20.0.0.1 || FAIL
+
+OK

From 634f42b3801abe3880febc2d5fb681a098c2aac5 Mon Sep 17 00:00:00 2001
From: Jacques de Laval
Date: Thu, 9 Sep 2021 10:39:49 +0200
Subject: [PATCH 5/6] Ignore irrelevant return value from setsockopt()

Signed-off-by: Jacques de Laval
---
 accept-guard.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/accept-guard.c b/accept-guard.c
index f0684af..b0d8f46 100644
--- a/accept-guard.c
+++ b/accept-guard.c
@@ -325,11 +325,11 @@ static int peek_ifindex(int sd)
 if (org_recvmsg(sd, &msgh, MSG_PEEK) == -1) {
- setsockopt(sd, SOL_IP, IP_PKTINFO, &orig_on, sizeof(orig_on));
+ (void)setsockopt(sd, SOL_IP, IP_PKTINFO, &orig_on, sizeof(orig_on));
 return 0;
 }
- setsockopt(sd, SOL_IP, IP_PKTINFO, &orig_on, sizeof(orig_on));
+ (void)setsockopt(sd, SOL_IP, IP_PKTINFO, &orig_on, sizeof(orig_on));
 for (cmsg = CMSG_FIRSTHDR(&msgh); cmsg; cmsg = CMSG_NXTHDR(&msgh, cmsg)) {
 struct in_pktinfo *ipi = (struct in_pktinfo *)CMSG_DATA(cmsg);

From e84faada9fd162dc497324ff84968e818a6d1284 Mon Sep 17 00:00:00 2001
From: Jacques de Laval
Date: Thu, 9 Sep 2021 10:44:44 +0200
Subject: [PATCH 6/6] Update changelog and bump version for v1.5 release
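Review bot: The `(void)` casts in patch 5/6 discard the one failure in `peek_ifindex()` that changes state the application can observe: if the write-back of `orig_on` fails, the socket keeps IP_PKTINFO enabled after the function returns. The commit title calls the return value irrelevant, but the code does not say why. If that outcome is acceptable, record it next to the calls, e.g. `/* Best effort: a failed restore only leaves IP_PKTINFO enabled */`. The function continues outside the hunk.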
Signed-off-by: Jacques de Laval --- ChangeLog.md | 13 +++++++++++++ Makefile | 2 +- 2 files changed, 14 insertions(+), 1 deletion(-) diff --git a/ChangeLog.md b/ChangeLog.md index 4b3fca6..e074af8 100644 --- a/ChangeLog.md +++ b/ChangeLog.md @@ -4,6 +4,18 @@ ChangeLog All notable changes to the project are documented in this file. +[v1.5][] - 2021-09-09 +--------------------- + +### Changes +- Add support for handling IPv4 addresses mapped on IPv6 +- Pass through SOCK_STREAM in `recv()`, `recvfrom()` and `recvmsg()` + +### Fixes +- Restore IP_PKTINFO option on socket after interface inspection +- Fix uninitialized variable + + [v1.4][] - 2021-09-06 --------------------- @@ -58,6 +70,7 @@ First public release. Basic `accept()` wrapper which reads allowed interface:port tuples from an `ACL=iface:port;iface2:port` environment variable. +[v1.5]: https://github.com/westermo/accept-guard/compare/v1.4...v1.5 [v1.4]: https://github.com/westermo/accept-guard/compare/v1.3...v1.4 [v1.3]: https://github.com/westermo/accept-guard/compare/v1.2...v1.3 [v1.2]: https://github.com/westermo/accept-guard/compare/v1.1...v1.2 diff --git a/Makefile b/Makefile index e6c14e9..bb6b5d4 100644 --- a/Makefile +++ b/Makefile @@ -1,4 +1,4 @@ -VERSION = 1.4 +VERSION = 1.5 NAME = accept-guard PKG = $(NAME)-$(VERSION) ARCHIVE = $(PKG).tar.gz