author | netblue30 <netblue30@yahoo.com> | 2018-01-16 20:44:06 -0500 |
---|---|---|
committer | netblue30 <netblue30@yahoo.com> | 2018-01-16 20:44:06 -0500 |
commit | 3cab64296a5e0739552f1d959c5efc7fd49cc1d5 (patch) | |
tree | 6eb0961cd038780ccd7d2cc630b9408e6855b09f | |
parent | added support for IPv6 DNS configuration - #1722 (diff) | |
add check for ipv6 address syntax
-rw-r--r-- | src/firejail/main.c | 16 | ||||
-rw-r--r-- | src/firejail/network.c | 21 | ||||
-rw-r--r-- | src/firejail/profile.c | 16 |
3 files changed, 38 insertions, 15 deletions
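--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2034,18 +2034,20 @@ int main(int argc, char **argv) {
 fprintf(stderr, "Error: no network device configured\n");
 exit(1);
 }
-if (br->arg_ip_none || br->ip6sandbox) {
+if (br->ip6sandbox) {
 fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
 exit(1);
 }
 
 // configure this IP address for the last bridge defined
-// todo: verify ipv6 syntax
-br->ip6sandbox = argv[i] + 6;
-// if (atoip(argv[i] + 5, &br->ipsandbox)) {
-// fprintf(stderr, "Error: invalid IP address\n");
-// exit(1);
-// }
+if (check_ip46_address(argv[i] + 6) == 0) {
+fprintf(stderr, "Error: invalid IPv6 address\n");
+exit(1);
+}
+
+br->ip6sandbox = strdup(argv[i] + 6);
+if (br->ip6sandbox == NULL)
+errExit("strdup");
 }
 else
 exit_err_feature("networking");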
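Review bot: The new guard `check_ip46_address(argv[i] + 6) == 0` probably lets an IPv4 address through on the IPv6 option. The function name and the `// check ipv6 address` comment in the network.c section suggest an IPv4 check runs first, although that part is not visible here. If so, a dotted-quad value would be stored in `br->ip6sandbox` despite the "invalid IPv6 address" message. Since every textual IPv6 address contains a colon, the guard can be tightened to `if (strchr(argv[i] + 6, ':') == NULL || check_ip46_address(argv[i] + 6) == 0) {`. The same guard is added in profile.c with `ptr + 4` and needs the same change. main() continues outside this hunk.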
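--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -37,8 +37,27 @@ int check_ip46_address(const char *addr) {
 
 // check ipv6 address
 struct in6_addr result;
-if (inet_pton(AF_INET6, addr, &result) == 1)
+
+char *tmpstr = strdup(addr);
+if (!tmpstr)
+errExit("strdup");
+char *ptr = strchr(tmpstr, '/');
+if (ptr) {
+*ptr = '\0';
+ptr++;
+int mask = atoi(ptr);
+// check the network mask
+if (mask < 0 || mask > 128) {
+free(tmpstr);
+return 0;
+}
+}
+if (inet_pton(AF_INET6, tmpstr, &result) == 1) {
+free(tmpstr);
 return 1;
+}
+
+free(tmpstr);
 
 // failed
 return 0;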
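Review bot: `int mask = atoi(ptr);` does not validate the prefix length. `atoi` returns 0 for an empty or non-numeric suffix and ignores trailing characters, so a suffix such as `/`, `/abc` or `/64xyz` passes the `mask < 0 || mask > 128` test, and a value too large for `int` is undefined behaviour. The callers in main.c and profile.c then `strdup` the whole original string, so the unchecked suffix is kept in `br->ip6sandbox` for whatever code consumes it later. Parse strictly instead with `char *end; long mask = strtol(ptr, &end, 10);` followed by `if (end == ptr || *end != '\0' || mask < 0 || mask > 128) {`. check_ip46_address begins above this hunk, so its IPv4 path is not visible here.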
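--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -502,18 +502,20 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 fprintf(stderr, "Error: no network device configured\n");
 exit(1);
 }
-if (br->arg_ip_none || br->ip6sandbox) {
+if (br->ip6sandbox) {
 fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
 exit(1);
 }
 
 // configure this IP address for the last bridge defined
-// todo: verify ipv6 syntax
-br->ip6sandbox = ptr + 4;
-// if (atoip(argv[i] + 5, &br->ipsandbox)) {
-// fprintf(stderr, "Error: invalid IP address\n");
-// exit(1);
-// }
+if (check_ip46_address(ptr + 4) == 0) {
+fprintf(stderr, "Error: invalid IPv6 address\n");
+exit(1);
+}
+
+br->ip6sandbox = strdup(ptr + 4);
+if (br->ip6sandbox == NULL)
+errExit("strdup");
 
 }
 else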