authorLibravatar netblue30 <netblue30@yahoo.com>2018-01-16 20:44:06 -0500
committerLibravatar netblue30 <netblue30@yahoo.com>2018-01-16 20:44:06 -0500
commit3cab64296a5e0739552f1d959c5efc7fd49cc1d5 (patch)
tree6eb0961cd038780ccd7d2cc630b9408e6855b09f /src
parentadded support for IPv6 DNS configuration - #1722 (diff)
add check for ipv6 address syntax
Diffstat (limited to 'src')
-rw-r--r--src/firejail/main.c16
-rw-r--r--src/firejail/network.c21
-rw-r--r--src/firejail/profile.c16
3 files changed, 38 insertions, 15 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index b2b4fe525..9cd89d42c 100644
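--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -2034,18 +2034,20 @@ int main(int argc, char **argv) {
 fprintf(stderr, "Error: no network device configured\n");
 exit(1);
 }
-if (br->arg_ip_none || br->ip6sandbox) {
+if (br->ip6sandbox) {
 fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
 exit(1);
 }
 
 // configure this IP address for the last bridge defined
-// todo: verify ipv6 syntax
-br->ip6sandbox = argv[i] + 6;
-// if (atoip(argv[i] + 5, &br->ipsandbox)) {
-// fprintf(stderr, "Error: invalid IP address\n");
-// exit(1);
-// }
+if (check_ip46_address(argv[i] + 6) == 0) {
+fprintf(stderr, "Error: invalid IPv6 address\n");
+exit(1);
+}
+
+br->ip6sandbox = strdup(argv[i] + 6);
+if (br->ip6sandbox == NULL)
+errExit("strdup");
 }
 else
 exit_err_feature("networking");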
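Review bot: The gate added at new line 2043 calls `check_ip46_address()`, whose name and the `// check ipv6 address` comment in the network.c hunk suggest an IPv4 branch earlier in that function, so an IPv4 literal would presumably pass here and be stored in `br->ip6sandbox` without the "invalid IPv6 address" error firing. If that is confirmed, requiring a colon before accepting the value keeps the check in line with its message: `if (strchr(argv[i] + 6, ':') == NULL || check_ip46_address(argv[i] + 6) == 0) {`. The same call is made at new line 511 of profile.c with `ptr + 4`. The enclosing `main()` starts and ends outside the hunk.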
diff --git a/src/firejail/network.c b/src/firejail/network.c
index 5ebaf873c..7b84854d3 100644
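--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -37,8 +37,27 @@ int check_ip46_address(const char *addr) {
 
 // check ipv6 address
 struct in6_addr result;
-if (inet_pton(AF_INET6, addr, &result) == 1)
+
+char *tmpstr = strdup(addr);
+if (!tmpstr)
+errExit("strdup");
+char *ptr = strchr(tmpstr, '/');
+if (ptr) {
+*ptr = '\0';
+ptr++;
+int mask = atoi(ptr);
+// check the network mask
+if (mask < 0 || mask > 128) {
+free(tmpstr);
+return 0;
+}
+}
+if (inet_pton(AF_INET6, tmpstr, &result) == 1) {
+free(tmpstr);
 return 1;
+}
+
+free(tmpstr);
 
 // failed
 return 0;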
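Review bot: The prefix-length check at new lines 48-50 parses with `atoi`, which yields 0 for non-numeric text and stops at the first non-digit, so values such as `::1/`, `::1/abc` or `::1/64x` pass validation, and the callers in main.c and profile.c then keep the whole string in `br->ip6sandbox`. Strict parsing closes that gap: `char *end; long mask = strtol(ptr, &end, 10);` followed by `if (end == ptr || *end != '\0' || mask < 0 || mask > 128) {`. Out-of-range input is also undefined for `atoi`, whereas `strtol` saturates and is rejected by the range test. The function begins above the hunk, so anything it does before line 37 is not visible here.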
diff --git a/src/firejail/profile.c b/src/firejail/profile.c
index c14f2b1f3..d0c43d13e 100644
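--- a/src/firejail/profile.c
+++ b/src/firejail/profile.c
@@ -502,18 +502,20 @@ int profile_check_line(char *ptr, int lineno, const char *fname) {
 fprintf(stderr, "Error: no network device configured\n");
 exit(1);
 }
-if (br->arg_ip_none || br->ip6sandbox) {
+if (br->ip6sandbox) {
 fprintf(stderr, "Error: cannot configure the IP address twice for the same interface\n");
 exit(1);
 }
 
 // configure this IP address for the last bridge defined
-// todo: verify ipv6 syntax
-br->ip6sandbox = ptr + 4;
-// if (atoip(argv[i] + 5, &br->ipsandbox)) {
-// fprintf(stderr, "Error: invalid IP address\n");
-// exit(1);
-// }
+if (check_ip46_address(ptr + 4) == 0) {
+fprintf(stderr, "Error: invalid IPv6 address\n");
+exit(1);
+}
+
+br->ip6sandbox = strdup(ptr + 4);
+if (br->ip6sandbox == NULL)
+errExit("strdup");
 
 }
 else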
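Review bot: The conflict test at new line 505 no longer looks at `br->arg_ip_none`, a behaviour change the commit title ("add check for ipv6 address syntax") does not mention; main.c line 2037 drops the same term. If the intent is that the "none" setting applies to IPv4 only and should not block an IPv6 address, which is presumably the case, a comment would record it: `// arg_ip_none concerns IPv4 only; an IPv6 address may still be configured`. If it was not intended, the condition should keep `br->arg_ip_none ||`. The enclosing `profile_check_line()` starts and ends outside the hunk.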