2456. [bug] In ACLs, ::/0 and 0.0.0.0/0 would both match any

address, regardless of family. They now correctly distinguish IPv4 from IPv6. [RT #18559]
2008-09-26 21:12:02 +00:00
parent 106360491a
commit b0bf1ad5b0
5 changed files with 91 additions and 46 deletions
--- a/lib/dns/acl.c
+++ b/lib/dns/acl.c
@@ -15,7 +15,7 @@
 * PERFORMANCE OF THIS SOFTWARE.
 */

-/* $Id: acl.c,v 1.48 2008/09/26 16:44:49 each Exp $ */
+/* $Id: acl.c,v 1.49 2008/09/26 21:12:02 each Exp $ */

 /*! \file */

@@ -223,8 +223,6 @@ dns_acl_match(const isc_netaddr_t *reqaddr,

 	/* Found a match. */
 	if (result == ISC_R_SUCCESS && node != NULL) {
-		if (node->bit == 0)
-			family = AF_INET;
 		match_num = node->node_num[ISC_IS6(family)];
 		if (*(isc_boolean_t *) node->data[ISC_IS6(family)] == ISC_TRUE)
 			*match = match_num;
@@ -498,9 +496,8 @@ is_insecure(isc_prefix_t *prefix, void **data) {
 	isc_boolean_t secure;
 	int bitlen, family;

-	/* Bitlen 0 means "any" or "none", which is always treated as IPv4 */
 	bitlen = prefix->bitlen;
-	family = bitlen ? prefix->family : AF_INET;
+	family = prefix->family;

 	/* Negated entries are always secure. */
 	secure = * (isc_boolean_t *)data[ISC_IS6(family)];