From 97b89435aad77bd6d9e18747b55d701e360d5aac Mon Sep 17 00:00:00 2001 From: Rainer Gerhards Date: Sat, 29 Nov 2008 09:47:04 +0100 Subject: bugfix: $AllowedSender handled invalidly for plain TCP transport --- runtime/netstrm.c | 12 ++++++++++++ runtime/netstrm.h | 10 +++++++++- runtime/nsd.h | 12 +++++++++++- runtime/nsd_ptcp.c | 25 +++++++++++++++++++++++++ runtime/nsd_ptcp.h | 3 +++ tcpsrv.c | 5 +++-- 6 files changed, 63 insertions(+), 4 deletions(-) diff --git a/runtime/netstrm.c b/runtime/netstrm.c index 2f4a1964..ffa1c578 100644 --- a/runtime/netstrm.c +++ b/runtime/netstrm.c @@ -265,6 +265,17 @@ GetRemoteIP(netstrm_t *pThis, uchar **ppsz) } +/* get remote addr - slim wrapper for NSD driver function */ +static rsRetVal +GetRemAddr(netstrm_t *pThis, struct sockaddr_storage **ppAddr) +{ + DEFiRet; + ISOBJ_TYPE_assert(pThis, netstrm); + iRet = pThis->Drvr.GetRemAddr(pThis->pDrvrData, ppAddr); + RETiRet; +} + + /* open a connection to a remote host (server). * rgerhards, 2008-03-19 */ @@ -320,6 +331,7 @@ CODESTARTobjQueryInterface(netstrm) pIf->AcceptConnReq = AcceptConnReq; pIf->GetRemoteHName = GetRemoteHName; pIf->GetRemoteIP = GetRemoteIP; + pIf->GetRemAddr = GetRemAddr; pIf->SetDrvrMode = SetDrvrMode; pIf->SetDrvrAuthMode = SetDrvrAuthMode; pIf->SetDrvrPermPeers = SetDrvrPermPeers; diff --git a/runtime/netstrm.h b/runtime/netstrm.h index 1a97ef23..3ab790e8 100644 --- a/runtime/netstrm.h +++ b/runtime/netstrm.h @@ -61,8 +61,16 @@ BEGINinterface(netstrm) /* name must also be changed in ENDinterface macro! */ * this interface. -- rgerhards, 2008-05-05 */ rsRetVal (*GetSock)(netstrm_t *pThis, int *pSock); + rsRetVal (*GetRemAddr)(netstrm_t *pThis, struct sockaddr_storage **ppAddr); + /* getRemAddr() is an aid needed by the legacy ACL system. It exposes the remote + * peer's socket addr structure, so that the legacy matching functions can work on + * it. Note that this ties netstream drivers to things that can be implemented over + * sockets - not really desirable, but not the end of the world... TODO: should be + * reconsidered when a new ACL system is build. -- rgerhards, 2008-12-01 + */ ENDinterface(netstrm) -#define netstrmCURR_IF_VERSION 2 /* increment whenever you change the interface structure! */ +#define netstrmCURR_IF_VERSION 3 /* increment whenever you change the interface structure! */ +/* interface version 3 added GetRemAddr() */ /* prototypes */ PROTOTYPEObj(netstrm); diff --git a/runtime/nsd.h b/runtime/nsd.h index 1811f078..f0c9b9b6 100644 --- a/runtime/nsd.h +++ b/runtime/nsd.h @@ -27,6 +27,8 @@ #ifndef INCLUDED_NSD_H #define INCLUDED_NSD_H +#include + enum nsdsel_waitOp_e { NSDSEL_RD = 1, NSDSEL_WR = 2, @@ -60,8 +62,16 @@ BEGINinterface(nsd) /* name must also be changed in ENDinterface macro! */ * OS sockets. This interface is primarily meant as an internal aid for * those drivers that utilize the nsd_ptcp to do some of their work. */ + rsRetVal (*GetRemAddr)(nsd_t *pThis, struct sockaddr_storage **ppAddr); + /* getRemAddr() is an aid needed by the legacy ACL system. It exposes the remote + * peer's socket addr structure, so that the legacy matching functions can work on + * it. Note that this ties netstream drivers to things that can be implemented over + * sockets - not really desirable, but not the end of the world... TODO: should be + * reconsidered when a new ACL system is build. -- rgerhards, 2008-12-01 + */ ENDinterface(nsd) -#define nsdCURR_IF_VERSION 3 /* increment whenever you change the interface structure! */ +#define nsdCURR_IF_VERSION 4 /* increment whenever you change the interface structure! */ +/* interface version 4 added GetRemAddr() */ /* interface for the select call */ BEGINinterface(nsdsel) /* name must also be changed in ENDinterface macro! */ diff --git a/runtime/nsd_ptcp.c b/runtime/nsd_ptcp.c index 4cb46380..cc531ca0 100644 --- a/runtime/nsd_ptcp.c +++ b/runtime/nsd_ptcp.c @@ -91,6 +91,24 @@ CODESTARTobjDestruct(nsd_ptcp) ENDobjDestruct(nsd_ptcp) +/* Provide access to the sockaddr_storage of the remote peer. This + * is needed by the legacy ACL system. --- gerhards, 2008-12-01 + */ +static rsRetVal +GetRemAddr(nsd_t *pNsd, struct sockaddr_storage **ppAddr) +{ + nsd_ptcp_t *pThis = (nsd_ptcp_t*) pNsd; + DEFiRet; + + ISOBJ_TYPE_assert((pThis), nsd_ptcp); + assert(ppAddr != NULL); + + *ppAddr = &(pThis->remAddr); + + RETiRet; +} + + /* Provide access to the underlying OS socket. This is primarily * useful for other drivers (like nsd_gtls) who utilize ourselfs * for some of their functionality. -- rgerhards, 2008-04-18 @@ -320,6 +338,12 @@ AcceptConnReq(nsd_t *pNsd, nsd_t **ppNew) /* construct our object so that we can use it... */ CHKiRet(nsd_ptcpConstruct(&pNew)); + /* for the legacy ACL code, we need to preserve addr. While this is far from + * begin perfect (from an abstract design perspective), we need this to prevent + * breaking everything. TODO: we need to implement a new ACL module to get rid + * of this function. -- rgerhards, 2008-12-01 + */ + memcpy(&pNew->remAddr, &addr, sizeof(struct sockaddr_storage)); CHKiRet(FillRemHost(pNew, (struct sockaddr*) &addr)); /* set the new socket to non-blocking IO -TODO:do we really need to do this here? Do we always want it? */ @@ -716,6 +740,7 @@ CODESTARTobjQueryInterface(nsd_ptcp) pIf->Construct = (rsRetVal(*)(nsd_t**)) nsd_ptcpConstruct; pIf->Destruct = (rsRetVal(*)(nsd_t**)) nsd_ptcpDestruct; pIf->Abort = Abort; + pIf->GetRemAddr = GetRemAddr; pIf->GetSock = GetSock; pIf->SetSock = SetSock; pIf->SetMode = SetMode; diff --git a/runtime/nsd_ptcp.h b/runtime/nsd_ptcp.h index efd3ed05..b94cc018 100644 --- a/runtime/nsd_ptcp.h +++ b/runtime/nsd_ptcp.h @@ -24,6 +24,8 @@ #ifndef INCLUDED_NSD_PTCP_H #define INCLUDED_NSD_PTCP_H +#include + #include "nsd.h" typedef nsd_if_t nsd_ptcp_if_t; /* we just *implement* this interface */ @@ -32,6 +34,7 @@ struct nsd_ptcp_s { BEGINobjInstance; /* Data to implement generic object - MUST be the first data element! */ uchar *pRemHostIP; /**< IP address of remote peer (currently used in server mode, only) */ uchar *pRemHostName; /**< host name of remote peer (currently used in server mode, only) */ + struct sockaddr_storage remAddr; /**< remote addr as sockaddr - used for legacy ACL code */ int sock; /**< the socket we use for regular, single-socket, operations */ }; diff --git a/tcpsrv.c b/tcpsrv.c index 8aeb9f5c..1f307b7e 100644 --- a/tcpsrv.c +++ b/tcpsrv.c @@ -312,7 +312,7 @@ SessAccept(tcpsrv_t *pThis, tcps_sess_t **ppSess, netstrm_t *pStrm) tcps_sess_t *pSess; netstrm_t *pNewStrm = NULL; int iSess = -1; - struct sockaddr_storage addr; + struct sockaddr_storage *addr; uchar *fromHostFQDN = NULL; uchar *fromHostIP = NULL; @@ -336,13 +336,14 @@ SessAccept(tcpsrv_t *pThis, tcps_sess_t **ppSess, netstrm_t *pStrm) /* get the host name */ CHKiRet(netstrm.GetRemoteHName(pNewStrm, &fromHostFQDN)); CHKiRet(netstrm.GetRemoteIP(pNewStrm, &fromHostIP)); + CHKiRet(netstrm.GetRemAddr(pNewStrm, &addr)); /* TODO: check if we need to strip the domain name here -- rgerhards, 2008-04-24 */ /* Here we check if a host is permitted to send us messages. If it isn't, we do not further * process the message but log a warning (if we are configured to do this). * rgerhards, 2005-09-26 */ - if(!pThis->pIsPermittedHost((struct sockaddr*) &addr, (char*) fromHostFQDN, pThis->pUsr, pSess->pUsr)) { + if(!pThis->pIsPermittedHost((struct sockaddr*) addr, (char*) fromHostFQDN, pThis->pUsr, pSess->pUsr)) { dbgprintf("%s is not an allowed sender\n", fromHostFQDN); if(glbl.GetOption_DisallowWarning()) { errno = 0; -- cgit