/src/openssh/addrmatch.c

Source
/*  $OpenBSD: addrmatch.c,v 1.19 2026/02/14 00:18:34 jsg Exp $ */

/*
 * Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include "includes.h"

#include <sys/types.h>
#include <netinet/in.h>

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <stdarg.h>

#include "addr.h"
#include "match.h"
#include "log.h"

/*
 * Match "addr" against list pattern list "_list", which may contain a
 * mix of CIDR addresses and old-school wildcards.
 *
 * If addr is NULL, then no matching is performed, but _list is parsed
 * and checked for well-formedness.
 *
 * Returns 1 on match found (never returned when addr == NULL).
 * Returns 0 on if no match found, or no errors found when addr == NULL.
 * Returns -1 on negated match found (never returned when addr == NULL).
 * Returns -2 on invalid list entry.
 */
int
addr_match_list(const char *addr, const char *_list)
{
  char *list, *cp, *o;
  struct xaddr try_addr, match_addr;
  u_int masklen, neg;
  int ret = 0, r;

  if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
    debug2_f("couldn't parse address %.100s", addr);
    return 0;
  }
  if ((o = list = strdup(_list)) == NULL)
    return -1;
  while ((cp = strsep(&list, ",")) != NULL) {
    neg = *cp == '!';
    if (neg)
      cp++;
    if (*cp == '\0') {
      ret = -2;
      break;
    }
    /* Prefer CIDR address matching */
    r = addr_pton_cidr(cp, &match_addr, &masklen);
    if (r == -2) {
      debug2_f("inconsistent mask length for "
          "match network \"%.100s\"", cp);
      ret = -2;
      break;
    } else if (r == 0) {
      if (addr != NULL && addr_netmatch(&try_addr,
          &match_addr, masklen) == 0) {
 foundit:
        if (neg) {
          ret = -1;
          break;
        }
        ret = 1;
      }
      continue;
    } else {
      /* If CIDR parse failed, try wildcard string match */
      if (addr != NULL && match_pattern(addr, cp) == 1)
        goto foundit;
    }
  }
  free(o);

  return ret;
}

/*
 * Match "addr" against list CIDR list "_list". Lexical wildcards and
 * negation are not supported. If "addr" == NULL, will verify structure
 * of "_list".
 *
 * Returns 1 on match found (never returned when addr == NULL).
 * Returns 0 on if no match found, or no errors found when addr == NULL.
 * Returns -1 on error
 */
int
addr_match_cidr_list(const char *addr, const char *_list)
{
  char *list, *cp, *o;
  struct xaddr try_addr, match_addr;
  u_int masklen;
  int ret = 0, r;

  if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
    debug2_f("couldn't parse address %.100s", addr);
    return 0;
  }
  if ((o = list = strdup(_list)) == NULL)
    return -1;
  while ((cp = strsep(&list, ",")) != NULL) {
    if (*cp == '\0') {
      error_f("empty entry in list \"%.100s\"", o);
      ret = -1;
      break;
    }

    /*
     * NB. This function is called in pre-auth with untrusted data,
     * so be extra paranoid about junk reaching getaddrinfo (via
     * addr_pton_cidr).
     */

    /* Stop junk from reaching getaddrinfo. +3 is for masklen */
    if (strlen(cp) > INET6_ADDRSTRLEN + 3) {
      error_f("list entry \"%.100s\" too long", cp);
      ret = -1;
      break;
    }
#define VALID_CIDR_CHARS "0123456789abcdefABCDEF.:/"
    if (strspn(cp, VALID_CIDR_CHARS) != strlen(cp)) {
      error_f("list entry \"%.100s\" contains invalid "
          "characters", cp);
      ret = -1;
    }

    /* Prefer CIDR address matching */
    r = addr_pton_cidr(cp, &match_addr, &masklen);
    if (r == -1) {
      error("Invalid network entry \"%.100s\"", cp);
      ret = -1;
      break;
    } else if (r == -2) {
      error("Inconsistent mask length for "
          "network \"%.100s\"", cp);
      ret = -1;
      break;
    } else if (r == 0 && addr != NULL) {
      if (addr_netmatch(&try_addr, &match_addr,
          masklen) == 0)
        ret = 1;
      continue;
    }
  }
  free(o);

  return ret;
}

Coverage Report

Created: 2026-02-26 06:46

Line	Count	Source
1		/* $OpenBSD: addrmatch.c,v 1.19 2026/02/14 00:18:34 jsg Exp $ */
2
3		/*
4		* Copyright (c) 2004-2008 Damien Miller <djm@mindrot.org>
5		*
6		* Permission to use, copy, modify, and distribute this software for any
7		* purpose with or without fee is hereby granted, provided that the above
8		* copyright notice and this permission notice appear in all copies.
9		*
10		* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11		* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12		* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13		* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14		* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15		* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16		* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17		*/
18
19		#include "includes.h"
20
21		#include <sys/types.h>
22		#include <netinet/in.h>
23
24		#include <string.h>
25		#include <stdlib.h>
26		#include <stdio.h>
27		#include <stdarg.h>
28
29		#include "addr.h"
30		#include "match.h"
31		#include "log.h"
32
33		/*
34		* Match "addr" against list pattern list "_list", which may contain a
35		* mix of CIDR addresses and old-school wildcards.
36		*
37		* If addr is NULL, then no matching is performed, but _list is parsed
38		* and checked for well-formedness.
39		*
40		* Returns 1 on match found (never returned when addr == NULL).
41		* Returns 0 on if no match found, or no errors found when addr == NULL.
42		* Returns -1 on negated match found (never returned when addr == NULL).
43		* Returns -2 on invalid list entry.
44		*/
45		int
46		addr_match_list(const char addr, const char _list)
47	0	{
48	0	char list, cp, *o;
49	0	struct xaddr try_addr, match_addr;
50	0	u_int masklen, neg;
51	0	int ret = 0, r;
52
53	0	if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
54	0	debug2_f("couldn't parse address %.100s", addr);
55	0	return 0;
56	0	}
57	0	if ((o = list = strdup(_list)) == NULL)
58	0	return -1;
59	0	while ((cp = strsep(&list, ",")) != NULL) {
60	0	neg = *cp == '!';
61	0	if (neg)
62	0	cp++;
63	0	if (*cp == '\0') {
64	0	ret = -2;
65	0	break;
66	0	}
67		/* Prefer CIDR address matching */
68	0	r = addr_pton_cidr(cp, &match_addr, &masklen);
69	0	if (r == -2) {
70	0	debug2_f("inconsistent mask length for "
71	0	"match network \"%.100s\"", cp);
72	0	ret = -2;
73	0	break;
74	0	} else if (r == 0) {
75	0	if (addr != NULL && addr_netmatch(&try_addr,
76	0	&match_addr, masklen) == 0) {
77	0	foundit:
78	0	if (neg) {
79	0	ret = -1;
80	0	break;
81	0	}
82	0	ret = 1;
83	0	}
84	0	continue;
85	0	} else {
86		/* If CIDR parse failed, try wildcard string match */
87	0	if (addr != NULL && match_pattern(addr, cp) == 1)
88	0	goto foundit;
89	0	}
90	0	}
91	0	free(o);
92
93	0	return ret;
94	0	}
95
96		/*
97		* Match "addr" against list CIDR list "_list". Lexical wildcards and
98		* negation are not supported. If "addr" == NULL, will verify structure
99		* of "_list".
100		*
101		* Returns 1 on match found (never returned when addr == NULL).
102		* Returns 0 on if no match found, or no errors found when addr == NULL.
103		* Returns -1 on error
104		*/
105		int
106		addr_match_cidr_list(const char addr, const char _list)
107	0	{
108	0	char list, cp, *o;
109	0	struct xaddr try_addr, match_addr;
110	0	u_int masklen;
111	0	int ret = 0, r;
112
113	0	if (addr != NULL && addr_pton(addr, &try_addr) != 0) {
114	0	debug2_f("couldn't parse address %.100s", addr);
115	0	return 0;
116	0	}
117	0	if ((o = list = strdup(_list)) == NULL)
118	0	return -1;
119	0	while ((cp = strsep(&list, ",")) != NULL) {
120	0	if (*cp == '\0') {
121	0	error_f("empty entry in list \"%.100s\"", o);
122	0	ret = -1;
123	0	break;
124	0	}
125
126		/*
127		* NB. This function is called in pre-auth with untrusted data,
128		* so be extra paranoid about junk reaching getaddrinfo (via
129		* addr_pton_cidr).
130		*/
131
132		/* Stop junk from reaching getaddrinfo. +3 is for masklen */
133	0	if (strlen(cp) > INET6_ADDRSTRLEN + 3) {
134	0	error_f("list entry \"%.100s\" too long", cp);
135	0	ret = -1;
136	0	break;
137	0	}
138	0	#define VALID_CIDR_CHARS "0123456789abcdefABCDEF.:/"
139	0	if (strspn(cp, VALID_CIDR_CHARS) != strlen(cp)) {
140	0	error_f("list entry \"%.100s\" contains invalid "
141	0	"characters", cp);
142	0	ret = -1;
143	0	}
144
145		/* Prefer CIDR address matching */
146	0	r = addr_pton_cidr(cp, &match_addr, &masklen);
147	0	if (r == -1) {
148	0	error("Invalid network entry \"%.100s\"", cp);
149	0	ret = -1;
150	0	break;
151	0	} else if (r == -2) {
152	0	error("Inconsistent mask length for "
153	0	"network \"%.100s\"", cp);
154	0	ret = -1;
155	0	break;
156	0	} else if (r == 0 && addr != NULL) {
157	0	if (addr_netmatch(&try_addr, &match_addr,
158	0	masklen) == 0)
159	0	ret = 1;
160	0	continue;
161	0	}
162	0	}
163	0	free(o);
164
165	0	return ret;
166	0	}