cf-serverd treats valid IPv6 address as hostname, violates rfc4291 and rfc5952

    Details

    • Type: Bug
    • Status: Unconfirmed
    • Priority: Medium
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Component/s: cf-serverd
    • Labels:
      None
    • Platform:
      RHEL or CentOS

      Description

      Example verbose output:

      verbose: admit_ips: 2610:8:7900:425::/64
      verbose: admit_ips: 2610:8:7900:4::/64
      verbose: admit_ips: 2610:8:7900:90::/64
      verbose: admit_ips: 2610:8:7900:c::/64
      verbose: admit_ips: 2610:8:7900:d::/64
      verbose: admit_ips: 2610:8:7900:e::1/64
      verbose: admit_hostnames: 2610:8:7800:1A::/64
      verbose: admit_hostnames: 2610:8:4000:7D::/64

      That prevents hosts on the last two subnets from connecting.

      I believe (though I haven't walked through the source code to verify) in IPV6_parser libutils/ip_address.c, line 433, we see this:

      if (is_hexdigit)
      {
          /*
           * RFC 5952 forbids upper case hex digits
           */
          if (is_upper_hexdigit)
          {
              state = 11;
              state_change = true;
          }
          else
          {
              sixteen = Char2Hex(sixteen, *p);
          }
      }

      In reading RFC 5952, though we see the statement "The characters "a", "b", "c", "d", "e", and "f" in an IPv6 address MUST be represented in lowercase." (4.3), in (4) we see "The recommendation in this section SHOULD be followed by systems when generating an address to be represented as text, but all implementations MUST accept and be able to handle any legitimate [RFC4291] format."

      Because of this, I believe cfengine is in violation of RFC4291 by failing to treat a valid IPv6 address as such.

      FWIW, this same ACL worked in cf-serverd 3.4.5.
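
      An added example, not part of the original report and not CFEngine code: one way to classify an ACL entry so that upper-case hex is accepted on input (RFC 4291) and lower-case text is produced on output (RFC 5952), using the POSIX inet_pton() and inet_ntop() calls. The function name acl_ipv6_canonical is hypothetical, and the sample entries are taken from the verbose output above plus a constructed hostname.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not CFEngine code. Returns lower-case "address/prefix"
 * text for a valid IPv6 address or subnet in any RFC 4291 spelling, or NULL so
 * the caller can treat the entry as a hostname. Static buffer: not thread-safe. */
const char *acl_ipv6_canonical(const char *entry)
{
    static char out[INET6_ADDRSTRLEN + 5];
    char addr[INET6_ADDRSTRLEN];
    struct in6_addr bin;
    long prefix = 128;                          /* bare address means one host */
    const char *slash = strchr(entry, '/');
    size_t alen = slash ? (size_t)(slash - entry) : strlen(entry);

    if (alen == 0 || alen >= sizeof(addr))
        return NULL;
    snprintf(addr, sizeof(addr), "%.*s", (int)alen, entry);
    if (slash != NULL)
    {
        char *end;
        if (!isdigit((unsigned char)slash[1]))  /* rejects "/", "/+64", "/ 64" */
            return NULL;
        prefix = strtol(slash + 1, &end, 10);
        if (*end != '\0' || prefix > 128)
            return NULL;
    }
    /* inet_pton() accepts hex digits in either case; inet_ntop() writes
     * lower-case hex, so the case rule is applied to output only. */
    if (inet_pton(AF_INET6, addr, &bin) != 1 ||
        inet_ntop(AF_INET6, &bin, addr, sizeof(addr)) == NULL)
        return NULL;
    snprintf(out, sizeof(out), "%s/%ld", addr, prefix);
    return out;
}

int main(void)
{
    /* Two entries from the report plus a constructed hostname. */
    const char *acl[] = { "2610:8:7900:c::/64", "2610:8:7800:1A::/64", "host.example.com" };
    for (size_t i = 0; i < sizeof(acl) / sizeof(acl[0]); i++)
    {
        const char *ip = acl_ipv6_canonical(acl[i]);
        printf("%-22s -> %s\n", acl[i], ip ? ip : "(hostname)");
    }
    return 0;
}
```

      Comparing ACL entries in this normalised form means two spellings of the same subnet end up in the same list and match the same peers.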

              People

              • Assignee: a10038 jimis (Dimitrios Apostolou)
              • Reporter: phalenor Andrew Cobaugh
              • Votes: 2
              • Watchers: 1