From: Andrew Yourtchenko
Date: Thu, 25 Mar 2021 15:34:33 +0000 (+0000)
Subject: acl: verify that src and dst have sane and same address family
X-Git-Tag: v23.06-rc0~138
X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=80c5fb76fc1ff23dada2d1d7a319b5896ea28456;hp=90943e5a049c18816a0da947a7366072e9a4a50a;p=vpp.git
acl: verify that src and dst have sane and same address family
API refactoring moved the address-family tag from rule level down to prefix level. This necessarily warrants the check that they are the same. Also, add a check that the address family is sane.
Change-Id: Ia63b688cc9e7c9e9cc773e89708d9e9f99185fb7
Type: fix
Signed-off-by: Andrew Yourtchenko
---
diff --git a/src/plugins/acl/acl.c b/src/plugins/acl/acl.c
index eb3815082f3..7e51247cadf 100644
--- a/src/plugins/acl/acl.c
+++ b/src/plugins/acl/acl.c
@@ -309,7 +309,9 @@ static int
 acl_api_invalid_prefix (const vl_api_prefix_t * prefix)
 {
 ip_prefix_t ip_prefix;
- return ip_prefix_decode2 (prefix, &ip_prefix);
+ int valid_af =
+ prefix->address.af == ADDRESS_IP4 || prefix->address.af == ADDRESS_IP6;
+ return (!valid_af) || ip_prefix_decode2 (prefix, &ip_prefix);
 }
 
 static int
@@ -338,6 +340,8 @@ acl_add_list (u32 count, vl_api_acl_rule_t rules[],
 return VNET_API_ERROR_INVALID_SRC_ADDRESS;
 if (acl_api_invalid_prefix (&rules[i].dst_prefix))
 return VNET_API_ERROR_INVALID_DST_ADDRESS;
+ if (rules[i].src_prefix.address.af != rules[i].dst_prefix.address.af)
+ return VNET_API_ERROR_INVALID_SRC_ADDRESS;
 if (ntohs (rules[i].srcport_or_icmptype_first) >
 ntohs (rules[i].srcport_or_icmptype_last))
 return VNET_API_ERROR_INVALID_VALUE_2;
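Review bot: The new return expression in acl_api_invalid_prefix collapses the result to 0 or 1, so whatever error code ip_prefix_decode2 returns is no longer passed through. The caller visible in the next hunk only tests truthiness, so nothing breaks there, but the contract should be written down with a header comment such as `/* Returns non-zero if the API prefix has an unknown address family or fails ip_prefix_decode2 */`. It would also help to state why the af test must run before the decode (presumably the decoder does not itself reject an out-of-range af; worth confirming), since this field comes straight from the API message.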
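Review bot: The added family-mismatch check in acl_add_list returns `VNET_API_ERROR_INVALID_SRC_ADDRESS`, which tells the API client that the source prefix is bad even though both prefixes have just passed validation individually and the fault lies in the pair. If the error table has a code for address-family problems it would be the better fit; otherwise a comment such as `/* src and dst must share one address family; no dedicated error code, reported as src */` keeps the next reader from treating it as a copy-paste slip. The diff shown touches only acl.c, so there appears to be no test that submits a rule with mixed IPv4/IPv6 prefixes or an out-of-range af, which is exactly the input this fix is meant to reject. The enclosing loop starts and ends outside the hunk.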