From 7e2d9531a79d289ee99dd436da14efb6d9a505fc Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>

Date: Wed, 3 Jun 2020 14:42:11 +0200

Subject: [PATCH] Change the invalid CIDR from parser error to warning

In [RT #43367], the BIND 9 changed the strictness of address / prefix

length checks:

    Check prefixes in acls to make sure the address and

    prefix lengths are consistent.  Warn only in

    BIND 9.11 and earlier.

Unfortunately, a regression slipped in and the check was made an error

also in the BIND 9.11.  This commit fixes the regression, but turning

the error into a warning.

---

 bin/tests/system/checkconf/tests.sh                  |  9 +++++++++

 ...conf => warn-address-prefix-length-mismatch.conf} | 12 ++++++++++--

 lib/isccfg/parser.c                                  |  9 ---------

 util/copyrights                                      |  2 +-

 4 files changed, 20 insertions(+), 12 deletions(-)

 rename bin/tests/system/checkconf/{bad-ipv4-prefix-dotted2.conf => warn-address-prefix-length-mismatch.conf} (70%)

diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh

index 85fb4839e9..d2b0daa35c 100644

--- a/bin/tests/system/checkconf/tests.sh

+++ b/bin/tests/system/checkconf/tests.sh

@@ -386,6 +386,15 @@ grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1

 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi

 status=`expr $status + $ret`

+n=`expr $n + 1`

+echo_i "check that invalid address/prefix length generates a warning ($n)"

+ret=0

+$CHECKCONF warn-address-prefix-length-mismatch.conf > checkconf.out$n 2>/dev/null || ret=1

+LINES=$(grep -c "address/prefix length mismatch" < checkconf.out$n) || ret=1

+[ "$LINES" -eq 8 ] || ret=1

+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi

+status=`expr $status + $ret`

+

 n=`expr $n + 1`

 echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generates a warning ($n)"

 ret=0

diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf

similarity index 70%

rename from bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf

rename to bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf

index 2c768c7e1a..5e3bc3f6ee 100644

--- a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf

+++ b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf

@@ -9,6 +9,14 @@

  * information regarding copyright ownership.

  */

-acl myacl {

-	127.1/8; /* No-zero bits */

+zone example {

+	type master;

+	file "example.db";

+	auto-dnssec maintain;

+	allow-update {

+		192.0.2.64/24;

+		192.0.2.128/24;

+		198.51.100.255/24;

+		203.0.113.2/24;

+	};

 };

diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c

index e2af054661..44a1dfc37a 100644

--- a/lib/isccfg/parser.c

+++ b/lib/isccfg/parser.c

@@ -2634,15 +2634,6 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,

 					 "invalid prefix length");

 			return (ISC_R_RANGE);

 		}

-		result = isc_netaddr_prefixok(&netaddr, prefixlen);

-		if (result != ISC_R_SUCCESS) {

-			char buf[ISC_NETADDR_FORMATSIZE + 1];

-			isc_netaddr_format(&netaddr, buf, sizeof(buf));

-			cfg_parser_error(pctx, CFG_LOG_NOPREP,

-					 "'%s/%u': address/prefix length "

-					 "mismatch", buf, prefixlen);

-			return (ISC_R_FAILURE);

-		}

 	} else {

 		if (expectprefix) {

 			cfg_parser_error(pctx, CFG_LOG_NEAR,

-- 

GitLab