openvpn: validate IPv4 CIDR more strictly to prevent OpenVPN startup error; closes #1389

(cherry picked from commit c3e74008) (cherry picked from commit c35cfbce)

openvpn: validate IPv4 CIDR more strictly to prevent OpenVPN startup error; closes #1389
(cherry picked from commit c3e74008) (cherry picked from commit c35cfbce)
783c8403 · Franco Fichtner · 34c1037a · 783c8403
Commit 783c8403 authored Feb 15, 2017 by Franco Fichtner
Hide whitespace changes
Inline Side-by-side

Showing with 9 additions and 3 deletions

openvpn.inc src/etc/inc/openvpn.inc +9 -3

No files found.
--- a/src/etc/inc/openvpn.inc
+++ b/src/etc/inc/openvpn.inc
@@ -284,13 +284,19 @@ function openvpn_validate_cidr($value, $name, $multiple = false, $ipproto = "ipv
    }
 }
-function openvpn_validate_cidr_ipv4($value) {
+function openvpn_validate_cidr_ipv4($value)
+{
    $value = trim($value);
    if (!empty($value)) {
        list($ip, $mask) = explode('/', $value);
        if (!is_ipaddrv4($ip) or !is_numeric($mask) or ($mask > 32) or ($mask < 0)) {
            return false;
        }
+        /* IPv4 case is very strict, cannot be a host address */
+        $mask = (0xffffffff << (32 - $mask)) & 0xffffffff;
+        if ((ip2long($ip) & $mask) != ip2long($ip)) {
+            return false;
+        }
    }
    return true;
 }
@@ -301,7 +307,7 @@ function openvpn_validate_cidr_ipv6($value)
    if (!empty($value)) {
        list($ipv6, $prefix) = explode('/', $value);
        if (empty($prefix)) {
-            $prefix = "128";
+            $prefix = '128';
        }
        if (!is_ipaddrv6($ipv6) or !is_numeric($prefix) or ($prefix > 128) or ($prefix < 0)) {
            return false;
@@ -310,7 +316,7 @@ function openvpn_validate_cidr_ipv6($value)
    return true;
 }
-function openvpn_add_dhcpopts(& $settings, & $conf)
+function openvpn_add_dhcpopts(&$settings, &$conf)
 {
    if (!empty($settings['dns_domain'])) {
        $conf .= "push \"dhcp-option DOMAIN {$settings['dns_domain']}\"\n";