
Tighten ROA parsing to prevent invalid CIDRs from breaking things.

Simon Marsh 3 weeks ago
parent
commit
547e7fdc04
WARNING! Although there is a key with this ID in the database it does not verify this commit! This commit is SUSPICIOUS. GPG Key ID: 30B29A716A54DBB3
1 changed files with 24 additions and 15 deletions
  1. +24
    -15
      roaapi.go

+ 24
- 15
roaapi.go View File

@@ -379,7 +379,7 @@ func (roa *ROA) CompileROA(registry *Registry,

// extract the prefix
prefix := rattribs[0].RawValue
_, pnet, err := net.ParseCIDR(prefix)
prefIP, prefNet, err := net.ParseCIDR(prefix)
if err != nil {
log.WithFields(log.Fields{
"object": object.Ref,
@@ -389,8 +389,16 @@ func (roa *ROA) CompileROA(registry *Registry,
continue
}

// check for CIDR errors
if !prefIP.Equal(prefNet.IP) {
log.WithFields(log.Fields{
"prefix": prefix,
}).Warn("Denied ROA: invalid CIDR")
continue
}

// match the prefix to the prefix filters
filter := roa.MatchFilter(pnet.IP)
filter := roa.MatchFilter(prefNet.IP)
if filter == nil {
continue
}
@@ -401,22 +409,12 @@ func (roa *ROA) CompileROA(registry *Registry,
"object": object.Ref,
"prefix": prefix,
"filter": filter.Prefix,
}).Warn("Denied ROA through filter rule")
}).Warn("Denied ROA: through filter rule")
continue
}

mlen := filter.MaxLen

// if the prefix is greater than the filter.MaxLen
// then don't emit an ROA route (making the route invalid)
if ones, _ := pnet.Mask.Size(); ones > int(mlen) {
log.WithFields(log.Fields{
"object": object.Ref,
"prefix": prefix,
"filter": filter.Prefix,
}).Debug("Defined ROA: Prefix > filter MaxLen")
continue
}
prefLen, _ := prefNet.Mask.Size()

// calculate the max-length for this object

@@ -442,6 +440,17 @@ func (roa *ROA) CompileROA(registry *Registry,
}
}

// if the prefix is greater than the max length
// then don't emit an ROA route (making the route invalid)
if prefLen > int(mlen) {
log.WithFields(log.Fields{
"object": object.Ref,
"prefix": prefix,
"maxlen": mlen,
}).Warn("Denied ROA: Prefix > filter MaxLen")
continue
}

// look up the origin key for this object
oattribs := originIX.Objects[object]
if oattribs == nil {
@@ -455,7 +464,7 @@ func (roa *ROA) CompileROA(registry *Registry,

// add the ROA
roalist = append(roalist, &PrefixROA{
Prefix: prefix,
Prefix: prefNet.String(),
MaxLen: mlen,
ASN: oattrib.RawValue,
})
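Review bot: The new "Denied ROA: invalid CIDR" warning (the `log.WithFields` at the top of the second hunk) is the only denial in this function that omits the registry object reference; every other Denied/Defined log in the visible hunks carries `"object": object.Ref`, and without it an operator cannot tell which object produced the rejected prefix. Adding `"object": object.Ref,` to that fields map keeps the audit trail consistent with the filter and MaxLen denials. The relocated MaxLen check in the fourth hunk now compares `prefLen` against `mlen` after the per-object max-length calculation (which lies between the hunks, outside this view), so if that calculation can change `mlen` away from `filter.MaxLen` the message `"Denied ROA: Prefix > filter MaxLen"` is no longer accurate and something like `"Denied ROA: Prefix > MaxLen"` would describe what is actually compared. CompileROA starts before the first hunk and continues past the last one.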

