Tighten ROA parsing to prevent invalid CIDRs from breaking things.
This commit is contained in:
parent
729540bd60
commit
547e7fdc04
39
roaapi.go
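--- a/roaapi.go
+++ b/roaapi.go
@@ -379,7 +379,7 @@ func (roa *ROA) CompileROA(registry *Registry,
 
 // extract the prefix
 prefix := rattribs[0].RawValue
-_, pnet, err := net.ParseCIDR(prefix)
+prefIP, prefNet, err := net.ParseCIDR(prefix)
 if err != nil {
 log.WithFields(log.Fields{
 "object": object.Ref,
@@ -389,8 +389,16 @@ func (roa *ROA) CompileROA(registry *Registry,
 continue
 }
 
+// check for CIDR errors
+if !prefIP.Equal(prefNet.IP) {
+log.WithFields(log.Fields{
+"prefix": prefix,
+}).Warn("Denied ROA: invalid CIDR")
+continue
+}
+
 // match the prefix to the prefix filters
-filter := roa.MatchFilter(pnet.IP)
+filter := roa.MatchFilter(prefNet.IP)
 if filter == nil {
 continue
 }
@@ -401,22 +409,12 @@ func (roa *ROA) CompileROA(registry *Registry,
 "object": object.Ref,
 "prefix": prefix,
 "filter": filter.Prefix,
-}).Warn("Denied ROA through filter rule")
+}).Warn("Denied ROA: through filter rule")
 continue
 }
 
 mlen := filter.MaxLen
-
-// if the prefix is greater than the filter.MaxLen
-// then don't emit an ROA route (making the route invalid)
-if ones, _ := pnet.Mask.Size(); ones > int(mlen) {
-log.WithFields(log.Fields{
-"object": object.Ref,
-"prefix": prefix,
-"filter": filter.Prefix,
-}).Debug("Defined ROA: Prefix > filter MaxLen")
-continue
-}
+prefLen, _ := prefNet.Mask.Size()
 
 // calculate the max-length for this object
 
@@ -442,6 +440,17 @@ func (roa *ROA) CompileROA(registry *Registry,
 }
 }
 
+// if the prefix is greater than the max length
+// then don't emit an ROA route (making the route invalid)
+if prefLen > int(mlen) {
+log.WithFields(log.Fields{
+"object": object.Ref,
+"prefix": prefix,
+"maxlen": mlen,
+}).Warn("Denied ROA: Prefix > filter MaxLen")
+continue
+}
+
 // look up the origin key for this object
 oattribs := originIX.Objects[object]
 if oattribs == nil {
@@ -455,7 +464,7 @@ func (roa *ROA) CompileROA(registry *Registry,
 
 // add the ROA
 roalist = append(roalist, &PrefixROA{
-Prefix: prefix,
+Prefix: prefNet.String(),
 MaxLen: mlen,
 ASN: oattrib.RawValue,
 })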
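Review bot: The new invalid-CIDR denial in the second hunk logs only `"prefix"`, while the sibling ParseCIDR failure and the later MaxLen denial both carry `"object": object.Ref`, so an operator triaging a denied ROA cannot tell which registry object supplied the non-canonical prefix; add `"object": object.Ref,` to that log.Fields ahead of `"prefix": prefix,`. The check itself is sound: net.IP.Equal treats an IPv4 address and its 16-byte IPv6 form as equal, so an IPv4 prefix from ParseCIDR still compares correctly against prefNet.IP. Separately, the relocated `prefLen > int(mlen)` check in the fourth hunk only bounds mlen from below; if the max-length calculation between the hunks does not clamp mlen to the address family's bit length (32 or 128), an oversized MaxLen would still pass here, which I cannot confirm from the visible lines. CompileROA starts and ends outside these hunks.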