author | Luca Boccassi <luca.boccassi@microsoft.com> | 2021-12-30 21:18:05 +0000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-12-30 21:18:05 +0000 |
commit | af73d8bd83147d64f4bc262bc9eeef64f7ff51ff (patch) | |
tree | f4396f779224915702c5b44d4bcaf707b60da746 | |
parent | 1e65eb8f9b7d567462030b2e625998d77677e636 (diff) | |
parent | 14b451f20aaffa25f7091a7f1240aa711459b13e (diff) | |
Merge pull request #21940 from yuwata/network-wireguard-mask-allowed-ips
network: wireguard: handle invalid AllowedIPs= gracefully
-rw-r--r-- | src/network/netdev/wireguard.c | 13 | ||||
-rw-r--r-- | test/test-network/conf/25-wireguard.netdev | 2 |
2 files changed, 13 insertions, 2 deletions
diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
index e5cfb35c95..af91dc6257 100644
--- a/src/network/netdev/wireguard.c
+++ b/src/network/netdev/wireguard.c
@@ -686,6 +686,7 @@ int config_parse_wireguard_allowed_ips(
 for (const char *p = rvalue;;) {
 _cleanup_free_ char *word = NULL;
+ union in_addr_union masked;
 r = extract_first_word(&p, &word, "," WHITESPACE, 0);
 if (r == 0)
@@ -705,13 +706,23 @@ int config_parse_wireguard_allowed_ips(
 continue;
 }
+ masked = addr;
+ assert_se(in_addr_mask(family, &masked, prefixlen) >= 0);
+ if (!in_addr_equal(family, &masked, &addr)) {
+ _cleanup_free_ char *buf = NULL;
+
+ (void) in_addr_prefix_to_string(family, &masked, prefixlen, &buf);
+ log_syntax(unit, LOG_WARNING, filename, line, 0,
+ "Specified address '%s' is not properly masked, assuming '%s'.", word, strna(buf));
+ }
+
 ipmask = new(WireguardIPmask, 1);
 if (!ipmask)
 return log_oom();
 *ipmask = (WireguardIPmask) {
 .family = family,
- .ip = addr,
+ .ip = masked,
 .cidr = prefixlen,
 };
diff --git a/test/test-network/conf/25-wireguard.netdev b/test/test-network/conf/25-wireguard.netdev
index 16f63d00bd..4fed38e57a 100644
--- a/test/test-network/conf/25-wireguard.netdev
+++ b/test/test-network/conf/25-wireguard.netdev
@@ -12,7 +12,7 @@ RouteMetric=456
 [WireGuardPeer]
 PublicKey=RDf+LSpeEre7YEIKaxg+wbpsNV7du+ktR99uBEtIiCA=
-AllowedIPs=fd31:bf08:57cb::/48,192.168.26.0/24
+AllowedIPs=fd31:bf08:57cb::/48,192.168.26.3/24
 #Endpoint=wireguard.example.com:51820
 Endpoint=192.168.27.3:51820
 PresharedKey=IIWIV17wutHv7t4cR6pOT91z6NSz/T8Arh0yaywhw3M= |
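Review bot: The `assert_se(in_addr_mask(family, &masked, prefixlen) >= 0);` added in the second wireguard.c hunk aborts the daemon if masking ever fails, and it runs on values taken from a configuration file; it is only safe because `family` and `prefixlen` are presumably validated by the parsing step above, which lies outside the hunk. A comment should pin that invariant so a later refactor of the parser does not turn a malformed AllowedIPs= entry into a crash, for example `/* family and prefixlen were validated when the word was parsed, so masking cannot fail here */`. It would also help to record why the entry is normalised rather than rejected: AllowedIPs= acts as the peer's source-address filter, so an entry such as `192.168.26.3/24` ends up admitting the whole /24, which is wider than a user who meant a single host may expect. The warning already prints the resulting prefix, so a short comment along the lines of `/* host bits are dropped: the peer is allowed the whole prefix, hence the warning */` is enough.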