From 18202a0f73ef8f32cc8cbf9c86a761740f2bbfb1 Mon Sep 17 00:00:00 2001 From: Bram Matthys Date: Thu, 10 Aug 2017 08:30:54 +0200 Subject: [PATCH] Fix "ban too broad" checking. Reported by Gottem in #4961. * The 'ban too broad' checking was broken. This permitted glines such as 192.168.0.0/1 being set. Now it rejects CIDR of /15 and lower. To disable this safety measure you can (still) use: set { options { allow-insane-bans; }; }; --- doc/RELEASE-NOTES | 4 ++++ src/modules/m_tkl.c | 24 ++++++++++++++---------- 2 files changed, 18 insertions(+), 10 deletions(-) diff --git a/doc/RELEASE-NOTES b/doc/RELEASE-NOTES index b6818494a..d5efcdab1 100644 --- a/doc/RELEASE-NOTES +++ b/doc/RELEASE-NOTES @@ -18,6 +18,10 @@ Major issues fixed: Minor issues fixed: * Prevent /OPER for oper blocks with non-existant operclass * Bump MAXCONNECTIONS for Windows, allowing you to hold more clients. +* The 'ban too broad' checking was broken. This permitted glines such + as 192.168.0.0/1 being set. Now it rejects CIDR of /15 and lower. + To disable this safety measure you can (still) use: + set { options { allow-insane-bans; }; }; Other changes: * The websocket module now no longer sends \r\n in the websocket diff --git a/src/modules/m_tkl.c b/src/modules/m_tkl.c index 6d2e14653..936bc0d33 100644 --- a/src/modules/m_tkl.c +++ b/src/modules/m_tkl.c @@ -379,15 +379,8 @@ int ban_too_broad(char *usermask, char *hostmask) /* Allow things like clone@*, dsfsf@*, etc.. */ if (!strchr(usermask, '*') && !strchr(usermask, '?')) return 0; - - /* STEP 1: Must at least contain 4 non-wildcard/non-dot characters */ - for (p = hostmask; *p; p++) - if (*p != '*' && *p != '.' && *p != '?') - cnt++; - - if (cnt >= 4) - return 0; + /* If it's a CIDR, then check /mask first.. */ p = strchr(hostmask, '/'); if (p) { @@ -395,13 +388,24 @@ int ban_too_broad(char *usermask, char *hostmask) if (strchr(hostmask, ':')) { if (cidrlen < 48) - return 0; /* too broad IPv6 CIDR mask */ + return 1; /* too broad IPv6 CIDR mask */ } else { if (cidrlen < 16) - return 0; /* too broad IPv4 CIDR mask */ + return 1; /* too broad IPv4 CIDR mask */ } } + /* Must at least contain 4 non-wildcard/non-dot characters. + * This will deal with non-CIDR and hosts, but any correct + * CIDR mask will also pass this test (which is fine). + */ + for (p = hostmask; *p; p++) + if (*p != '*' && *p != '.' && *p != '?') + cnt++; + + if (cnt >= 4) + return 0; + return 1; }