Centralise banmask matching logic

This commit is contained in:
Ed Kellett 2020-04-12 02:07:17 +01:00
parent baef55657e
commit a7d4a0ab81
No known key found for this signature in database
GPG key ID: CB9986DEF342FABC
7 changed files with 116 additions and 133 deletions


@ -61,7 +61,7 @@ static int eb_canjoin(const char *data, struct Client *client_p,
return EXTBAN_INVALID; return EXTBAN_INVALID;
#endif #endif
recurse = 1; recurse = 1;
ret = is_banned(chptr2, client_p, NULL, NULL, NULL, NULL) == CHFL_BAN ? EXTBAN_MATCH : EXTBAN_NOMATCH; ret = is_banned(chptr2, client_p, NULL, NULL, NULL) == CHFL_BAN ? EXTBAN_MATCH : EXTBAN_NOMATCH;
recurse = 0; recurse = 0;
return ret; return ret;
} }


@ -32,36 +32,5 @@ _moddeinit(void)
static int static int
eb_hostmask(const char *banstr, struct Client *client_p, struct Channel *chptr, long mode_type) eb_hostmask(const char *banstr, struct Client *client_p, struct Channel *chptr, long mode_type)
{ {
char src_host[NAMELEN + USERLEN + HOSTLEN + 6]; return client_matches_mask(client_p, banstr) ? EXTBAN_MATCH : EXTBAN_NOMATCH;
char src_iphost[NAMELEN + USERLEN + HOSTLEN + 6];
char src_althost[NAMELEN + USERLEN + HOSTLEN + 6];
char src_ip4host[NAMELEN + USERLEN + HOSTLEN + 6];
struct sockaddr_in ip4;
char *s = src_host, *s2 = src_iphost, *s3 = NULL, *s4 = NULL;
sprintf(src_host, "%s!%s@%s", client_p->name, client_p->username, client_p->host);
sprintf(src_iphost, "%s!%s@%s", client_p->name, client_p->username, client_p->sockhost);
/* handle hostmangling if necessary */
if (client_p->localClient->mangledhost != NULL)
{
if (!strcmp(client_p->host, client_p->localClient->mangledhost))
sprintf(src_althost, "%s!%s@%s", client_p->name, client_p->username, client_p->orighost);
else if (!IsDynSpoof(client_p))
sprintf(src_althost, "%s!%s@%s", client_p->name, client_p->username, client_p->localClient->mangledhost);
s3 = src_althost;
}
/* handle Teredo if necessary */
if (GET_SS_FAMILY(&client_p->localClient->ip) == AF_INET6 && rb_ipv4_from_ipv6((const struct sockaddr_in6 *) &client_p->localClient->ip, &ip4))
{
sprintf(src_ip4host, "%s!%s@", client_p->name, client_p->username);
s4 = src_ip4host + strlen(src_ip4host);
rb_inet_ntop_sock((struct sockaddr *)&ip4,
s4, src_ip4host + sizeof src_ip4host - s4);
s4 = src_ip4host;
}
return match(banstr, s) || match(banstr, s2) || (s3 != NULL && match(banstr, s3)) || (s4 != NULL && match(banstr, s4)) ? EXTBAN_MATCH : EXTBAN_NOMATCH;
} }
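Review bot: The rewritten eb_hostmask changes matching semantics, not only its structure: the old body applied `match()` alone to the four host forms, whereas `matches_mask()` (see the new helper in match.c) additionally runs `match_cidr()` against the IP forms, so a CIDR-shaped hostmask extban now matches where it previously did not. If that widening is intended it deserves a line in the commit message or a comment above the return, e.g. `/* also CIDR-matches the IP forms, unlike the pre-matchset code */`. Note also that the replacement drops the old s3 handling where `s3 = src_althost` was assigned even when neither sprintf ran (the IsDynSpoof case), leaving src_althost uninitialised; the helper's empty-slot sentinel avoids that, which is worth recording as a fix rather than a pure refactor.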


@ -215,10 +215,12 @@ extern int can_send(struct Channel *chptr, struct Client *who,
struct membership *); struct membership *);
extern bool flood_attack_channel(int p_or_n, struct Client *source_p, extern bool flood_attack_channel(int p_or_n, struct Client *source_p,
struct Channel *chptr, char *chname); struct Channel *chptr, char *chname);
struct matchset;
extern int is_banned(struct Channel *chptr, struct Client *who, extern int is_banned(struct Channel *chptr, struct Client *who,
struct membership *msptr, const char *, const char *, const char **); struct membership *msptr, const struct matchset *ms,
const char **);
extern int is_quieted(struct Channel *chptr, struct Client *who, extern int is_quieted(struct Channel *chptr, struct Client *who,
struct membership *msptr, const char *, const char *); struct membership *msptr, const struct matchset *ms);
extern int can_join(struct Client *source_p, struct Channel *chptr, extern int can_join(struct Client *source_p, struct Channel *chptr,
const char *key, const char **forward); const char *key, const char **forward);


@ -59,6 +59,17 @@ int comp_with_mask_sock(struct sockaddr *addr, struct sockaddr *dest, unsigned i
extern char *collapse(char *pattern); extern char *collapse(char *pattern);
extern char *collapse_esc(char *pattern); extern char *collapse_esc(char *pattern);
struct matchset {
char host[2][NAMELEN + USERLEN + HOSTLEN + 6];
char ip[2][NAMELEN + USERLEN + HOSTIPLEN + 6];
};
struct Client;
void matchset_for_client(struct Client *who, struct matchset *m);
bool client_matches_mask(struct Client *who, const char *mask);
bool matches_mask(const struct matchset *m, const char *mask);
/* /*
* irccmp - case insensitive comparison of s1 and s2 * irccmp - case insensitive comparison of s1 and s2
*/ */
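Review bot: The new `struct matchset` is undocumented, and its correctness depends on two conventions that only matchset_for_client and matches_mask know: an unused slot is marked by a leading NUL byte, and the fixed sizes of `host[2]` and `ip[2]` are hard upper bounds on how many forms the builder may fill. A short comment above the struct should state both, e.g. `/* host forms (real/mangled) and IP forms (sockhost/Teredo IPv4); an empty string marks an unused slot, matching stops at the first one */`, and the three prototypes should say who owns the buffer and that `client_matches_mask` only makes sense for local clients, since the builder reads `who->localClient`. The `bool` return type also requires `<stdbool.h>` to be visible wherever this header is included; confirm the header already pulls it in.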


@ -537,84 +537,41 @@ del_invite(struct Channel *chptr, struct Client *who)
static int static int
is_banned_list(struct Channel *chptr, rb_dlink_list *list, is_banned_list(struct Channel *chptr, rb_dlink_list *list,
struct Client *who, struct membership *msptr, struct Client *who, struct membership *msptr,
const char *s, const char *s2, const char **forward) const struct matchset *ms, const char **forward)
{ {
char src_host[NAMELEN + USERLEN + HOSTLEN + 6]; struct matchset ms_;
char src_iphost[NAMELEN + USERLEN + HOSTLEN + 6];
char src_althost[NAMELEN + USERLEN + HOSTLEN + 6];
char src_ip4host[NAMELEN + USERLEN + HOSTLEN + 6];
char *s3 = NULL;
char *s4 = NULL;
struct sockaddr_in ip4;
rb_dlink_node *ptr; rb_dlink_node *ptr;
struct Ban *actualBan = NULL; struct Ban *actualBan = NULL;
struct Ban *actualExcept = NULL; struct Ban *actualExcept = NULL;
if(!MyClient(who)) if (!MyClient(who))
return 0; return 0;
/* if the buffers havent been built, do it here */ if (ms == NULL)
if(s == NULL)
{ {
sprintf(src_host, "%s!%s@%s", who->name, who->username, who->host); matchset_for_client(who, &ms_);
sprintf(src_iphost, "%s!%s@%s", who->name, who->username, who->sockhost); ms = &ms_;
s = src_host;
s2 = src_iphost;
}
if(who->localClient->mangledhost != NULL)
{
/* if host mangling mode enabled, also check their real host */
if(!strcmp(who->host, who->localClient->mangledhost))
{
sprintf(src_althost, "%s!%s@%s", who->name, who->username, who->orighost);
s3 = src_althost;
}
/* if host mangling mode not enabled and no other spoof,
* also check the mangled form of their host */
else if (!IsDynSpoof(who))
{
sprintf(src_althost, "%s!%s@%s", who->name, who->username, who->localClient->mangledhost);
s3 = src_althost;
}
}
if(GET_SS_FAMILY(&who->localClient->ip) == AF_INET6 &&
rb_ipv4_from_ipv6((const struct sockaddr_in6 *)&who->localClient->ip, &ip4))
{
sprintf(src_ip4host, "%s!%s@", who->name, who->username);
s4 = src_ip4host + strlen(src_ip4host);
rb_inet_ntop_sock((struct sockaddr *)&ip4,
s4, src_ip4host + sizeof src_ip4host - s4);
s4 = src_ip4host;
} }
RB_DLINK_FOREACH(ptr, list->head) RB_DLINK_FOREACH(ptr, list->head)
{ {
actualBan = ptr->data; actualBan = ptr->data;
if(match(actualBan->banstr, s) || if (matches_mask(ms, actualBan->banstr))
match(actualBan->banstr, s2) || break;
match_cidr(actualBan->banstr, s2) || if (match_extban(actualBan->banstr, who, chptr, CHFL_BAN))
match_extban(actualBan->banstr, who, chptr, CHFL_BAN) ||
(s3 != NULL && match(actualBan->banstr, s3)) ||
(s4 != NULL && (match(actualBan->banstr, s4) || match_cidr(actualBan->banstr, s4)))
)
break; break;
else
actualBan = NULL; actualBan = NULL;
} }
if((actualBan != NULL) && ConfigChannel.use_except) if ((actualBan != NULL) && ConfigChannel.use_except)
{ {
RB_DLINK_FOREACH(ptr, chptr->exceptlist.head) RB_DLINK_FOREACH(ptr, chptr->exceptlist.head)
{ {
actualExcept = ptr->data; actualExcept = ptr->data;
/* theyre exempted.. */ /* theyre exempted.. */
if(match(actualExcept->banstr, s) || if (matches_mask(ms, actualExcept->banstr) ||
match(actualExcept->banstr, s2) || match_extban(actualExcept->banstr, who, chptr, CHFL_BAN))
match_cidr(actualExcept->banstr, s2) ||
match_extban(actualExcept->banstr, who, chptr, CHFL_EXCEPTION) ||
(s3 != NULL && match(actualExcept->banstr, s3)))
{ {
/* cache the fact theyre not banned */ /* cache the fact theyre not banned */
if(msptr != NULL) if(msptr != NULL)
@ -660,7 +617,7 @@ is_banned_list(struct Channel *chptr, rb_dlink_list *list,
*/ */
int int
is_banned(struct Channel *chptr, struct Client *who, struct membership *msptr, is_banned(struct Channel *chptr, struct Client *who, struct membership *msptr,
const char *s, const char *s2, const char **forward) const struct matchset *ms, const char **forward)
{ {
#if 0 #if 0
if (chptr->last_checked_client != NULL && if (chptr->last_checked_client != NULL &&
@ -676,7 +633,7 @@ is_banned(struct Channel *chptr, struct Client *who, struct membership *msptr,
return chptr->last_checked_result; return chptr->last_checked_result;
#else #else
return is_banned_list(chptr, &chptr->banlist, who, msptr, s, s2, forward); return is_banned_list(chptr, &chptr->banlist, who, msptr, ms, forward);
#endif #endif
} }
@ -689,7 +646,7 @@ is_banned(struct Channel *chptr, struct Client *who, struct membership *msptr,
*/ */
int int
is_quieted(struct Channel *chptr, struct Client *who, struct membership *msptr, is_quieted(struct Channel *chptr, struct Client *who, struct membership *msptr,
const char *s, const char *s2) const struct matchset *ms)
{ {
#if 0 #if 0
if (chptr->last_checked_client != NULL && if (chptr->last_checked_client != NULL &&
@ -705,7 +662,7 @@ is_quieted(struct Channel *chptr, struct Client *who, struct membership *msptr,
return chptr->last_checked_result; return chptr->last_checked_result;
#else #else
return is_banned_list(chptr, &chptr->quietlist, who, msptr, s, s2, NULL); return is_banned_list(chptr, &chptr->quietlist, who, msptr, ms, NULL);
#endif #endif
} }
@ -722,10 +679,7 @@ can_join(struct Client *source_p, struct Channel *chptr, const char *key, const
rb_dlink_node *invite = NULL; rb_dlink_node *invite = NULL;
rb_dlink_node *ptr; rb_dlink_node *ptr;
struct Ban *invex = NULL; struct Ban *invex = NULL;
char src_host[NAMELEN + USERLEN + HOSTLEN + 6]; struct matchset ms;
char src_iphost[NAMELEN + USERLEN + HOSTLEN + 6];
char src_althost[NAMELEN + USERLEN + HOSTLEN + 6];
int use_althost = 0;
int i = 0; int i = 0;
hook_data_channel moduledata; hook_data_channel moduledata;
@ -735,26 +689,9 @@ can_join(struct Client *source_p, struct Channel *chptr, const char *key, const
moduledata.chptr = chptr; moduledata.chptr = chptr;
moduledata.approved = 0; moduledata.approved = 0;
sprintf(src_host, "%s!%s@%s", source_p->name, source_p->username, source_p->host); matchset_for_client(source_p, &ms);
sprintf(src_iphost, "%s!%s@%s", source_p->name, source_p->username, source_p->sockhost);
if(source_p->localClient->mangledhost != NULL)
{
/* if host mangling mode enabled, also check their real host */
if(!strcmp(source_p->host, source_p->localClient->mangledhost))
{
sprintf(src_althost, "%s!%s@%s", source_p->name, source_p->username, source_p->orighost);
use_althost = 1;
}
/* if host mangling mode not enabled and no other spoof,
* also check the mangled form of their host */
else if (!IsDynSpoof(source_p))
{
sprintf(src_althost, "%s!%s@%s", source_p->name, source_p->username, source_p->localClient->mangledhost);
use_althost = 1;
}
}
if((is_banned(chptr, source_p, NULL, src_host, src_iphost, forward)) == CHFL_BAN) if((is_banned(chptr, source_p, NULL, &ms, forward)) == CHFL_BAN)
{ {
moduledata.approved = ERR_BANNEDFROMCHAN; moduledata.approved = ERR_BANNEDFROMCHAN;
goto finish_join_check; goto finish_join_check;
@ -784,11 +721,8 @@ can_join(struct Client *source_p, struct Channel *chptr, const char *key, const
RB_DLINK_FOREACH(ptr, chptr->invexlist.head) RB_DLINK_FOREACH(ptr, chptr->invexlist.head)
{ {
invex = ptr->data; invex = ptr->data;
if(match(invex->banstr, src_host) if (matches_mask(&ms, invex->banstr) ||
|| match(invex->banstr, src_iphost) match_extban(invex->banstr, source_p, chptr, CHFL_INVEX))
|| match_cidr(invex->banstr, src_iphost)
|| match_extban(invex->banstr, source_p, chptr, CHFL_INVEX)
|| (use_althost && match(invex->banstr, src_althost)))
break; break;
} }
if(ptr == NULL) if(ptr == NULL)
@ -879,8 +813,8 @@ can_send(struct Channel *chptr, struct Client *source_p, struct membership *mspt
if(can_send_banned(msptr)) if(can_send_banned(msptr))
moduledata.approved = CAN_SEND_NO; moduledata.approved = CAN_SEND_NO;
} }
else if(is_banned(chptr, source_p, msptr, NULL, NULL, NULL) == CHFL_BAN else if(is_banned(chptr, source_p, msptr, NULL, NULL) == CHFL_BAN
|| is_quieted(chptr, source_p, msptr, NULL, NULL) == CHFL_BAN) || is_quieted(chptr, source_p, msptr, NULL) == CHFL_BAN)
moduledata.approved = CAN_SEND_NO; moduledata.approved = CAN_SEND_NO;
} }
@ -964,14 +898,12 @@ find_bannickchange_channel(struct Client *client_p)
struct Channel *chptr; struct Channel *chptr;
struct membership *msptr; struct membership *msptr;
rb_dlink_node *ptr; rb_dlink_node *ptr;
char src_host[NAMELEN + USERLEN + HOSTLEN + 6]; struct matchset ms;
char src_iphost[NAMELEN + USERLEN + HOSTLEN + 6];
if (!MyClient(client_p)) if (!MyClient(client_p))
return NULL; return NULL;
sprintf(src_host, "%s!%s@%s", client_p->name, client_p->username, client_p->host); matchset_for_client(client_p, &ms);
sprintf(src_iphost, "%s!%s@%s", client_p->name, client_p->username, client_p->sockhost);
RB_DLINK_FOREACH(ptr, client_p->user->channel.head) RB_DLINK_FOREACH(ptr, client_p->user->channel.head)
{ {
@ -985,8 +917,8 @@ find_bannickchange_channel(struct Client *client_p)
if (can_send_banned(msptr)) if (can_send_banned(msptr))
return chptr; return chptr;
} }
else if (is_banned(chptr, client_p, msptr, src_host, src_iphost, NULL) == CHFL_BAN else if (is_banned(chptr, client_p, msptr, &ms, NULL) == CHFL_BAN
|| is_quieted(chptr, client_p, msptr, src_host, src_iphost) == CHFL_BAN) || is_quieted(chptr, client_p, msptr, &ms) == CHFL_BAN)
return chptr; return chptr;
} }
return NULL; return NULL;
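Review bot: The exception-list check in is_banned_list now calls `match_extban(actualExcept->banstr, who, chptr, CHFL_BAN)`, whereas the removed code passed `CHFL_EXCEPTION`; that changes the mode_type extban modules see when evaluating a +e entry, which some modules use to decide whether the extban is valid for that list, and the commit title does not describe it. Unless the change is deliberate the line should read `match_extban(actualExcept->banstr, who, chptr, CHFL_EXCEPTION))`. Separately, the except loop now also consults the Teredo IPv4 form via matches_mask (the old code matched only s, s2 and s3 there), which is a quiet widening worth a comment such as `/* exceptions now use the same four forms as bans, including the IPv4-from-IPv6 address */`. The body of is_banned_list continues past the hunk, so I could not check whether the match result is cached consistently after this change.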


@ -586,6 +586,75 @@ int ircncmp(const char *s1, const char *s2, int n)
return (res); return (res);
} }
void matchset_for_client(struct Client *who, struct matchset *m)
{
unsigned hostn = 0;
unsigned ipn = 0;
struct sockaddr_in ip4;
sprintf(m->host[hostn++], "%s!%s@%s", who->name, who->username, who->host);
sprintf(m->ip[ipn++], "%s!%s@%s", who->name, who->username, who->sockhost);
if (who->localClient->mangledhost != NULL)
{
/* if host mangling mode enabled, also check their real host */
if (!strcmp(who->host, who->localClient->mangledhost))
{
sprintf(m->host[hostn++], "%s!%s@%s", who->name, who->username, who->orighost);
}
/* if host mangling mode not enabled and no other spoof,
* also check the mangled form of their host */
else if (!IsDynSpoof(who))
{
sprintf(m->host[hostn++], "%s!%s@%s", who->name, who->username, who->localClient->mangledhost);
}
}
if (GET_SS_FAMILY(&who->localClient->ip) == AF_INET6 &&
rb_ipv4_from_ipv6((const struct sockaddr_in6 *)&who->localClient->ip, &ip4))
{
int n = sprintf(m->ip[ipn++], "%s!%s@", who->name, who->username);
rb_inet_ntop_sock((struct sockaddr *)&ip4,
m->ip[ipn] + n, sizeof m->ip[ipn] - n);
}
for (int i = hostn; i < ARRAY_SIZE(m->host); i++)
{
m->host[i][0] = '\0';
}
for (int i = ipn; i < ARRAY_SIZE(m->ip); i++)
{
m->ip[i][0] = '\0';
}
}
bool client_matches_mask(struct Client *who, const char *mask)
{
static struct matchset ms;
matchset_for_client(who, &ms);
return matches_mask(&ms, mask);
}
bool matches_mask(const struct matchset *m, const char *mask)
{
for (int i = 0; i < ARRAY_SIZE(m->host); i++)
{
if (m->host[i][0] == '\0')
break;
if (match(mask, m->host[i]))
return true;
}
for (int i = 0; i < ARRAY_SIZE(m->ip); i++)
{
if (m->ip[i][0] == '\0')
break;
if (match(mask, m->ip[i]))
return true;
if (match_cidr(mask, m->ip[i]))
return true;
}
return false;
}
const unsigned char irctolower_tab[] = { const unsigned char irctolower_tab[] = {
0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa,
0xb, 0xc, 0xd, 0xe, 0xf, 0x10, 0x11, 0x12, 0x13, 0x14, 0xb, 0xc, 0xd, 0xe, 0xf, 0x10, 0x11, 0x12, 0x13, 0x14,
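Review bot: The Teredo branch in matchset_for_client writes out of bounds: `int n = sprintf(m->ip[ipn++], ...)` increments ipn before the following `rb_inet_ntop_sock((struct sockaddr *)&ip4, m->ip[ipn] + n, sizeof m->ip[ipn] - n)` uses it, so when ipn was 1 the address is written to `m->ip[2]`, past the end of the array, while slot 1 is left holding only "nick!user@". The fix is to increment after the write: `int n = sprintf(m->ip[ipn], "%s!%s@", who->name, who->username);` / `rb_inet_ntop_sock((struct sockaddr *)&ip4, m->ip[ipn] + n, sizeof m->ip[ipn] - n);` / `ipn++;` (the sprintf result should also be checked for a negative value before it is used as an offset). client_matches_mask keeps its matchset in a `static` local, which makes it non-reentrant; that is presumably fine in a single-threaded ircd but deserves a comment like `/* static to keep the buffers off the stack; not reentrant */`. The `int i < ARRAY_SIZE(...)` loops in both functions compare signed against size_t and should use `size_t i`.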


@ -130,8 +130,8 @@ m_knock(struct MsgBuf *msgbuf_p, struct Client *client_p, struct Client *source_
if(MyClient(source_p)) if(MyClient(source_p))
{ {
/* don't allow a knock if the user is banned */ /* don't allow a knock if the user is banned */
if(is_banned(chptr, source_p, NULL, NULL, NULL, NULL) == CHFL_BAN || if(is_banned(chptr, source_p, NULL, NULL, NULL) == CHFL_BAN ||
is_quieted(chptr, source_p, NULL, NULL, NULL) == CHFL_BAN) is_quieted(chptr, source_p, NULL, NULL) == CHFL_BAN)
{ {
sendto_one_numeric(source_p, ERR_CANNOTSENDTOCHAN, sendto_one_numeric(source_p, ERR_CANNOTSENDTOCHAN,
form_str(ERR_CANNOTSENDTOCHAN), name); form_str(ERR_CANNOTSENDTOCHAN), name);