From 7e2d9531a79d289ee99dd436da14efb6d9a505fc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?= <ondrej@isc.org>
Date: Wed, 3 Jun 2020 14:42:11 +0200
Subject: [PATCH] Change the invalid CIDR from parser error to warning

In [RT #43367], the BIND 9 changed the strictness of address / prefix
length checks:

    Check prefixes in acls to make sure the address and
    prefix lengths are consistent.  Warn only in
    BIND 9.11 and earlier.

Unfortunately, a regression slipped in and the check was also made an error
in BIND 9.11.  This commit fixes the regression by turning the error into
a warning.
---
 bin/tests/system/checkconf/tests.sh                  |  9 +++++++++
 ...conf => warn-address-prefix-length-mismatch.conf} | 12 ++++++++++--
 lib/isccfg/parser.c                                  |  9 ---------
 util/copyrights                                      |  2 +-
 4 files changed, 20 insertions(+), 12 deletions(-)
 rename bin/tests/system/checkconf/{bad-ipv4-prefix-dotted2.conf => warn-address-prefix-length-mismatch.conf} (70%)

diff --git a/bin/tests/system/checkconf/tests.sh b/bin/tests/system/checkconf/tests.sh
index 85fb4839e9..d2b0daa35c 100644
--- a/bin/tests/system/checkconf/tests.sh
+++ b/bin/tests/system/checkconf/tests.sh
@@ -386,6 +386,15 @@ grep "dlv.isc.org has been shut down" < checkconf.out$n > /dev/null || ret=1
 if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
 status=`expr $status + $ret`
 
+n=`expr $n + 1`
+echo_i "check that invalid address/prefix length generates a warning ($n)"
+ret=0
+$CHECKCONF warn-address-prefix-length-mismatch.conf > checkconf.out$n 2>/dev/null || ret=1
+LINES=$(grep -c "address/prefix length mismatch" < checkconf.out$n) || ret=1
+[ "$LINES" -eq 8 ] || ret=1
+if [ $ret != 0 ]; then echo_i "failed"; ret=1; fi
+status=`expr $status + $ret`
+
 n=`expr $n + 1`
 echo_i "check that 'dnssec-lookaside . trust-anchor dlv.example.com;' doesn't generates a warning ($n)"
 ret=0
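Review bot: The expected count in `[ "$LINES" -eq 8 ] || ret=1` is unexplained, and the fixture lists only four mismatched prefixes, so a reader cannot tell whether eight is intended or incidental. A comment above it such as `# 4 mismatched prefixes in allow-update; each is apparently reported twice (confirm)` would make a later change in the count reviewable. `LINES` is also a name some shells set themselves for the terminal height, so a neutral name like `warnings=$(grep -c "address/prefix length mismatch" < checkconf.out$n) || ret=1` is safer. The matched message is produced by code outside this patch, since the parser.c hunk only deletes the error path, so this test is the only thing guarding that an access-control prefix with stray host bits is still reported.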
diff --git a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
similarity index 70%
rename from bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
rename to bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
index 2c768c7e1a..5e3bc3f6ee 100644
--- a/bin/tests/system/checkconf/bad-ipv4-prefix-dotted2.conf
+++ b/bin/tests/system/checkconf/warn-address-prefix-length-mismatch.conf
@@ -9,6 +9,14 @@
  * information regarding copyright ownership.
  */
 
-acl myacl {
-	127.1/8; /* No-zero bits */
+zone example {
+	type master;
+	file "example.db";
+	auto-dnssec maintain;
+	allow-update {
+		192.0.2.64/24;
+		192.0.2.128/24;
+		198.51.100.255/24;
+		203.0.113.2/24;
+	};
 };
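Review bot: The renamed fixture drops the original `acl myacl { 127.1/8; };` case, so the warn-only behaviour is now exercised only through `allow-update` inside a zone. The commit message describes the check as covering prefixes in acls, so a named `acl` block (and, if the warning path handles it, an IPv6 prefix with host bits set) should stay in this file with the expected count in tests.sh adjusted to match. A one-line comment in `allow-update` stating that every entry deliberately has non-zero host bits would also stop someone from "fixing" the addresses later.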
diff --git a/lib/isccfg/parser.c b/lib/isccfg/parser.c
index e2af054661..44a1dfc37a 100644
--- a/lib/isccfg/parser.c
+++ b/lib/isccfg/parser.c
@@ -2634,15 +2634,6 @@ cfg_parse_netprefix(cfg_parser_t *pctx, const cfg_type_t *type,
 					 "invalid prefix length");
 			return (ISC_R_RANGE);
 		}
-		result = isc_netaddr_prefixok(&netaddr, prefixlen);
-		if (result != ISC_R_SUCCESS) {
-			char buf[ISC_NETADDR_FORMATSIZE + 1];
-			isc_netaddr_format(&netaddr, buf, sizeof(buf));
-			cfg_parser_error(pctx, CFG_LOG_NOPREP,
-					 "'%s/%u': address/prefix length "
-					 "mismatch", buf, prefixlen);
-			return (ISC_R_FAILURE);
-		}
 	} else {
 		if (expectprefix) {
 			cfg_parser_error(pctx, CFG_LOG_NEAR,
-- 
GitLab