From 714a097ba82ad53b90cfff921ea3749cd1130f3e Mon Sep 17 00:00:00 2001 From: Dumitru Ceara Date: Tue, 23 Jun 2020 10:17:50 +0200 Subject: [PATCH] lex: Allow unmasked bits in value/mask tokens. It's quite restrictive to not accept ACLs/policies that match on a CIDR that has non-zero host bits. Right now this generates a lexer error that can only be detected in the logs. There's no real harm in automatically zero-ing the unmasked bits. Reported-at: https://bugzilla.redhat.com/1812820 Reported-by: Ying Xu Signed-off-by: Dumitru Ceara Acked-by: Mark Michelson Signed-off-by: Numan Siddique (cherry picked from upstream commit 2104f67aacd62f62a31f4e23a6720aeeaa751154) Change-Id: I90c57fe51170d63fcd08d1a57d6d9555755a43be --- lib/lex.c | 10 ++-------- tests/ovn.at | 11 +++++++---- 2 files changed, 9 insertions(+), 12 deletions(-) diff --git a/lib/lex.c b/lib/lex.c index 94f6c77..4d92199 100644 --- a/lib/lex.c +++ b/lib/lex.c @@ -485,16 +485,10 @@ lex_parse_mask(const char *p, struct lex_token *token) return p; } - /* Check invariant that a 1-bit in the value corresponds to a 1-bit in the + /* Apply invariant that a 1-bit in the value corresponds to a 1-bit in the * mask. */ for (int i = 0; i < ARRAY_SIZE(token->mask.be32); i++) { - ovs_be32 v = token->value.be32[i]; - ovs_be32 m = token->mask.be32[i]; - - if (v & ~m) { - lex_error(token, "Value contains unmasked 1-bits."); - break; - } + token->value.be32[i] &= token->mask.be32[i]; } /* Done! */ diff --git a/tests/ovn.at b/tests/ovn.at index cf521af..e7e0439 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -79,7 +79,7 @@ a/b => a error("`/' is only valid as part of `//' or `/*'.") b 0/0 0/1 -1/0 => error("Value contains unmasked 1-bits.") +1/0 => 0/0 1/1 128/384 1/3 @@ -99,7 +99,7 @@ a/b => a error("`/' is only valid as part of `//' or `/*'.") b 0X => error("Hex digits expected following 0X.") 0x0/0x0 => 0/0 0x0/0x1 => 0/0x1 -0x1/0x0 => error("Value contains unmasked 1-bits.") +0x1/0x0 => 0/0 0xffff/0x1ffff 0x. => error("Invalid syntax in hexadecimal constant.") @@ -109,9 +109,12 @@ a/b => a error("`/' is only valid as part of `//' or `/*'.") b 192.168.0.0/255.255.0.0 => 192.168.0.0/16 192.168.0.0/255.255.255.0 => 192.168.0.0/24 192.168.0.0/255.255.0.255 -192.168.0.0/255.0.0.0 => error("Value contains unmasked 1-bits.") +192.168.0.0/255.0.0.0 => 192.0.0.0/8 192.168.0.0/32 192.168.0.0/255.255.255.255 => 192.168.0.0/32 +192.168.0.2/32 +192.168.0.2/30 => 192.168.0.0/30 +192.168.0.2/24 => 192.168.0.0/24 1.2.3.4:5 => 1.2.3.4 : 5 :: @@ -135,7 +138,7 @@ FE:DC:ba:98:76:54 => fe:dc:ba:98:76:54 01:00:00:00:00:00/01:00:00:00:00:00 ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff fe:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -ff:ff:ff:ff:ff:ff/fe:ff:ff:ff:ff:ff => error("Value contains unmasked 1-bits.") +ff:ff:ff:ff:ff:ff/fe:ff:ff:ff:ff:ff => fe:ff:ff:ff:ff:ff/fe:ff:ff:ff:ff:ff fe:x => error("Invalid numeric constant.") 00:01:02:03:04:x => error("Invalid numeric constant.") -- 1.8.3.1