as,rsrv: use real client IP instead of untrusted host name

This commit is contained in:
Michael Davidsaver
2018-06-16 09:45:00 -07:00
parent 383b6b1c36
commit 530eba133f
6 changed files with 61 additions and 6 deletions


@@ -861,6 +861,14 @@ static int host_name_action ( caHdrLargeArray *mp, void *pPayload,
return RSRV_ERROR;
}
/* after all validation */
if(asUseIP) {
DLOG (2, ( "CAS: host_name_action for \"%s\" ignores clist provided host name\n",
client->pHostName ) );
return RSRV_OK;
}
/*
* user name will not change if there isnt enough memory
*/
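Review bot: The DLOG message in the new `asUseIP` branch reads "ignores clist provided host name" ("clist" looks like a typo for "client"), and it prints `client->pHostName`, which under `asUseIP` is the IP string filled in by create_tcp_client rather than the name that is being ignored. Logging the rejected client-supplied string together with the peer IP would let an operator see the mismatch, e.g. `DLOG (2, ( "CAS: host_name_action from %s ignores client provided host name\n", client->pHostName ) );` with the supplied name added as a second argument from this function's local. A one-line comment on the early return, `/* pHostName was set from the peer address in create_tcp_client; keep it */`, would also make clear that the allocation below is skipped on purpose. host_name_action starts before and continues after this hunk.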


@@ -1421,6 +1421,20 @@ struct client *create_tcp_client (SOCKET sock , const osiSockAddr *peerAddr)
}
client->addr = peerAddr->ia;
if(asUseIP) {
epicsUInt32 ip = ntohl(client->addr.sin_addr.s_addr);
client->pHostName = malloc(24);
if(!client->pHostName) {
destroy_client ( client );
return NULL;
}
epicsSnprintf(client->pHostName, 24,
"%u.%u.%u.%u",
(ip>>24)&0xff,
(ip>>16)&0xff,
(ip>>8)&0xff,
(ip>>0)&0xff);
}
/*
* see TCP(4P) this seems to make unsolicited single events much
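Review bot: The buffer size `24` and the `"%u.%u.%u.%u"` rendering of `ip` are duplicated verbatim between this hunk and the asHagAddHost hunk later in the commit, and 24 is an unexplained magic number (a dotted IPv4 quad needs at most 15 characters plus the terminator). A named constant shared by both sites, or one small helper that renders a `struct sockaddr_in` into the canonical dotted form, would keep the two representations from drifting; if the HAG side and the client side ever format differently, every IP-based HAG silently stops matching. At minimum a comment such as `/* 15 chars + NUL fits in 24; asHagAddHost must produce the identical form */` should sit next to the epicsSnprintf call. create_tcp_client continues outside the hunk.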

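--- a/<path-not-on-page>
+++ b/<path-not-on-page>
@@ -86,7 +86,7 @@ typedef struct client {
 ELLLIST chanList;
 ELLLIST chanPendingUpdateARList;
 ELLLIST putNotifyQue;
-struct sockaddr_in addr;
+struct sockaddr_in addr; /* peer address, TCP only */
 epicsTimeStamp time_at_last_send;
 epicsTimeStamp time_at_last_recv;
 void *evuser;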

@@ -21,6 +21,11 @@
extern "C" {
#endif
/* 0 - Use (unverified) client provided host name string.
* 1 - Use actual client IP address. HAG() are resolved to IPs at ACF load time.
*/
epicsShareExtern int asUseIP;
typedef struct asgMember *ASMEMBERPVT;
typedef struct asgClient *ASCLIENTPVT;
typedef int (*ASINPUTFUNCPTR)(char *buf,int max_size);
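Review bot: The comment on `asUseIP` should say when the flag must be set, because the two sides it controls are evaluated at different times: HAG entries are rendered to IP strings when the ACF is loaded (asHagAddHost), while a client's name is rendered at connect time (create_tcp_client). Since the iocsh registration in libComRegister allows the variable to be changed at any time, flipping it after the ACF is loaded leaves existing HAG entries holding host names while new clients present IP strings (or the reverse), so the comparisons can no longer match. Suggest extending the comment with: `Must be set before the ACF is loaded and before any client connects; changing it afterwards makes existing HAG entries and client names incomparable.`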


@@ -15,6 +15,8 @@
#include <ctype.h>
#define epicsExportSharedSymbols
#include "osiSock.h"
#include "epicsTypes.h"
#include "epicsStdio.h"
#include "dbDefs.h"
#include "epicsThread.h"
@@ -27,6 +29,8 @@
#include "postfix.h"
#include "asLib.h"
int asUseIP;
static epicsMutexId asLock;
#define LOCK epicsMutexMustLock(asLock)
#define UNLOCK epicsMutexUnlock(asLock)
@@ -1206,11 +1210,29 @@ static long asHagAddHost(HAG *phag,const char *host)
int len, i;
if (!phag) return 0;
len = strlen(host);
phagname = asCalloc(1, sizeof(HAGNAME) + len + 1);
phagname->host = (char *)(phagname + 1);
for (i = 0; i < len; i++) {
phagname->host[i] = (char)tolower((int)host[i]);
if(!asUseIP) {
len = strlen(host);
phagname = asCalloc(1, sizeof(HAGNAME) + len + 1);
phagname->host = (char *)(phagname + 1);
for (i = 0; i < len; i++) {
phagname->host[i] = (char)tolower((int)host[i]);
}
} else {
struct sockaddr_in addr;
epicsUInt32 ip;
if(aToIPAddr(host, 0, &addr)) {
errlogPrintf("Unable to resolve host '%s'\n", host);
return S_asLib_noHag;
}
ip = ntohl(addr.sin_addr.s_addr);
phagname = asCalloc(1, sizeof(HAGNAME) + 24);
phagname->host = (char *)(phagname + 1);
epicsSnprintf(phagname->host, 24,
"%u.%u.%u.%u",
(ip>>24)&0xff,
(ip>>16)&0xff,
(ip>>8)&0xff,
(ip>>0)&0xff);
}
ellAdd(&phag->list, &phagname->node);
return 0;
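Review bot: In the `asUseIP` branch of asHagAddHost the host is resolved once, at ACF load, into a single `struct sockaddr_in`, so a HAG naming a host with several addresses, or whose address changes later, will match only the one address obtained at load time. That is a reasonable trade-off for the commit's goal (the client can no longer supply the name), but it belongs in a comment next to the aToIPAddr call, e.g. `/* resolved once at load time; a host with several addresses matches only the one returned here */`, since the errlogPrintf only covers the failure case. The 24-byte buffer and `"%u.%u.%u.%u"` format are copied from create_tcp_client; a shared constant or helper would keep the two in lock-step, because any divergence silently breaks every IP-based HAG. The `len`/`i` locals are now used only in the name branch, which is fine but worth noting so they are not mistaken for dead code.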


@@ -12,6 +12,7 @@
#define epicsExportSharedSymbols
#include "iocsh.h"
#include "asLib.h"
#include "epicsStdioRedirect.h"
#include "epicsString.h"
#include "epicsTime.h"
@@ -392,6 +393,8 @@ static void installLastResortEventProviderCallFunc(const iocshArgBuf *args)
installLastResortEventProvider();
}
static iocshVarDef asUseIPDef = {"asUseIP", iocshArgInt, 0};
void epicsShareAPI libComRegister(void)
{
iocshRegister(&dateFuncDef, dateCallFunc);
@@ -424,4 +427,7 @@ void epicsShareAPI libComRegister(void)
iocshRegister(&generalTimeReportFuncDef,generalTimeReportCallFunc);
iocshRegister(&installLastResortEventProviderFuncDef, installLastResortEventProviderCallFunc);
asUseIPDef.pval = &asUseIP;
iocshRegisterVariable(&asUseIPDef);
}