Bug #11446
Mobile IPsec DNS server input validation does not reject unsupported IPv4-mapped IPv6 addresses
100%
Description
Adding an IPv4-mapped IPv6 address as a mobile IPsec DNS server on vpn_ipsec_mobile.php (ex: fd00::1.2.3.4) causes strongSwan to fail to load the configuration:
: grep dns /var/etc/ipsec/swanctl.conf
dns = 10.6.0.1,198.51.100.1,8.8.8.8,fd00::1.2.3.4
: swanctl --load-all --file /var/etc/ipsec/swanctl.conf --debug 1
loaded certificate from '/var/etc/ipsec/x509/cert-3.crt'
loaded certificate from '/var/etc/ipsec/x509/cert-6.crt'
loaded certificate from '/var/etc/ipsec/x509ca/6c0118d9.0'
loaded certificate from '/var/etc/ipsec/x509ca/8d33f237.0'
loaded certificate from '/var/etc/ipsec/x509ca/b3b66f4e.0'
loaded certificate from '/var/etc/ipsec/x509crl/6000aa83711ba.crl'
loaded certificate from '/var/etc/ipsec/x509crl/5dc46362b276b.crl'
loaded certificate from '/var/etc/ipsec/x509crl/5e13900ddfcba.crl'
loaded certificate from '/var/etc/ipsec/x509crl/5dc481d149c58.crl'
loaded certificate from '/var/etc/ipsec/x509crl/5ddbf2404b7a4.crl'
loaded certificate from '/var/etc/ipsec/x509crl/59cd3ea6e0046.crl'
loaded ECDSA key from '/var/etc/ipsec/private/cert-6.key'
loaded RSA key from '/var/etc/ipsec/private/cert-3.key'
loaded ike secret 'ike-0'
loaded ike secret 'ike-2'
loaded ike secret 'ike-4'
loaded eap secret 'eap-5'
loaded eap secret 'eap-6'
no authorities found, 0 unloaded
loading pool 'mobile-pool-v4' failed: invalid attribute value for dns
loading pool 'mobile-pool-v6' failed: invalid attribute value for dns
loaded pool 'mobile-userpool-1'
loaded pool 'mobile-userpool-2'
loaded 2 of 4 pools, 2 failed to load, 0 unloaded
Removing fd00::1.2.3.4 and replacing it with an IPv6 address or another IPv4 address allows it to function normally.
Input validation should reject this since strongSwan won't parse it, and it should also be skipped in the backend to make sure an existing broken configuration won't prevent other parts from loading.
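The two checks requested above (reject on input, skip in the backend), sketched as an added Python example; this is not the pfSense PHP code or the committed fix, and the function names are hypothetical. It assumes the unsupported form can be recognised as a string that parses as IPv6 but contains a dotted quad.

```python
import ipaddress

# DNS server list taken from the swanctl.conf line quoted in the report.
REPORTED_DNS = ["10.6.0.1", "198.51.100.1", "8.8.8.8", "fd00::1.2.3.4"]


def check_dns_server(value):
    """Return None if value is acceptable, else a reason string."""
    text = value.strip()
    try:
        addr = ipaddress.ip_address(text)
    except ValueError:
        return "not a valid IPv4 or IPv6 address"
    # Generic parsers accept a dotted quad as the last 32 bits of an IPv6
    # address (e.g. fd00::1.2.3.4); the report shows strongSwan rejecting
    # that form for the pool "dns" attribute, so test the text itself.
    # Anything after '%' is a scope id and is ignored for this test.
    if addr.version == 6 and "." in text.split("%", 1)[0]:
        return "IPv6 address with embedded dotted-quad IPv4 is not supported"
    return None


def validate_dns_servers(values):
    """Input-validation side: map each rejected entry to its reason."""
    errors = {}
    for v in values:
        reason = check_dns_server(v)
        if reason:
            errors[v] = reason
    return errors


def render_dns_line(values):
    """Backend side: emit only acceptable entries, so a bad value saved
    before the validation existed cannot make the pool fail to load."""
    good = [v.strip() for v in values if check_dns_server(v) is None]
    return "dns = " + ",".join(good) if good else ""


if __name__ == "__main__":
    for entry, reason in validate_dns_servers(REPORTED_DNS).items():
        print(f"rejected {entry}: {reason}")
    print(render_dns_line(REPORTED_DNS))
```

The check is made on the text rather than the parsed value because the same address written in hex groups (fd00::102:304) is an ordinary IPv6 address.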
Associated revisions
Reject IPv4-mapped IPv6 addresses on Mobile IPsec DNS server input validation. Fixes #11446
(cherry picked from commit 90fd68c6d42a25db20147dd455fc2701599b9c7d)
History
#1
Updated by Viktor Gurov about 2 months ago
#2
Updated by Jim Pingle about 2 months ago
- Status changed from New to Pull Request Review
#3
Updated by Jim Pingle about 1 month ago
- Target version changed from CE-Next to 2.5.1
#4
Updated by Jim Pingle about 1 month ago
- Subject changed from Mobile IPsec DNS server input validation does not reject IPv4-mapped IPv6 addresses to Mobile IPsec DNS server input validation does not reject unsupported IPv4-mapped IPv6 addresses
Updating subject for release notes.
#5
Updated by Renato Botelho 28 days ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Viktor Gurov
Merged and cherry-picked to 2.5.1
#6
Updated by Viktor Gurov 28 days ago
- % Done changed from 0 to 100
Applied in changeset 90fd68c6d42a25db20147dd455fc2701599b9c7d.
Reject IPv4-mapped IPv6 addresses on Mobile IPsec DNS server input validation. Fixes #11446