From 527f158ec3b23b20dda19b46d000c69ed959b168 Mon Sep 17 00:00:00 2001
From: msalle <mischa.salle@gmail.com>
Date: Thu, 2 Jan 2020 12:18:29 +0100
Subject: pam_access: Fix (IPv6) address prefix size matching

IPv6 address prefix sizes larger than 128 (i.e. not larger or equal to) should
be discarded. Additionally, for IPv4 addresses, the largest valid prefix size
should be 32.

Fixes #161
---
 modules/pam_access/pam_access.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'modules/pam_access/pam_access.c')

diff --git a/modules/pam_access/pam_access.c b/modules/pam_access/pam_access.c
index 128da01d..b57397be 100644
--- a/modules/pam_access/pam_access.c
+++ b/modules/pam_access/pam_access.c
@@ -737,7 +737,9 @@ network_netmask_match (pam_handle_t *pamh,
 		{ /* invalid netmask value */
 		  return NO;
 		}
-	    if ((netmask < 0) || (netmask >= 128))
+	    if ((netmask < 0)
+		|| (addr_type == AF_INET && netmask > 32)
+		|| (addr_type == AF_INET6 && netmask > 128))
 		{ /* netmask value out of range */
 		  return NO;
 		}
-- 
cgit v1.2.3