From: "Pierre Mazière" <star+netfilterdevelml@paupiland.net>
To: netfilter-devel@vger.kernel.org
Subject: [ipset] Can't resolve domain names containing an hyphen "-"
Date: Fri, 22 Aug 2025 17:52:39 +0200
Message-ID: <20250822155239.GA30578@askadice.com>

Hello,

I might have found a bug in ipset domain name resolving code:

--------------------------------------------------------------
# ipset create testset hash:ip
# ipset add testset hyphen-containing.example.com
ipset v7.2x: Syntax error: cannot parse hyphen: resolving to IPv4 address failed
----------------------------------------------------------------

This is the output of ipset 7.22 in an up-to-date Debian testing system as well
as of 7.24 directly compiled from the git repository.

The issue seems to be located in the parse_ipaddr function of
lib/parse.c: the function attempts to find if the string pointed to by the str
argument is a range of IPs containing IPSET_RANGE_SEPARATOR defined in
include/libipset/parse.h as "-".

If IPSET_RANGE_SEPARATOR is found, it is replaced by '\0' which results
in the truncation of the string pointed to by the str argument.
If the string is a domain name then the subsequent attempt to resolve it
fails because it is incomplete compared to what was passed initially to
the parse_ipaddr function.

I don't have any understanding of what is done before or after
this step. Therefore, if you consider this report as valid, I'll leave
to the relevant developer the task to fix this issue in the most secure
and appropriate way.

Many thanks to all involved developers and non-developers for their work on
this very important set of tools that is netfilter!

Pierre
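
The truncation described in the report, reproduced as an added example that is not part of the original message and is not ipset's code. split_naive() models the cut at the first "-"; split_guarded() and is_ip_literal() are hypothetical names for one possible guard, which keeps the cut only when the text before the separator is an address literal.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

#define RANGE_SEPARATOR "-" /* the character the report cites */

/* Split as the report describes: cut at the first separator, in place. */
int split_naive(char *buf, char **second)
{
    char *sep = strstr(buf, RANGE_SEPARATOR);

    *second = NULL;
    if (!sep)
        return 0;
    *sep = '\0';
    *second = sep + 1;
    return 1;
}

/* True for an IPv4 or IPv6 literal; inet_pton() does no DNS lookup. */
static int is_ip_literal(const char *s)
{
    unsigned char tmp[16];

    return inet_pton(AF_INET, s, tmp) == 1 || inet_pton(AF_INET6, s, tmp) == 1;
}

/* Hypothetical guard: keep the cut only if the left part is a literal. */
int split_guarded(char *buf, char **second)
{
    if (!split_naive(buf, second))
        return 0;
    if (is_ip_literal(buf))
        return 1;
    (*second)[-1] = RANGE_SEPARATOR[0]; /* undo the cut: it is a name */
    *second = NULL;
    return 0;
}

int main(void)
{
    char a[] = "hyphen-containing.example.com"; /* constructed input */
    char b[] = "hyphen-containing.example.com";
    char *to;

    split_naive(a, &to);
    printf("naive:   %s | %s\n", a, to);
    split_guarded(b, &to);
    printf("guarded: %s\n", b);
    return 0;
}
```

The guard gives up ranges written with host names on both sides. The ipset(8) manual covers names with a dash by requiring them to be enclosed in square brackets.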