openvpn: avoid accepting /32 "networks" where hosts are not allowed #2536

192.168.1.1/32 is not accepted, but 192.168.1.0/32 was.
2026-03-15 17:14:46 +00:00 · 2018-07-12 08:21:54 +02:00 · 2018-07-12 08:21:54 +02:00 · 399d719ede
commit 399d719ede
parent 5a9d6773df
1 changed files with 11 additions and 7 deletions
--- a/src/etc/inc/plugins.inc.d/openvpn.inc
+++ b/src/etc/inc/plugins.inc.d/openvpn.inc
@ -414,14 +414,18 @@ function openvpn_validate_cidr_ipv4($value, $allow_hosts = false)
 {
    $value = trim($value);
    if (!empty($value)) {
-        list($ip, $mask) = explode('/', $value);
-        if (!is_ipaddrv4($ip) or !is_numeric($mask) or ($mask > 32) or ($mask < 0)) {
+        list($ip, $prefix) = explode('/', $value);
+        if (!is_ipaddrv4($ip) || !is_numeric($prefix) || $prefix > 32 || $prefix < 0) {
            return false;
        }
-        /* IPv4 case is very strict, cannot be a host address */
-        $mask = (0xffffffff << (32 - $mask)) & 0xffffffff;
-        if (!$allow_hosts && (ip2long($ip) & $mask) != ip2long($ip)) {
-            return false;
+        if (!$allow_hosts) {
+            if ($prefix == 32) {
+                return false;
+            }
+            $mask = (0xffffffff << (32 - $prefix)) & 0xffffffff;
+            if (ip2long($ip) & $mask != ip2long($ip)) {
+                return false;
+            }
        }
    }
    return true;
@ -435,7 +439,7 @@ function openvpn_validate_cidr_ipv6($value)
        if (empty($prefix)) {
            $prefix = '128';
        }
-        if (!is_ipaddrv6($ipv6) or !is_numeric($prefix) or ($prefix > 128) or ($prefix < 0)) {
+        if (!is_ipaddrv6($ipv6) || !is_numeric($prefix) || $prefix > 128 || $prefix < 0) {
            return false;
        }
    }