[master] fix geoip asnum matching

3935.	[bug]		"geoip asnum" ACL elements would not match unless
			the full organization name was specified.  They
			can now match against the AS number alone (e.g.,
			AS1234). [RT #36945]

CHANGES

@@ -1,3 +1,8 @@
+3935.	[bug]		"geoip asnum" ACL elements would not match unless
+			the full organization name was specified.  They
+			can now match against the AS number alone (e.g.,
+			AS1234). [RT #36945]
+
 3934.	[bug]		Catch bad 'sit-secret' in named-checkconf.  Improve
 			sit-secret documentation. [RT #36980]
 

bin/tests/system/geoip/ns2/named10.conf

@@ -40,7 +40,7 @@ controls {
 };
 
 view one {
-	match-clients { geoip domain one.de; };
+	match-clients { geoip asnum "AS100001"; };
 	zone "example" {
 		type master;
 		file "example1.db";
@@ -48,7 +48,7 @@ view one {
 };
 
 view two {
-	match-clients { geoip domain two.com; };
+	match-clients { geoip asnum "AS100002"; };
 	zone "example" {
 		type master;
 		file "example2.db";
@@ -56,7 +56,7 @@ view two {
 };
 
 view three {
-	match-clients { geoip domain three.com; };
+	match-clients { geoip asnum "AS100003"; };
 	zone "example" {
 		type master;
 		file "example3.db";
@@ -64,7 +64,7 @@ view three {
 };
 
 view four {
-	match-clients { geoip domain four.com; };
+	match-clients { geoip asnum "AS100004"; };
 	zone "example" {
 		type master;
 		file "example4.db";
@@ -72,7 +72,7 @@ view four {
 };
 
 view five {
-	match-clients { geoip domain five.es; };
+	match-clients { geoip asnum "AS100005"; };
 	zone "example" {
 		type master;
 		file "example5.db";
@@ -80,7 +80,7 @@ view five {
 };
 
 view six {
-	match-clients { geoip domain six.it; };
+	match-clients { geoip asnum "AS100006"; };
 	zone "example" {
 		type master;
 		file "example6.db";
@@ -88,7 +88,7 @@ view six {
 };
 
 view seven {
-	match-clients { geoip domain seven.org; };
+	match-clients { geoip asnum "AS100007"; };
 	zone "example" {
 		type master;
 		file "example7.db";

bin/tests/system/geoip/ns2/named11.conf

@@ -40,7 +40,7 @@ controls {
 };
 
 view one {
-	match-clients { geoip netspeed 0; };
+	match-clients { geoip domain one.de; };
 	zone "example" {
 		type master;
 		file "example1.db";
@@ -48,7 +48,7 @@ view one {
 };
 
 view two {
-	match-clients { geoip netspeed 1; };
+	match-clients { geoip domain two.com; };
 	zone "example" {
 		type master;
 		file "example2.db";
@@ -56,7 +56,7 @@ view two {
 };
 
 view three {
-	match-clients { geoip netspeed 2; };
+	match-clients { geoip domain three.com; };
 	zone "example" {
 		type master;
 		file "example3.db";
@@ -64,13 +64,37 @@ view three {
 };
 
 view four {
-	match-clients { geoip netspeed 3; };
+	match-clients { geoip domain four.com; };
 	zone "example" {
 		type master;
 		file "example4.db";
 	};
 };
 
+view five {
+	match-clients { geoip domain five.es; };
+	zone "example" {
+		type master;
+		file "example5.db";
+	};
+};
+
+view six {
+	match-clients { geoip domain six.it; };
+	zone "example" {
+		type master;
+		file "example6.db";
+	};
+};
+
+view seven {
+	match-clients { geoip domain seven.org; };
+	zone "example" {
+		type master;
+		file "example7.db";
+	};
+};
+
 view none {
 	match-clients { any; };
 	zone "example" {

bin/tests/system/geoip/ns2/named12.conf

@@ -1,5 +1,5 @@
 /*
- * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ * Copyright (C) 2013  Internet Systems Consortium, Inc. ("ISC")
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -18,10 +18,6 @@
 
 controls { /* empty */ };
 
-acl blocking {
-	geoip db country country AU;
-};
-
 options {
 	query-source address 10.53.0.2;
 	notify-source 10.53.0.2;
@@ -32,7 +28,6 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	geoip-directory "../data";
-	blackhole { blocking; };
 };
 
 key rndc_key {
@@ -43,3 +38,43 @@ key rndc_key {
 controls {
 	inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
 };
+
+view one {
+	match-clients { geoip netspeed 0; };
+	zone "example" {
+		type master;
+		file "example1.db";
+	};
+};
+
+view two {
+	match-clients { geoip netspeed 1; };
+	zone "example" {
+		type master;
+		file "example2.db";
+	};
+};
+
+view three {
+	match-clients { geoip netspeed 2; };
+	zone "example" {
+		type master;
+		file "example3.db";
+	};
+};
+
+view four {
+	match-clients { geoip netspeed 3; };
+	zone "example" {
+		type master;
+		file "example4.db";
+	};
+};
+
+view none {
+	match-clients { any; };
+	zone "example" {
+		type master;
+		file "example.db.in";
+	};
+};

bin/tests/system/geoip/ns2/named13.conf

@@ -18,6 +18,10 @@
 
 controls { /* empty */ };
 
+acl blocking {
+	geoip db country country AU;
+};
+
 options {
 	query-source address 10.53.0.2;
 	notify-source 10.53.0.2;
@@ -28,6 +32,7 @@ options {
 	listen-on-v6 { none; };
 	recursion no;
 	geoip-directory "../data";
+	blackhole { blocking; };
 };
 
 key rndc_key {
@@ -38,75 +43,3 @@ key rndc_key {
 controls {
 	inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
 };
-
-acl gAU { geoip db country country AU; };
-acl gUS { geoip db country country US; };
-acl gGB { geoip db country country GB; };
-acl gCA { geoip db country country CA; };
-acl gCL { geoip db country country CL; };
-acl gDE { geoip db country country DE; };
-acl gEH { geoip db country country EH; };
-
-view one {
-	match-clients { gAU; };
-	zone "example" {
-		type master;
-		file "example1.db";
-	};
-};
-
-view two {
-	match-clients { gUS; };
-	zone "example" {
-		type master;
-		file "example2.db";
-	};
-};
-
-view three {
-	match-clients { gGB; };
-	zone "example" {
-		type master;
-		file "example3.db";
-	};
-};
-
-view four {
-	match-clients { gCA; };
-	zone "example" {
-		type master;
-		file "example4.db";
-	};
-};
-
-view five {
-	match-clients { gCL; };
-	zone "example" {
-		type master;
-		file "example5.db";
-	};
-};
-
-view six {
-	match-clients { gDE; };
-	zone "example" {
-		type master;
-		file "example6.db";
-	};
-};
-
-view seven {
-	match-clients { gEH; };
-	zone "example" {
-		type master;
-		file "example7.db";
-	};
-};
-
-view none {
-	match-clients { any; };
-	zone "example" {
-		type master;
-		file "example.db.in";
-	};
-};

bin/tests/system/geoip/ns2/named14.conf

@@ -0,0 +1,112 @@
+/*
+ * Copyright (C) 2014  Internet Systems Consortium, Inc. ("ISC")
+ *
+ * Permission to use, copy, modify, and/or distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
+ * REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
+ * AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
+ * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
+ * LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
+ * OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
+ * PERFORMANCE OF THIS SOFTWARE.
+ */
+
+// NS2
+
+controls { /* empty */ };
+
+options {
+	query-source address 10.53.0.2;
+	notify-source 10.53.0.2;
+	transfer-source 10.53.0.2;
+	port 5300;
+	pid-file "named.pid";
+	listen-on { 10.53.0.2; };
+	listen-on-v6 { none; };
+	recursion no;
+	geoip-directory "../data";
+};
+
+key rndc_key {
+	secret "1234abcd8765";
+	algorithm hmac-sha256;
+};
+
+controls {
+	inet 10.53.0.2 port 9953 allow { any; } keys { rndc_key; };
+};
+
+acl gAU { geoip db country country AU; };
+acl gUS { geoip db country country US; };
+acl gGB { geoip db country country GB; };
+acl gCA { geoip db country country CA; };
+acl gCL { geoip db country country CL; };
+acl gDE { geoip db country country DE; };
+acl gEH { geoip db country country EH; };
+
+view one {
+	match-clients { gAU; };
+	zone "example" {
+		type master;
+		file "example1.db";
+	};
+};
+
+view two {
+	match-clients { gUS; };
+	zone "example" {
+		type master;
+		file "example2.db";
+	};
+};
+
+view three {
+	match-clients { gGB; };
+	zone "example" {
+		type master;
+		file "example3.db";
+	};
+};
+
+view four {
+	match-clients { gCA; };
+	zone "example" {
+		type master;
+		file "example4.db";
+	};
+};
+
+view five {
+	match-clients { gCL; };
+	zone "example" {
+		type master;
+		file "example5.db";
+	};
+};
+
+view six {
+	match-clients { gDE; };
+	zone "example" {
+		type master;
+		file "example6.db";
+	};
+};
+
+view seven {
+	match-clients { gEH; };
+	zone "example" {
+		type master;
+		file "example7.db";
+	};
+};
+
+view none {
+	match-clients { any; };
+	zone "example" {
+		type master;
+		file "example.db.in";
+	};
+};

bin/tests/system/geoip/tests.sh

@@ -197,7 +197,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
 sleep 3
 
 n=`expr $n + 1`
-echo "I:checking GeoIP domain database ($n)"
+echo "I:checking GeoIP asnum database - ASNNNN only ($n)"
 ret=0
 lret=0
 for i in 1 2 3 4 5 6 7; do
@@ -216,10 +216,10 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /
 sleep 3
 
 n=`expr $n + 1`
-echo "I:checking GeoIP netspeed database ($n)"
+echo "I:checking GeoIP domain database ($n)"
 ret=0
 lret=0
-for i in 1 2 3 4; do
+for i in 1 2 3 4 5 6 7; do
     $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
     j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
     [ "$i" = "$j" ] || lret=1
@@ -234,6 +234,25 @@ cp -f ns2/named12.conf ns2/named.conf
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
 sleep 3
 
+n=`expr $n + 1`
+echo "I:checking GeoIP netspeed database ($n)"
+ret=0
+lret=0
+for i in 1 2 3 4; do
+    $DIG $DIGOPTS txt example -b 10.53.0.$i > dig.out.ns2.test$n.$i || lret=1
+    j=`cat dig.out.ns2.test$n.$i | tr -d '"'`
+    [ "$i" = "$j" ] || lret=1
+    [ $lret -eq 1 ] && break
+done
+[ $lret -eq 1 ] && ret=1
+[ $ret -eq 0 ] || echo "I:failed"
+status=`expr $status + $ret`
+
+echo "I:reloading server"
+cp -f ns2/named13.conf ns2/named.conf
+$RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
+sleep 3
+
 n=`expr $n + 1`
 echo "I:checking GeoIP blackhole ACL ($n)"
 ret=0
@@ -243,7 +262,7 @@ $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 status 2>&1 > rndc.out.ns2.tes
 status=`expr $status + $ret`
 
 echo "I:reloading server"
-cp -f ns2/named13.conf ns2/named.conf
+cp -f ns2/named14.conf ns2/named.conf
 $RNDC -c ../common/rndc.conf -s 10.53.0.2 -p 9953 reload 2>&1 | sed 's/^/I:ns2 /'
 sleep 3
 

doc/arm/Bv9ARM-book.xml

@@ -3459,17 +3459,20 @@ $ORIGIN 0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
 	  "isp", "org", "asnum", "domain" and "netspeed".
 	</para>
 	<para>
-	  <replaceable>value</replaceable> is the value to searched for
+	  <replaceable>value</replaceable> is the value to search
-	  within the database.  A string may be quoted if it contains
+	  for within the database.  A string may be quoted if it
-	  spaces or other special characters.  If this is a "country"
+	  contains spaces or other special characters.  If this is
-	  search and the string is two characters long, then it must be a
+	  an "asnum" search, then the leading "ASNNNN" string can be
-	  standard ISO-3166-1 two-letter country code, and if it is three
+	  used, otherwise the full description must be used (e.g.
-	  characters long then it must be an ISO-3166-1 three-letter
+	  "ASNNNN Example Company Name").  If this is a "country"
-	  country code; otherwise it is the full name of the country.
+	  search and the string is two characters long, then it must
-	  Similarly, if this is a "region" search and the string is
+	  be a standard ISO-3166-1 two-letter country code, and if it
-	  two characters long, then it must be a standard two-letter state
+	  is three characters long then it must be an ISO-3166-1
-	  or province abbreviation; otherwise it is the full name of the
+	  three-letter country code; otherwise it is the full name
-	  state or province.
+	  of the country.  Similarly, if this is a "region" search
+	  and the string is two characters long, then it must be a
+	  standard two-letter state or province abbreviation;
+	  otherwise it is the full name of the state or province.
 	</para>
 	<para>
 	  The <replaceable>database</replaceable> field indicates which

lib/dns/geoip.c

@@ -766,8 +766,21 @@ dns_geoip_match(const isc_netaddr_t *reqaddr,
 			return (ISC_FALSE);
 
 		s = name_lookup(db, subtype, ipnum);
-		if (s != NULL && strcasecmp(elt->as_string, s) == 0)
+		if (s != NULL) {
+			size_t l;
+			if (strcasecmp(elt->as_string, s) == 0)
 				return (ISC_TRUE);
+			if (subtype != dns_geoip_as_asnum)
+				break;
+			/*
+			 * Just check if the ASNNNN value matches.
+			 */
+			l = strlen(elt->as_string);
+			if (l > 0U && strchr(elt->as_string, ' ') == NULL &&
+			    strncasecmp(elt->as_string, s, l) == 0 &&
+			    s[l] == ' ')
+				return (ISC_TRUE);
+		}
 		break;
 
 	case dns_geoip_netspeed_id:

lib/isccfg/aclconf.c

@@ -482,6 +482,7 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
 	const char *stype, *search;
 	dns_geoip_subtype_t subtype;
 	dns_aclelement_t de;
+	size_t len;
 
 	REQUIRE(dep != NULL);
 
@@ -493,35 +494,52 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
 
 	stype = cfg_obj_asstring(cfg_tuple_get(obj, "subtype"));
 	search = cfg_obj_asstring(cfg_tuple_get(obj, "search"));
+	len = strlen(search);
 
-	if (strcasecmp(stype, "country") == 0 && strlen(search) == 2) {
+	if (len == 0) {
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "zero-length geoip search field");
+		return (ISC_R_FAILURE);
+	}
+
+	if (strcasecmp(stype, "country") == 0 && len == 2) {
 		/* Two-letter country code */
 		subtype = dns_geoip_countrycode;
-		strncpy(de.geoip_elem.as_string, search, 2);
+		strlcpy(de.geoip_elem.as_string, search,
-	} else if (strcasecmp(stype, "country") == 0 && strlen(search) == 3) {
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "country") == 0 && len == 3) {
 		/* Three-letter country code */
 		subtype = dns_geoip_countrycode3;
-		strncpy(de.geoip_elem.as_string, search, 3);
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
 	} else if (strcasecmp(stype, "country") == 0) {
 		/* Country name */
 		subtype = dns_geoip_countryname;
-		strncpy(de.geoip_elem.as_string, search, 255);
+		strlcpy(de.geoip_elem.as_string, search,
-	} else if (strcasecmp(stype, "region") == 0 && strlen(search) == 2) {
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "region") == 0 && len == 2) {
 		/* Two-letter region code */
 		subtype = dns_geoip_region;
-		strncpy(de.geoip_elem.as_string, search, 2);
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
 	} else if (strcasecmp(stype, "region") == 0) {
 		/* Region name */
 		subtype = dns_geoip_regionname;
-		strncpy(de.geoip_elem.as_string, search, 255);
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
 	} else if (strcasecmp(stype, "city") == 0) {
 		/* City name */
 		subtype = dns_geoip_city_name;
-		strncpy(de.geoip_elem.as_string, search, 255);
+		strlcpy(de.geoip_elem.as_string, search,
-	} else if (strcasecmp(stype, "postal") == 0 && strlen(search) < 7) {
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "postal") == 0 && len < 7) {
 		subtype = dns_geoip_city_postalcode;
-		strncpy(de.geoip_elem.as_string, search, 6);
+		strlcpy(de.geoip_elem.as_string, search,
-		de.geoip_elem.as_string[6] = '\0';
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "postal") == 0) {
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "geoiop postal code (%s) too long", search);
+		return (ISC_R_FAILURE);
 	} else if (strcasecmp(stype, "metro") == 0) {
 		subtype = dns_geoip_city_metrocode;
 		de.geoip_elem.as_int = atoi(search);
@@ -530,23 +548,33 @@ parse_geoip_element(const cfg_obj_t *obj, isc_log_t *lctx,
 		de.geoip_elem.as_int = atoi(search);
 	} else if (strcasecmp(stype, "tz") == 0) {
 		subtype = dns_geoip_city_timezonecode;
-		strncpy(de.geoip_elem.as_string, search, 255);
+		strlcpy(de.geoip_elem.as_string, search,
-	} else if (strcasecmp(stype, "continent") == 0 && strlen(search) == 2) {
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "continent") == 0 && len == 2) {
 		/* Two-letter continent code */
 		subtype = dns_geoip_city_continentcode;
-		strncpy(de.geoip_elem.as_string, search, 2);
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
+	} else if (strcasecmp(stype, "continent") == 0) {
+		cfg_obj_log(obj, lctx, ISC_LOG_ERROR,
+			    "geoiop continent code (%s) too long", search);
+		return (ISC_R_FAILURE);
 	} else if (strcasecmp(stype, "isp") == 0) {
 		subtype = dns_geoip_isp_name;
-		strncpy(de.geoip_elem.as_string, search, 255);
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
 	} else if (strcasecmp(stype, "asnum") == 0) {
 		subtype = dns_geoip_as_asnum;
-		strncpy(de.geoip_elem.as_string, search, 255);
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
 	} else if (strcasecmp(stype, "org") == 0) {
 		subtype = dns_geoip_org_name;
-		strncpy(de.geoip_elem.as_string, search, 255);
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
 	} else if (strcasecmp(stype, "domain") == 0) {
 		subtype = dns_geoip_domain_name;
-		strncpy(de.geoip_elem.as_string, search, 255);
+		strlcpy(de.geoip_elem.as_string, search,
+			sizeof(de.geoip_elem.as_string));
 	} else if (strcasecmp(stype, "netspeed") == 0) {
 		subtype = dns_geoip_netspeed_id;
 		de.geoip_elem.as_int = atoi(search);

util/copyrights

@@ -1313,10 +1313,11 @@
 ./bin/tests/system/geoip/geoip.c		C	2013
 ./bin/tests/system/geoip/ns2/example.db.in	ZONE	2013
 ./bin/tests/system/geoip/ns2/named1.conf	CONF-C	2013
-./bin/tests/system/geoip/ns2/named10.conf	CONF-C	2013
+./bin/tests/system/geoip/ns2/named10.conf	CONF-C	2014
 ./bin/tests/system/geoip/ns2/named11.conf	CONF-C	2013
-./bin/tests/system/geoip/ns2/named12.conf	CONF-C	2014
+./bin/tests/system/geoip/ns2/named12.conf	CONF-C	2013
 ./bin/tests/system/geoip/ns2/named13.conf	CONF-C	2014
+./bin/tests/system/geoip/ns2/named14.conf	CONF-C	2014
 ./bin/tests/system/geoip/ns2/named2.conf	CONF-C	2013
 ./bin/tests/system/geoip/ns2/named3.conf	CONF-C	2013
 ./bin/tests/system/geoip/ns2/named4.conf	CONF-C	2013