From eb95d2e917b3f71c33a8be53eac75eb191ee5a9d Mon Sep 17 00:00:00 2001
From: Mark Andrews <marka@isc.org>
Date: Thu, 1 Oct 2009 04:06:37 +0000
Subject: [PATCH] 2696.   [bug]           named failed to successfully process
 some valid                         acl constructs. [RT #20308]

---
 CHANGES              |  3 +++
 lib/isccfg/aclconf.c | 23 +++++++++++++++++------
 2 files changed, 20 insertions(+), 6 deletions(-)

diff --git a/CHANGES b/CHANGES
index 0e32dd900e..f80a595c31 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,6 @@
+2696.	[bug]		named failed to successfully process some valid
+			acl constructs. [RT #20308]
+
 2695.	[func]		DHCP/DDNS - update fdwatch code for use by
 			DHCP.  Modify the api to isc_sockfdwatch_t (the
 			callback funciton for isc_socket_fdwatchcreate)
diff --git a/lib/isccfg/aclconf.c b/lib/isccfg/aclconf.c
index 2b7719444f..e6a7dd6dfd 100644
--- a/lib/isccfg/aclconf.c
+++ b/lib/isccfg/aclconf.c
@@ -15,7 +15,7 @@
  * PERFORMANCE OF THIS SOFTWARE.
  */
 
-/* $Id: aclconf.c,v 1.25 2009/09/01 00:22:28 jinmei Exp $ */
+/* $Id: aclconf.c,v 1.26 2009/10/01 04:06:37 marka Exp $ */
 
 #include <config.h>
 
@@ -168,26 +168,36 @@ convert_keyname(const cfg_obj_t *keyobj, isc_log_t *lctx, isc_mem_t *mctx,
  * parent.
  */
 static int
-count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx)
+count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx,
+		   isc_boolean_t *has_negative)
 {
 	const cfg_listelt_t *elt;
 	const cfg_obj_t *cacl = NULL;
 	isc_result_t result;
 	int n = 0;
 
+	if (has_negative != NULL)
+		*has_negative = ISC_FALSE;
+
 	for (elt = cfg_list_first(caml);
 	     elt != NULL;
 	     elt = cfg_list_next(elt)) {
 		const cfg_obj_t *ce = cfg_listelt_value(elt);
 
 		/* negated element; just get the value. */
-		if (cfg_obj_istuple(ce))
+		if (cfg_obj_istuple(ce)) {
 			ce = cfg_tuple_get(ce, "value");
+			if (has_negative != NULL)
+				*has_negative = ISC_TRUE;
+		}
 
 		if (cfg_obj_istype(ce, &cfg_type_keyref)) {
 			n++;
 		} else if (cfg_obj_islist(ce)) {
-			n += count_acl_elements(ce, cctx);
+			isc_boolean_t negative;
+			n += count_acl_elements(ce, cctx, &negative);
+			if (negative)
+				n++;
 		} else if (cfg_obj_isstring(ce)) {
 			const char *name = cfg_obj_asstring(ce);
 			if (strcasecmp(name, "localhost") == 0 ||
@@ -197,7 +207,8 @@ count_acl_elements(const cfg_obj_t *caml, const cfg_obj_t *cctx)
 				   strcasecmp(name, "none") != 0) {
 				result = get_acl_def(cctx, name, &cacl);
 				if (result == ISC_R_SUCCESS)
-					n += count_acl_elements(cacl, cctx) + 1;
+					n += count_acl_elements(cacl, cctx,
+							        NULL) + 1;
 			}
 		}
 	}
@@ -246,7 +257,7 @@ cfg_acl_fromconfig(const cfg_obj_t *caml,
 		int nelem;
 
 		if (nest_level == 0)
-			nelem = count_acl_elements(caml, cctx);
+			nelem = count_acl_elements(caml, cctx, NULL);
 		else
 			nelem = cfg_list_length(caml, ISC_FALSE);