0002240: CIDR notation circumvents "Too broad mask" protection

ID	Project	Category	View Status	Date Submitted	Last Update

0002240	unreal	ircd	public	2004-12-15 13:02	2004-12-26 19:28

Reporter	aquanight	Assigned To	~~codemastr~~
Priority	normal	Severity	minor	Reproducibility	always
Status	resolved	Resolution	fixed
Platform	X86	OS	Windows	OS Version	XP Pro SP2
Product Version	3.2.2
Fixed in Version	3.2.3

Summary	0002240: CIDR notation circumvents "Too broad mask" protection
Description	The /?line commands all check if a mask is too broad and thus prevent opers from adding an insanely wide ?line (like @). However, CIDR notation allows an oper to ban a very large IP range, thus getting around this mechanism. For example, the mask *@0.0.0.0/1 is accepted as valid, and would end up banning about half the internet from the network! I'm thinking a simple check for CIDR masks should be done to avoid setting extremely wide CIDR bans, just as extremely wide wildcard bans aren't allowed. I think a good rule would be to require no less than /8 without uline intervention (eg, minimum 8 bits in the mask, so 0.0.0.0/1 isn't valid, but 39.0.0.0/8 is).
Steps To Reproduce	- Attempt to add a gline for something really broad using only wildcards. For example: @.com. Get "too broad mask" error. - Attempt to add a gline for something really broad using CIDR. For example, @0.0.0.0/1. It works. (Recommend using a low (5s?) timeout (or an except tkl @*) if you test this on a real network!)
Tags	No tags attached.

3rd party modules

Date Modified	Username	Field	Change
2004-12-15 13:02	aquanight	New Issue
2004-12-15 14:13	syzop	Status	new => acknowledged
2004-12-26 19:28	~~codemastr~~	Status	acknowledged => resolved
2004-12-26 19:28	~~codemastr~~	Fixed in Version	=> 3.2.3
2004-12-26 19:28	~~codemastr~~	Resolution	open => fixed
2004-12-26 19:28	~~codemastr~~	Assigned To	=> codemastr
2004-12-26 19:28	~~codemastr~~	Note Added: 0008675

~~codemastr~~ 2004-12-26 19:28 reporter ~0008675	As of .212, it now requires 16bits. 8 seemed too low (banning 1.0.0.0-1.255.255.255 is rather broad).