I found this suspisious case (and described shortly in Samba-JP), so I'll explain more.
In <[EMAIL PROTECTED]>, [EMAIL PROTECTED] wrote: >> The masked_match function in lib/access.c is wrong.(CVS HEAD and 2_2) This case matches if CIDR-like notation specified in hosts allow/deny (ex. '10.0.0.0/23') only. This is not case if specified with <network>/<subnet mask>. (ex. '10.0.0.0/255.255.254.0') I cite more lines in lib/access.c: 33 if (strlen(slash + 1) > 2) { 34 mask = interpret_addr(slash + 1); 35 } else { 36 mask = (uint32)((ALLONES << atoi(slash + 1)) ^ ALLONES); 37 } >> Example: hosts allow = 10.0.0.0/23 >> >> This produces following result. This isn't mask. >> mask = 0000 0000 0111 1111 1111 1111 1111 1111 In case '10.0.0.0/255.255.254.0', program execute line 34 and returns: mask = 1111 1111 1111 1111 1111 1110 0000 0000 >> I don't know why this change was made. >> http://cvs.samba.org/cgi-bin/cvsweb/samba/source/lib/access.c.diff?r1=1.19.4.12&r2=1.19.4.13 I think reverting change in line 36 (reverse shift direction) or replacing '^'(XOR) to '&'(AND) would solve this case. Am I right? Patch (I prefer replacing '^' to '&') follows: Index: lib/access.c =================================================================== RCS file: /cvsroot/samba/source/lib/access.c,v retrieving revision 1.35 diff -u -u -w -r1.35 access.c --- lib/access.c 12 Nov 2002 23:15:49 -0000 1.35 +++ lib/access.c 14 Mar 2003 10:43:09 -0000 @@ -33,7 +33,7 @@ if (strlen(slash + 1) > 2) { mask = interpret_addr(slash + 1); } else { - mask = (uint32)((ALLONES << atoi(slash + 1)) ^ ALLONES); + mask = (uint32)((ALLONES << atoi(slash + 1)) & ALLONES); } if (net == INADDR_NONE || mask == INADDR_NONE) { ---- Tomoki AONO ([EMAIL PROTECTED])