authorErik Fonnesbeck <efonnes@gmail.com>2010-05-20 10:48:39 -0600
committerErik Fonnesbeck <efonnes@gmail.com>2010-05-20 10:55:02 -0600
commit9603306327f07205ac69ea99b8c0666ba9dc8a1d (patch)
tree105765d1e09bbb9eea4dacfb7ff0f2cb1f943a89 /etc/inc
parent986a3accd40a7d45c0a3d48d2b42d2c58a231d99 (diff)
Various fixes to usage of ip2long, long2ip, and negated subnet masks, mostly affecting 64-bit. Ticket #459
Diffstat (limited to 'etc/inc')
-rw-r--r--etc/inc/openvpn.inc18
-rw-r--r--etc/inc/util.inc26
-rw-r--r--etc/inc/vpn.inc10
3 files changed, 32 insertions, 22 deletions
diff --git a/etc/inc/openvpn.inc b/etc/inc/openvpn.inc
index 72630e7..3fe4574 100644
--- a/etc/inc/openvpn.inc
+++ b/etc/inc/openvpn.inc
@@ -363,9 +363,9 @@ function openvpn_reconfigure($mode,& $settings) {
switch($settings['mode']) {
case 'p2p_tls':
case 'p2p_shared_key':
- $baselong = ip2long($ip) & ip2long($mask);
- $ip1 = long2ip($baselong + 1);
- $ip2 = long2ip($baselong + 2);
+ $baselong = ip2long32($ip) & ip2long($mask);
+ $ip1 = long2ip32($baselong + 1);
+ $ip2 = long2ip32($baselong + 2);
$conf .= "ifconfig $ip1 $ip2\n";
break;
case 'server_tls':
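Review bot: `$baselong + 1` and `$baselong + 2` are written into the OpenVPN config without checking that the tunnel network is large enough to hold two host addresses. With a /31 or /32 prefix the second (or both) endpoint falls outside the configured network, and `long2ip32()` now also wraps silently at the top of the address space instead of producing an obviously wrong value. The same three lines appear in the hunks at -463 and -626, where the `explode('/', $settings['tunnel_network'])` is visible; a guard such as `(int)$mask <= 30` tested right after that `explode()` would make the assumption explicit, unless the GUI already enforces it elsewhere. `openvpn_reconfigure()` starts and ends outside this hunk.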
@@ -463,9 +463,9 @@ function openvpn_reconfigure($mode,& $settings) {
if (!empty($settings['tunnel_network'])) {
list($ip, $mask) = explode('/', $settings['tunnel_network']);
$mask = gen_subnet_mask($mask);
- $baselong = ip2long($ip) & ip2long($mask);
- $ip1 = long2ip($baselong + 1);
- $ip2 = long2ip($baselong + 2);
+ $baselong = ip2long32($ip) & ip2long($mask);
+ $ip1 = long2ip32($baselong + 1);
+ $ip2 = long2ip32($baselong + 2);
$conf .= "ifconfig $ip2 $ip1\n";
}
@@ -626,9 +626,9 @@ function openvpn_resync_csc(& $settings) {
if (!empty($settings['tunnel_network'])) {
list($ip, $mask) = explode('/', $settings['tunnel_network']);
- $baselong = ip2long($ip) & gen_subnet_mask_long($mask);
- $ip1 = long2ip($baselong + 1);
- $ip2 = long2ip($baselong + 2);
+ $baselong = ip2long32($ip) & gen_subnet_mask_long($mask);
+ $ip1 = long2ip32($baselong + 1);
+ $ip2 = long2ip32($baselong + 2);
$conf .= "ifconfig-push {$ip1} {$ip2}\n";
}
diff --git a/etc/inc/util.inc b/etc/inc/util.inc
index 930f9ac..0828bbf 100644
--- a/etc/inc/util.inc
+++ b/etc/inc/util.inc
@@ -198,7 +198,7 @@ function gen_subnet_max($ipaddr, $bits) {
if (!is_ipaddr($ipaddr) || !is_numeric($bits))
return "";
- return long2ip(ip2long($ipaddr) | ~gen_subnet_mask_long($bits));
+ return long2ip32(ip2long($ipaddr) | ~gen_subnet_mask_long($bits));
}
/* returns a subnet mask (long given a bit count) */
@@ -216,9 +216,19 @@ function gen_subnet_mask($bits) {
return long2ip(gen_subnet_mask_long($bits));
}
+/* Convert long int to IP address, truncating to 32-bits. */
+function long2ip32($ip) {
+ return long2ip($ip & 0xFFFFFFFF);
+}
+
+/* Convert IP address to long int, truncated to 32-bits to avoid sign extension on 64-bit platforms. */
+function ip2long32($ip) {
+ return ( ip2long($ip) & 0xFFFFFFFF );
+}
+
/* Convert IP address to unsigned long int. */
function ip2ulong($ip) {
- return sprintf("%u", ip2long($ip));
+ return sprintf("%u", ip2long32($ip));
}
/* Find out how many IPs are contained within a given IP range
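Review bot: `ip2long32()` hides the failure value of `ip2long()`: for an unparsable address `ip2long()` returns `false`, and `false & 0xFFFFFFFF` evaluates to 0, so the caller receives the integer form of 0.0.0.0 and cannot tell that parsing failed. `ip2ulong()` inherits this and returns "0" for bad input. Passing the failure through keeps the 32-bit truncation and lets callers validate: `$long = ip2long($ip); return ($long === false) ? false : ($long & 0xFFFFFFFF);`. The header comment on `ip2long32()` should also say what is returned for invalid input.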
@@ -246,12 +256,12 @@ function find_smallest_cidr($number) {
/* Return the previous IP address before the given address */
function ip_before($ip) {
- return long2ip(ip2long($ip)-1);
+ return long2ip32(ip2long($ip)-1);
}
/* Return the next IP address after the given address */
function ip_after($ip) {
- return long2ip(ip2long($ip)+1);
+ return long2ip32(ip2long($ip)+1);
}
/* Return true if the first IP is 'before' the second */
@@ -347,7 +357,7 @@ function is_ipaddr($ipaddr) {
return false;
$ip_long = ip2long($ipaddr);
- $ip_reverse = long2ip($ip_long);
+ $ip_reverse = long2ip32($ip_long);
if ($ipaddr == $ip_reverse)
return true;
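Review bot: The round-trip check in `is_ipaddr()` compares with `==` and never tests `$ip_long` for failure, so the validation relies on `long2ip32(false)` producing "0.0.0.0" and on loose comparison behaving like a string comparison. Since this function gates what the rest of the file treats as a valid address, an explicit `if ($ip_long === false) return false;` followed by `if ($ipaddr === $ip_reverse)` would be safer. That rules out type-juggling matches for non-string arguments. The start of the function is outside the hunk, so an earlier type check may already cover part of this.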
@@ -891,9 +901,9 @@ function check_subnets_overlap($subnet1, $bits1, $subnet2, $bits2) {
/* compare two IP addresses */
function ipcmp($a, $b) {
- if (ip2long($a) < ip2long($b))
+ if (ip_less_than($a, $b))
return -1;
- else if (ip2long($a) > ip2long($b))
+ else if (ip_greater_than($a, $b))
return 1;
else
return 0;
@@ -902,7 +912,7 @@ function ipcmp($a, $b) {
/* return true if $addr is in $subnet, false if not */
function ip_in_subnet($addr,$subnet) {
list($ip, $mask) = explode('/', $subnet);
- $mask = 0xffffffff << (32 - $mask);
+ $mask = (0xffffffff << (32 - $mask)) & 0xffffffff;
return ((ip2long($addr) & $mask) == (ip2long($ip) & $mask));
}
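Review bot: `ip_in_subnet()` still trusts the prefix length taken from `explode('/', $subnet)`, and the added `& 0xffffffff` makes one bad case fail open on 64-bit. If `$subnet` has no `/`, `$mask` is null, the shift count becomes 32, and the mask truncates to 0, so every address is reported as inside the subnet. A prefix above 32 gives a negative shift count, and a failed `ip2long()` on either side is compared as 0. Where this function backs an access decision it should reject malformed input rather than match, as sketched below. Callers that deliberately pass a bare address would need checking first.

```php
function ip_in_subnet($addr,$subnet) {
	$parts = explode('/', $subnet);
	/* require exactly "address/bits" with bits in 0..32 */
	if (count($parts) != 2 || !is_numeric($parts[1]) || $parts[1] < 0 || $parts[1] > 32)
		return false;
	$addr_long = ip2long($addr);
	$net_long = ip2long($parts[0]);
	/* an unparsable address must not compare equal to 0.0.0.0 */
	if ($addr_long === false || $net_long === false)
		return false;
	$mask = (0xffffffff << (32 - (int)$parts[1])) & 0xffffffff;
	return (($addr_long & $mask) == ($net_long & $mask));
}
```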
diff --git a/etc/inc/vpn.inc b/etc/inc/vpn.inc
index f2343e1..c874a83 100644
--- a/etc/inc/vpn.inc
+++ b/etc/inc/vpn.inc
@@ -343,8 +343,8 @@ function vpn_ipsec_configure($ipchg = false)
$pool_address = $a_client['pool_address'];
$pool_netmask = gen_subnet_mask($a_client['pool_netbits']);
- $pool_address = long2ip(ip2long($pool_address)+1);
- $pool_size = ~ip2long($pool_netmask) - 2;
+ $pool_address = long2ip32(ip2long($pool_address)+1);
+ $pool_size = (~ip2long($pool_netmask) & 0xFFFFFFFF) - 2;
$racoonconf .= "\tpool_size {$pool_size};\n";
$racoonconf .= "\tnetwork4 {$pool_address};\n";
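Review bot: `$pool_size` can still go negative after the 32-bit fix. For `pool_netbits` of 31 or 32 the inverted mask is 1 or 0, so `(~ip2long($pool_netmask) & 0xFFFFFFFF) - 2` yields -1 or -2, which is written straight into racoon.conf as `pool_size`. A guard before emitting the two pool lines, for example `if ($a_client['pool_netbits'] > 30)` followed by logging and skipping the pool, would keep an invalid value out of the generated config. The GUI may already restrict the prefix, which is not visible here. `vpn_ipsec_configure()` starts and ends outside this hunk.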
@@ -1012,7 +1012,7 @@ EOD;
for ($i = 0; $i < $pptpdcfg['n_pptp_units']; $i++) {
- $clientip = long2ip(ip2long($pptpdcfg['remoteip']) + $i);
+ $clientip = long2ip32(ip2long($pptpdcfg['remoteip']) + $i);
$mpdconf .= <<<EOD
@@ -1219,7 +1219,7 @@ EOD;
for ($i = 0; $i < $pppoecfg['n_pppoe_units']; $i++) {
- $clientip = long2ip(ip2long($pppoecfg['remoteip']) + $i);
+ $clientip = long2ip32(ip2long($pppoecfg['remoteip']) + $i);
if (isset ($pppoecfg['radius']['radiusissueips']) && isset ($pppoecfg['radius']['enable'])) {
$isssue_ip_type = "set ipcp ranges {$pppoecfg['localip']}/32 0.0.0.0/0";
@@ -1409,7 +1409,7 @@ EOD;
for ($i = 0; $i < $l2tpcfg['n_l2tp_units']; $i++) {
- $clientip = long2ip(ip2long($l2tpcfg['remoteip']) + $i);
+ $clientip = long2ip32(ip2long($l2tpcfg['remoteip']) + $i);
if (isset ($l2tpcfg['radius']['radiusissueips']) && isset ($l2tpcfg['radius']['enable'])) {
$isssue_ip_type = "set ipcp ranges {$l2tpcfg['localip']}/32 0.0.0.0/0";