Date: Tue, 23 Feb 1999 09:15:12 -0800
From: "Philip A. Prindeville" <philipp@mirapoint.com>
To: FreeBSD-gnats-submit@freebsd.org
Subject: misc/10231: [PATCH] inet_addr() doesn't check for illegal values in input
Message-ID: <36D2E220.9A563E10@mirapoint.com>
>Number: 10231
>Category: misc
>Synopsis: inet_addr() doesn't check for illegal values in input
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Tue Feb 23 15:20:00 PST 1999
>Closed-Date:
>Last-Modified:
>Originator: Philip A. Prindeville
>Release: FreeBSD 2.2.8-RELEASE i386
>Organization:
Mirapoint, Inc.
>Environment:
FreeBSD putois.mirapoint.com 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE #0: Mon Nov 30 06:34:08 GMT 1998 jkh@time.cdrom.com:/usr/src/sys/compile/GENERIC i386
>Description:
Input passed to inet_addr() is not correctly checked for
validity. For instance, 437458475894848475 would be accepted,
even though it will overflow a 32-bit quantity.
Likewise, on a four-part dotted-quad only the last integer
is checked for correctness.
>How-To-Repeat:
Call inet_addr("3493748787895789475489") and it won't return
INADDR_NONE. Similarly, inet_addr("257.0.0.10") will return
0x0100000a... (on non-Intel machines, anyway)
>Fix:
The following patch ensures that 32 bits are never overflowed,
and that the higher-order quads in a tuple, triple, or quadruple
don't exceed 8 bits.
*** inet_addr.c# Wed Feb 3 10:18:21 1999
--- inet_addr.c Tue Feb 23 07:57:16 1999
***************
*** 115,123 ****
--- 115,127 ----
}
for (;;) {
if (isascii(c) && isdigit(c)) {
+ if (val >= (ULONG_MAX) / base)
+ return (0);
val = (val * base) + (c - '0');
c = *++cp;
} else if (base == 16 && isascii(c) && isxdigit(c)) {
+ if (val >= (ULONG_MAX) / base)
+ return (0);
val = (val << 4) |
(c + 10 - (islower(c) ? 'a' : 'A'));
c = *++cp;
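Review bot: The guard `if (val >= (ULONG_MAX) / base)` added to both digit branches is not an exact overflow test, and it bounds an unsigned long rather than 32 bits. It ignores the digit about to be added and rejects val equal to ULONG_MAX / base even when val * base plus that digit still fits, so the top few representable values are refused; the exact form is `val > (ULONG_MAX - digit) / base`. Where unsigned long is wider than 32 bits, this guard alone lets values above 0xffffffff through, so the stated goal of never overflowing 32 bits needs an explicit 0xffffffff bound as well. The hunk also relies on ULONG_MAX without showing an include of <limits.h>; please confirm the file already has it.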
***************
*** 157,175 ****
break;
case 2: /* a.b -- 8.24 bits */
! if (val > 0xffffff)
return (0);
val |= parts[0] << 24;
break;
case 3: /* a.b.c -- 8.8.16 bits */
! if (val > 0xffff)
return (0);
val |= (parts[0] << 24) | (parts[1] << 16);
break;
case 4: /* a.b.c.d -- 8.8.8.8 bits */
! if (val > 0xff)
return (0);
val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
break;
--- 161,180 ----
break;
case 2: /* a.b -- 8.24 bits */
! if (parts[0] > 0xff || val > 0xffffff)
return (0);
val |= parts[0] << 24;
break;
case 3: /* a.b.c -- 8.8.16 bits */
! if (parts[0] > 0xff || parts[1] || val > 0xffff)
return (0);
val |= (parts[0] << 24) | (parts[1] << 16);
break;
case 4: /* a.b.c.d -- 8.8.8.8 bits */
! if (parts[0] > 0xff || parts[1] > 0xff || parts[2] > 0xff
! || val > 0xff)
return (0);
val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8);
break;
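Review bot: In the new `case 3` test, `parts[1]` is tested for being nonzero rather than for exceeding 8 bits, so every a.b.c address with a nonzero second part (10.1.2, for instance) is now rejected. The condition should mirror the `case 4` test and read `if (parts[0] > 0xff || parts[1] > 0xff || val > 0xffff)`. The `case 2` and `case 4` conditions look consistent with the 8.24 and 8.8.8.8 layouts named in their comments.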
>Release-Note:
>Audit-Trail:
>Unformatted:
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?36D2E220.9A563E10>
