From owner-freebsd-bugs Tue Feb 23 15:20: 3 1999 Delivered-To: freebsd-bugs@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 33877113A9 for ; Tue, 23 Feb 1999 15:20:01 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.9.2/8.9.2) id PAA53423; Tue, 23 Feb 1999 15:20:01 -0800 (PST) (envelope-from gnats@FreeBSD.org) Received: from mail.mirapoint.com (mail.mirapoint.com [209.157.59.162]) by hub.freebsd.org (Postfix) with ESMTP id 96BF410EA2 for ; Tue, 23 Feb 1999 15:14:09 -0800 (PST) (envelope-from philipp@mirapoint.com) Received: from mirapoint.com (putois.mirapoint.com [192.168.0.96]) by mail.mirapoint.com (1.0.0/1.0.Beta1) with ESMTP id ADJ00733 Tue, 23 Feb 1999 15:14:08 -0800 (PST) Message-Id: <36D2E220.9A563E10@mirapoint.com> Date: Tue, 23 Feb 1999 09:15:12 -0800 From: "Philip A. Prindeville" To: FreeBSD-gnats-submit@freebsd.org Subject: misc/10231: [PATCH] inet_addr() doesn't check for illegal values in input Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org >Number: 10231 >Category: misc >Synopsis: inet_addr() doesn't check for illegal values in input >Confidential: no >Severity: non-critical >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Tue Feb 23 15:20:00 PST 1999 >Closed-Date: >Last-Modified: >Originator: Philip A. Prindeville >Release: FreeBSD 2.2.8-RELEASE i386 >Organization: Mirapoint, Inc. >Environment: FreeBSD putois.mirapoint.com 2.2.8-RELEASE FreeBSD 2.2.8-RELEASE #0: Mon Nov 30 06:34:08 GMT 1998 jkh@time.cdrom.com:/usr/src/sys/compile/GENERIC i386 >Description: Input passed to inet_addr() is not correctly checked for validity. For instance, 437458475894848475 would be accepted, even though it will overflow a 32bit quantity. Likewise, on a four-part dotted-quad only the last integer is checked for correctness. >How-To-Repeat: call inet_addr("3493748787895789475489") and it won't return INADDR_NONE. Similarly, inet_addr("257.0.0.10") will return 0x0100000a... (on non-intel machines, anyway) >Fix: The following patch ensures that 32bits are never overflowed, and that the higher-order quads in a tuple, triple, or quadruple don't exceed 8 bits. --------------817090D209D8472FD395DE10 Content-Type: text/plain; charset=us-ascii; name="patches" Content-Disposition: inline; filename="patches" Content-Transfer-Encoding: 7bit *** inet_addr.c# Wed Feb 3 10:18:21 1999 --- inet_addr.c Tue Feb 23 07:57:16 1999 *************** *** 115,123 **** --- 115,127 ---- } for (;;) { if (isascii(c) && isdigit(c)) { + if (val >= (ULONG_MAX) / base) + return (0); val = (val * base) + (c - '0'); c = *++cp; } else if (base == 16 && isascii(c) && isxdigit(c)) { + if (val >= (ULONG_MAX) / base) + return (0); val = (val << 4) | (c + 10 - (islower(c) ? 'a' : 'A')); c = *++cp; *************** *** 157,175 **** break; case 2: /* a.b -- 8.24 bits */ ! if (val > 0xffffff) return (0); val |= parts[0] << 24; break; case 3: /* a.b.c -- 8.8.16 bits */ ! if (val > 0xffff) return (0); val |= (parts[0] << 24) | (parts[1] << 16); break; case 4: /* a.b.c.d -- 8.8.8.8 bits */ ! if (val > 0xff) return (0); val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8); break; --- 161,180 ---- break; case 2: /* a.b -- 8.24 bits */ ! if (parts[0] > 0xff || val > 0xffffff) return (0); val |= parts[0] << 24; break; case 3: /* a.b.c -- 8.8.16 bits */ ! if (parts[0] > 0xff || parts[1] || val > 0xffff) return (0); val |= (parts[0] << 24) | (parts[1] << 16); break; case 4: /* a.b.c.d -- 8.8.8.8 bits */ ! if (parts[0] > 0xff || parts[1] > 0xff || parts[2] > 0xff ! || val > 0xff) return (0); val |= (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8); break; --------------817090D209D8472FD395DE10-- >Release-Note: >Audit-Trail: >Unformatted: This is a multi-part message in MIME format. --------------817090D209D8472FD395DE10 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message