Date:      Fri, 16 Jul 1999 09:10:02 -0700 (PDT)
From:      John Polstra <jdp@polstra.com>
To:        freebsd-bugs@FreeBSD.org
Subject:   Re: misc/10231: inet_addr() doesn't check for illegal values in 
Message-ID:  <199907161610.JAA60271@freefall.freebsd.org>


The following reply was made to PR misc/10231; it has been noted by GNATS.

From: John Polstra <jdp@polstra.com>
To: Nick Hibma <nick.hibma@jrc.it>
Cc: philipp@mirapoint.com, jdp@FreeBSD.org, wpaul@FreeBSD.org,
	freebsd-gnats-submit@FreeBSD.org
Subject: Re: misc/10231: inet_addr() doesn't check for illegal values in 
Date: Fri, 16 Jul 1999 08:59:53 -0700 (PDT)

 Nick Hibma wrote:
 > Any comments on this PR?
 > 
 > 
 > Synopsis:
 > 
 > Input passed to inet_addr() is not correctly checked for
 > validity.  For instance, 437458475894848475 would be accepted,
 > even though it will overflow a 32bit quantity.
 > 
 > Likewise, on a four-part dotted-quad only the last integer
 > is checked for correctness.
 
 Yes, it's a bug.  The patch has the right idea but it isn't quite
 right in all the details.  For example, in the first chunk of the
 patch:
 
 *** 115,123 ****
 --- 115,127 ----
                 }
                 for (;;) {
                         if (isascii(c) && isdigit(c)) {
 +                               if (val >= (ULONG_MAX) / base)
 +                                       return (0);
                                 val = (val * base) + (c - '0');
                                 c = *++cp;
                         } else if (base == 16 && isascii(c) && isxdigit(c)) {
 +                               if (val >= (ULONG_MAX) / base)
 +                                       return (0);
                                 val = (val << 4) |
                                         (c + 10 - (islower(c) ? 'a' : 'A'));
                                 c = *++cp;
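
Review bot: both added guards compare val against ULONG_MAX / base, which bounds it by the width of unsigned long rather than by the 32-bit address the function produces; where unsigned long is 64 bits and val is that wide, the 437458475894848475 from the synopsis never trips either check. The `>=` also ignores the incoming digit, so with a 32-bit limit and base 10 it rejects 4294967295, which fits. Suggest bounding against a fixed 32-bit maximum and taking the digit into account, for example `if (val > (0xffffffff - digit) / base) return (0);`, applied the same way in the hex branch.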
 
 overflow won't be detected if (val == ULONG_MAX / base) and c is not '0'.
 A simpler and more reliable check would be this:
 
         u_int32_t val;          /* Notice the new type of this variable */
         u_int32_t oldval;
 ...
         if (isascii(c) && isdigit(c)) {
                 oldval = val;
                 val = val * base + c - '0';
                 if (val < oldval)
                         return (0);
                 c = *++cp;
         } ...
 
 and so forth.
 
 Also, in the second chunk of the patch, under case 3, there's a bug.
 The line should read:
 
         if (parts[0] > 0xff || parts[1] > 0xff || val > 0xffff)
 
 John
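
An added example, not part of the original message or the FreeBSD source: one way to reject overflow in a numeric address component is to test the bound before multiplying. `parse_part32` and `wrap_compare_flags` are hypothetical names; the second performs one step of a compare-after-multiply check, which a wrapped product can pass.

```c
#include <ctype.h>
#include <stdint.h>

/*
 * Parse one numeric component (decimal, 0-prefixed octal, 0x-prefixed hex)
 * into 32 bits. Returns 1 on success, 0 on a bad digit or overflow.
 * Hypothetical helper for illustration, not a libc function.
 */
static int
parse_part32(const char *cp, uint32_t *out)
{
	uint32_t val = 0, digit, base = 10;
	int ndigits = 0;

	if (cp[0] == '0' && (cp[1] == 'x' || cp[1] == 'X')) {
		base = 16;
		cp += 2;
	} else if (cp[0] == '0' && cp[1] != '\0') {
		base = 8;
		cp++;
	}
	for (; *cp != '\0'; cp++, ndigits++) {
		unsigned char c = (unsigned char)*cp;

		if (isdigit(c))
			digit = c - '0';
		else if (base == 16 && isxdigit(c))
			digit = 10 + (uint32_t)(tolower(c) - 'a');
		else
			return (0);
		if (digit >= base)
			return (0);
		/* Test before multiplying: val * base + digit must fit. */
		if (val > (UINT32_MAX - digit) / base)
			return (0);
		val = val * base + digit;
	}
	if (ndigits == 0)
		return (0);
	*out = val;
	return (1);
}

/* One step of a compare-after-multiply check; 1 means it flagged a wrap. */
static int
wrap_compare_flags(uint32_t oldval, uint32_t base, uint32_t digit)
{
	uint32_t val = oldval * base + digit;
	return (val < oldval);
}
```

With constructed inputs, 536870912 * 10 wraps to 1073741824, which is larger than the old value, so the after-the-fact comparison does not flag it, while the pre-multiplication bound rejects "5368709120".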
 