From owner-freebsd-bugs Fri Jul 16 9:12: 9 1999 Delivered-To: freebsd-bugs@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 340B314C4F for ; Fri, 16 Jul 1999 09:12:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id JAA60271; Fri, 16 Jul 1999 09:10:02 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Date: Fri, 16 Jul 1999 09:10:02 -0700 (PDT) Message-Id: <199907161610.JAA60271@freefall.freebsd.org> To: freebsd-bugs@FreeBSD.org Cc: From: John Polstra Subject: Re: misc/10231: inet_addr() doesn't check for illegal values in Reply-To: John Polstra Sender: owner-freebsd-bugs@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The following reply was made to PR misc/10231; it has been noted by GNATS. From: John Polstra To: Nick Hibma Cc: philipp@mirapoint.com, jdp@FreeBSD.org, wpaul@FreeBSD.org, freebsd-gnats-submit@FreeBSD.org Subject: Re: misc/10231: inet_addr() doesn't check for illegal values in Date: Fri, 16 Jul 1999 08:59:53 -0700 (PDT) Nick Hibma wrote: > Any comments on this PR? > > > Synopsis: > > Input passed to inet_addr() is not correctly checked for > validity. For instance, 437458475894848475 would be accepted, > even though it will overflow a 32bit quantity. > > Likewise, on a four-part dotted-quad only the last integer > is checked for correctness. Yes, it's a bug. The patch has the right idea but it isn't quite right in all the details. For example, in the first chunk of the patch: *** 115,123 **** --- 115,127 ---- } for (;;) { if (isascii(c) && isdigit(c)) { + if (val >= (ULONG_MAX) / base) + return (0); val = (val * base) + (c - '0'); c = *++cp; } else if (base == 16 && isascii(c) && isxdigit(c)) { + if (val >= (ULONG_MAX) / base) + return (0); val = (val << 4) | (c + 10 - (islower(c) ? 'a' : 'A')); c = *++cp; overflow won't be detected if (val == ULONG_MAX / base) and c is not '0'. A simpler and more reliable check would be this: u_int32_t val; /* Notice the new type of this variable */ u_int32_t oldval; ... if (isascii(c) && isdigit(c)) { oldval = val; val = val * base + c - '0'; if (val < oldval) return (0); c = *++cp; } ... and so forth. Also, in the second chunk of the patch, under case 3, there's a bug. The line should read: if (parts[0] > 0xff || parts[1] > 0xff || val > 0xffff) John To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-bugs" in the body of the message