Fix libpcap issue #893: check for invalid IPv4 addresses.

This fixes errors such as: tcpdump -i lagg0 net 999.999.999.999 This was originally discovered on a Red Hat 7.7 server and verified to also be a bug on FreeBSD. Obtained from: https://github.com/the-tcpdump-group/libpcap/commit/ \ 07070918d5e81a515315b395f334e52589fe0fb Fixed by: https://github.com/guyharris
2019-12-19 00:11:18 +00:00 · 2019-12-19 00:11:18 +00:00 · 20616273d5
commit 20616273d5
parent 30a580a870
2 changed files with 16 additions and 2 deletions
--- a/gencode.c
+++ b/gencode.c
@ -6955,11 +6955,15 @@ gen_mcode(compiler_state_t *cstate, const char *s1, const char *s2,
 		return (NULL);

 	nlen = __pcap_atoin(s1, &n);
+	if (nlen < 0)
+		bpf_error(cstate, "invalid IPv4 address '%s'", s1);
 	/* Promote short ipaddr */
 	n <<= 32 - nlen;

 	if (s2 != NULL) {
 		mlen = __pcap_atoin(s2, &m);
+		if (mlen < 0)
+			bpf_error(cstate, "invalid IPv4 address '%s'", s2);
 		/* Promote short ipaddr */
 		m <<= 32 - mlen;
 		if ((n & ~m) != 0)
@ -7017,8 +7021,11 @@ gen_ncode(compiler_state_t *cstate, const char *s, bpf_u_int32 v, struct qual q)
 		vlen = __pcap_atodn(s, &v);
 		if (vlen == 0)
 			bpf_error(cstate, "malformed decnet address '%s'", s);
-	} else
+	} else {
 		vlen = __pcap_atoin(s, &v);
+		if (vlen < 0)
+			bpf_error(cstate, "invalid IPv4 address '%s'", s);
+	}

 	switch (q.addr) {

--- a/nametoaddr.c
+++ b/nametoaddr.c
@ -653,8 +653,15 @@ __pcap_atoin(const char *s, bpf_u_int32 *addr)
 	len = 0;
 	for (;;) {
 		n = 0;
-		while (*s && *s != '.')
+		while (*s && *s != '.') {
+			if (n > 25) {
+				/* The result will be > 255 */
+				return -1;
+			}
 			n = n * 10 + *s++ - '0';
+		}
+		if (n > 255)
+			return -1;
 		*addr <<= 8;
 		*addr |= n & 0xff;
 		len += 8;