From: Benjamin Kaduk Date: Sun, 22 Nov 2015 20:23:49 +0000 (-0600) Subject: cellconfig: check for invalid dotted quads X-Git-Tag: upstream/1.8.0_pre1^2~163 X-Git-Url: https://git.michaelhowe.org/gitweb/?a=commitdiff_plain;h=97150150e6d12cbbc0c4a5af3424c9bf1e56918c;p=packages%2Fo%2Fopenafs.git cellconfig: check for invalid dotted quads IP addresses entered into the CellServDB with components larger than 255 would silently be trucated down to 8-bit unsigned integer representations. This could cause confusing behavior with occasional hangs. FIXES 131794 Change-Id: I44834cb4662e178fdb4be2eeb03ad58d2fa7c556 Reviewed-on: http://gerrit.openafs.org/12109 Reviewed-by: Chas Williams <3chas3@gmail.com> Reviewed-by: Michael Meffie Reviewed-by: Benjamin Kaduk Tested-by: BuildBot
---
diff --git a/src/auth/cellconfig.c b/src/auth/cellconfig.c
index ca9dc04ed..80b6e1e98 100644
--- a/src/auth/cellconfig.c
+++ b/src/auth/cellconfig.c
@@ -843,7 +843,8 @@ static int
 ParseHostLine(char *aline, struct sockaddr_in *addr, char *aname,
 char *aclone)
 {
- int c1, c2, c3, c4;
+ int i;
+ int c[4];
 afs_int32 code;
 char *tp;
 
@@ -851,25 +852,34 @@ ParseHostLine(char *aline, struct sockaddr_in *addr, char *aname,
 if (aclone)
 *aclone = 1;
 /* FIXME: length of aname unknown here */
- code = sscanf(aline, "[%d.%d.%d.%d] #%s", &c1, &c2, &c3, &c4, aname);
+ code = sscanf(aline, "[%d.%d.%d.%d] #%s", &c[0], &c[1], &c[2], &c[3],
+ aname);
 } else {
 if (aclone)
 *aclone = 0;
 /* FIXME: length of aname unknown here */
- code = sscanf(aline, "%d.%d.%d.%d #%s", &c1, &c2, &c3, &c4, aname);
+ code = sscanf(aline, "%d.%d.%d.%d #%s", &c[0], &c[1], &c[2], &c[3],
+ aname);
 }
 if (code != 5)
 return AFSCONF_SYNTAX;
+ for(i = 0; i < 4; ++i) {
+ if (c[i] < 0 || c[i] > 255) {
+ fprintf(stderr, "Illegal IP address %d.%d.%d.%d\n", c[0], c[1],
+ c[2], c[3]);
+ return AFSCONF_SYNTAX;
+ }
+ }
 addr->sin_family = AF_INET;
 addr->sin_port = 0;
 #ifdef STRUCT_SOCKADDR_HAS_SA_LEN
 addr->sin_len = sizeof(struct sockaddr_in);
 #endif
 tp = (char *)&addr->sin_addr;
- *tp++ = c1;
- *tp++ = c2;
- *tp++ = c3;
- *tp++ = c4;
+ *tp++ = c[0];
+ *tp++ = c[1];
+ *tp++ = c[2];
+ *tp++ = c[3];
 return 0;
 }
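Review bot: The new 0..255 loop only sees what `%d` stored, and `sscanf` leaves the result undefined when a component does not fit in an `int`, so an overlong digit string in a CellServDB line can, depending on the libc, come out as a value inside 0..255 and pass the check. Bounding the conversions closes that gap, e.g. `"[%3d.%3d.%3d.%3d] #%s"` and `"%3d.%3d.%3d.%3d #%s"` in the two `sscanf` calls, so a component longer than three digits fails the existing `code != 5` test instead. The trailing `#%s` into `aname` is still an unbounded write, as the retained FIXME comments say; it needs a field width tied to the caller's buffer, whose size is not visible from this hunk. ParseHostLine begins before this hunk, so its signature, declarations and the `if (*aline == '[')` test are not shown here.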