This repository has been archived by the owner on Feb 29, 2024. It is now read-only.

VULN-8286: Prevent oob read when validating IP ranges
dhaynespls committed Oct 18, 2021
1 parent 69bf56a commit 2882307
Showing 2 changed files with 17 additions and 4 deletions.
8 changes: 7 additions & 1 deletion validator/lib/cert.go
Expand Up @@ -62,7 +62,10 @@ func (ipn *IPNet) GetAfi() uint8 {
}

func (ipn *IPNet) GetRange() (net.IP, net.IP, bool) {
min, max := GetRangeIP(ipn.IPNet)
err, min, max := GetRangeIP(ipn.IPNet)
if err != nil {
return nil, nil, false
}
return min, max, false
}

Expand Down Expand Up @@ -474,6 +477,9 @@ func ValidateIPCertificateList(list []IPCertificateInformation, parent *RPKICert
valids = append(valids, ip)
continue
}
if min == nil && max == nil {
invalids = append(invalids, ip)
}
valid, checkParent := parent.IsIPRangeInCertificate(min, max)
if valid {
valids = append(valids, ip)
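Review bot: The nil-range branch added at `if min == nil && max == nil` appends the entry to invalids but does not `continue`, so the same entry still reaches `parent.IsIPRangeInCertificate(min, max)` with nil bounds and can be appended to valids or checkParents as well; add `continue` after the append. The roa.go hunk in ValidateIPRoaCertificateList has the same omission after `invalids = append(invalids, entry)`. Whether IsIPRangeInCertificate tolerates a nil min and max is not visible here, so without the `continue` the error path depends on it. The enclosing loop of ValidateIPCertificateList starts and ends outside the hunk.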
13 changes: 10 additions & 3 deletions validator/lib/roa.go
Expand Up @@ -133,17 +133,21 @@ func EncodeROAEntries(asn int, entries []*ROAEntry) (*ROA, error) {
return roa, nil
}

func GetRangeIP(ipnet *net.IPNet) (net.IP, net.IP) {
func GetRangeIP(ipnet *net.IPNet) (error, net.IP, net.IP) {
ip := ipnet.IP
mask := ipnet.Mask

beginIP := make([]byte, len(ip))
endIP := make([]byte, len(ip))
for i := range []byte(ip) {
// GHSA-w6ww-fmfx-2x22: Prevent oob read
if i >= len(mask) {
return errors.New("Invalid IP address mask"), nil, nil
}
beginIP[i] = ip[i] & mask[i]
endIP[i] = ip[i] | ^mask[i]
}
return net.IP(beginIP), net.IP(endIP)
return nil, net.IP(beginIP), net.IP(endIP)
}

// https://tools.ietf.org/html/rfc6480#section-2.3
Expand Down Expand Up @@ -191,7 +195,10 @@ func ValidateIPRoaCertificateList(entries []*ROAEntry, cert *RPKICertificate) ([
invalids := make([]*ROAEntry, 0)
checkParents := make([]*ROAEntry, 0)
for _, entry := range entries {
min, max := GetRangeIP(entry.IPNet)
err, min, max := GetRangeIP(entry.IPNet)
if err != nil {
invalids = append(invalids, entry)
}
valid, checkParent := cert.IsIPRangeInCertificate(min, max)
if valid {
valids = append(valids, entry)
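Review bot: `GetRangeIP` now returns `(error, net.IP, net.IP)` with the error first, which goes against the Go convention of the error being the last result and is flagged by staticcheck (ST1008); prefer `func GetRangeIP(ipnet *net.IPNet) (net.IP, net.IP, error)` and adjust the two callers changed in this commit, GetRange and ValidateIPRoaCertificateList, to match. The new error string `"Invalid IP address mask"` should also be lowercase per convention. The guard itself is right for the case it names, a mask shorter than the address, and a longer mask cannot overrun the loop since it indexes by the address length. A doc comment such as `// GetRangeIP returns the first and last address of ipnet, or an error when the mask is shorter than the address.` would record why the check exists.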
