From 8b42d414772b2ed85d99e05934875ad14183ad1e Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Sun, 8 Aug 2021 21:37:11 +0200
Subject: [PATCH 1/2] Ip4Address parser: reject 0-prefixed components Some parsers interpret these as octal, some don't, and the confusion can lead to vulnerabilities. Return error.NonCanonical when parsing IPv4 addresses with 0 prefixes
---
 lib/std/net.zig | 9 +++++++++
 lib/std/net/test.zig | 1 +
 2 files changed, 10 insertions(+)
diff --git a/lib/std/net.zig b/lib/std/net.zig
index 1b53399fd14b..c467c157c997 100644
--- a/lib/std/net.zig
+++ b/lib/std/net.zig
@@ -34,6 +34,7 @@ pub const Address = extern union {
 error.InvalidEnd,
 error.InvalidCharacter,
 error.Incomplete,
+ error.NonCanonical,
 => {},
 }
@@ -204,6 +205,7 @@ pub const Ip4Address = extern struct {
 var x: u8 = 0;
 var index: u8 = 0;
 var saw_any_digits = false;
+ var has_zero_prefix = false;
 for (buf) |c| {
 if (c == '.') {
 if (!saw_any_digits) {
@@ -216,7 +218,13 @@ pub const Ip4Address = extern struct {
 index += 1;
 x = 0;
 saw_any_digits = false;
+ has_zero_prefix = false;
 } else if (c >= '0' and c <= '9') {
+ if (c == '0' and !saw_any_digits) {
+ has_zero_prefix = true;
+ } else if (has_zero_prefix) {
+ return error.NonCanonical;
+ }
 saw_any_digits = true;
 x = try std.math.mul(u8, x, 10);
 x = try std.math.add(u8, x, c - '0');
@@ -1149,6 +1157,7 @@ fn linuxLookupNameFromHosts(
 error.Incomplete,
 error.InvalidIPAddressFormat,
 error.InvalidIpv4Mapping,
+ error.NonCanonical,
 => continue,
 };
 try addrs.append(LookupAddr{ .addr = addr });
diff --git a/lib/std/net/test.zig b/lib/std/net/test.zig
index 08722c9e317a..589efbf53e21 100644
--- a/lib/std/net/test.zig
+++ b/lib/std/net/test.zig
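Review bot: In the `@@ -34,6 +34,7 @@` hunk, `error.NonCanonical` joins the arm group that ends in `=> {}`, so the rejection is dropped and execution continues past the switch; patch 2/2 adds the same arm at `@@ -56,6 +56,7 @@`. The enclosing functions start and end outside both hunks, so the next step is inferred: if it retries the same string as IPv6 or as a host name, a zero-prefixed literal is refused only as IPv4 and is still handed on. If that input should stop here, give it its own arm, `error.NonCanonical => return error.NonCanonical,`; if falling through is intended, say so with a comment such as `// zero-prefixed IPv4: not an address, let the next parser decide`.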
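Review bot: The zero-prefix check in the `@@ -216,7 +218,13 @@` hunk has no comment, and `has_zero_prefix` is also set for a lone `0`, which stays valid only because the error is returned when a further digit follows. A short comment above the `if` would make that explicit, e.g. `// "0" is a valid component; "01" or "00" is not, because octal-aware parsers read it differently`. The new error also widens what the parser can return, which apparently matters to callers that switch on every error (patch 2/2 fixes one such switch), so the function's doc comment should list `error.NonCanonical`. The function's signature and doc comment are outside the hunk.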
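Review bot: With `error.NonCanonical` in the `=> continue` group of the `@@ -1149,6 +1157,7 @@` hunk, a hosts entry whose address has a zero-prefixed octet is now skipped without any signal, where before this series it produced an address. What the lookup consults after the hosts file is outside the hunk, but a name that an administrator pinned with such an entry would presumably be resolved some other way or not at all. A comment on the arm would record that this is deliberate, e.g. `// zero-prefixed IPv4 entries are ignored rather than guessed at`. `linuxLookupNameFromHosts` continues outside the hunk.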
@@ -92,6 +92,7 @@ test "parse and render IPv4 addresses" {
 try testing.expectError(error.InvalidEnd, net.Address.parseIp4("127.0.0.1.1", 0));
 try testing.expectError(error.Incomplete, net.Address.parseIp4("127.0.0.", 0));
 try testing.expectError(error.InvalidCharacter, net.Address.parseIp4("100..0.1", 0));
+ try testing.expectError(error.NonCanonical, net.Address.parseIp4("127.01.0.1", 0));
 }
 test "resolve DNS" {
From 166743282b6f4d295e53d514c64af039fa07db8f Mon Sep 17 00:00:00 2001
From: Frank Denis
Date: Mon, 9 Aug 2021 19:02:50 +0200
Subject: [PATCH 2/2] Handle error.NonCanonical after calling parseIp4()
---
 lib/std/net.zig | 1 +
 1 file changed, 1 insertion(+)
diff --git a/lib/std/net.zig b/lib/std/net.zig
index c467c157c997..fea033dc9cfc 100644
--- a/lib/std/net.zig
+++ b/lib/std/net.zig
@@ -56,6 +56,7 @@ pub const Address = extern union {
 error.InvalidEnd,
 error.InvalidCharacter,
 error.Incomplete,
+ error.NonCanonical,
 => {},
 }
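Review bot: The added assertion in the `@@ -92,6 +92,7 @@` hunk of lib/std/net/test.zig covers only `01` in a middle component. The check is per component and depends on the flag being reset after each `.`, so the first and last positions and the accepting side deserve a case each: `try testing.expectError(error.NonCanonical, net.Address.parseIp4("0127.0.0.1", 0));`, `try testing.expectError(error.NonCanonical, net.Address.parseIp4("127.0.0.00", 0));` and `_ = try net.Address.parseIp4("0.0.0.0", 0);`. The last one pins that a lone `0` component still parses.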