IPv6 address validation is wrong #39184

Closed as not planned
@DemiMarie

Description:
Envoy tries to validate IPv6 addresses in headers, but it does so incorrectly. It both accepts invalid IPv6 addresses (such as 1:2) and rejects valid ones (such as ::1:1:1:1:1:1:1).

I recommend checking that the buffer does not have NUL or . and is less than 40 bytes, then copying to a 40-byte buffer, adding a NUL terminator, and calling inet_pton(AF_INET6, buf, &value). This will use the libc inet_pton() function, which validates IPv6 addresses correctly. If calling this function on untrusted input is not an option due to security concerns, it is possible to implement IPv6 address validation directly in C++, but the libc code would likely be more battle-tested.

If checking that the address is canonical is desired, the simplest approach is to convert the IPv6 address to numeric form, check that the numeric form is not in ::ffff:0:0/96 (IPv4-mapped) and not in ::/96 (IPv4-compatible), convert back to text with inet_ntop, and check that the result is the same as what was provided.

Repro steps:
Use one of the above-mentioned addresses as the IPv6 address part of a Host: header.

Admin and Stats Output:
N/A as this was found by code review.

Config:
N/A

Logs:
N/A

Call Stack:
N/A
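
The validation and canonical-form check recommended in this issue, as an added example that is not part of the original issue and is not Envoy code. The names `check_ipv6` and `v6_result` are hypothetical, and `2001:db8::1` is a constructed sample input.

```c
/* Added example, not Envoy code; check_ipv6 and v6_result are hypothetical names. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

enum v6_result { V6_INVALID, V6_VALID, V6_CANONICAL };

/* p/len is a length-delimited slice of a header value, not a C string. */
static enum v6_result check_ipv6(const char *p, size_t len)
{
    static const unsigned char zero10[10];
    char buf[40], canon[INET6_ADDRSTRLEN];   /* 39 chars max + NUL */
    struct in6_addr a;

    if (len == 0 || len >= sizeof buf)
        return V6_INVALID;
    /* NUL would truncate the copy; '.' excludes dotted-quad forms. */
    if (memchr(p, '\0', len) || memchr(p, '.', len))
        return V6_INVALID;
    memcpy(buf, p, len);
    buf[len] = '\0';
    if (inet_pton(AF_INET6, buf, &a) != 1)
        return V6_INVALID;

    /* Canonical test as described: not in ::/96 or ::ffff:0:0/96
       (taken literally this also excludes :: and ::1), then round-trip. */
    if (memcmp(a.s6_addr, zero10, 10) == 0 &&
        ((a.s6_addr[10] == 0x00 && a.s6_addr[11] == 0x00) ||
         (a.s6_addr[10] == 0xff && a.s6_addr[11] == 0xff)))
        return V6_VALID;
    if (inet_ntop(AF_INET6, &a, canon, sizeof canon) == NULL)
        return V6_VALID;
    return strcmp(canon, buf) == 0 ? V6_CANONICAL : V6_VALID;
}

int main(void)
{
    /* The two addresses from the issue, plus one constructed sample. */
    const char *in[] = { "1:2", "::1:1:1:1:1:1:1", "2001:db8::1" };
    for (size_t i = 0; i < sizeof in / sizeof in[0]; i++)
        printf("%-18s -> %d\n", in[i], check_ipv6(in[i], strlen(in[i])));
    return 0;
}
```

`V6_VALID` means the text parses as an IPv6 address but is not in the form `inet_ntop` would emit, so a caller that requires canonical input rejects everything except `V6_CANONICAL`.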
