From: Guus Sliepen
Date: Mon, 26 Jul 2021 13:01:12 +0000 (+0200)
Subject: Avoid a stack overflow when presented with a malformed IPv6 Subnet.
X-Git-Url: https://tinc-vpn.org/git/browse?p=tinc;a=commitdiff_plain;h=04b588ea6be2ebd62922b638eae90a6a47326370

Avoid a stack overflow when presented with a malformed IPv6 Subnet.

Found by Kirill Isakov using AFL and AddressSanitizer.
---

diff --git a/src/subnet_parse.c b/src/subnet_parse.c
index d877c7fd..044d6e72 100644
--- a/src/subnet_parse.c
+++ b/src/subnet_parse.c
@@ -306,6 +306,11 @@ bool str2net(subnet_t *subnet, const char *subnetstr) {
 
 char *last_colon = strrchr(str, ':');
 
+ /* Check that the last colon is not further than possible in an IPv6 address */
+ if(last_colon >= str + 5 * 8) {
+ return false;
+ }
+
 if(last_colon && sscanf(last_colon, ":%hu.%hu.%hu.%hu%n", &x[0], &x[1], &x[2], &x[3], &consumed) >= 4 && !last_colon[consumed]) {
 /* Dotted quad suffix notation, convert to standard IPv6 notation */
 for(int i = 0; i < 4; i++)
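Review bot: The added bound check compares `last_colon` relationally against `str + 5 * 8` before anything has ruled out NULL, although `strrchr()` returns NULL when the string contains no colon and the very next statement guards for that with `last_colon &&`. A relational comparison between a null pointer and a pointer into `str` is undefined in C even if it happens to evaluate false on common targets, so I would write the guard as `if(last_colon && last_colon - str >= 5 * 8) {`. The `5 * 8` limit also deserves a named constant or a fuller comment, for example `/* 8 groups of at most 4 hex digits plus one separator each */`, if that is the intended derivation. The body of `str2net` and the declaration of `str` lie outside the hunk, so it cannot be confirmed from here that this bound is tight enough for the write that overflowed; a regression test using the malformed subnet string from the fuzzer would pin that down.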