author | Daijiro Wachi <daijiro.wachi@gmail.com> | 2017-04-14 18:12:16 +0200 |
---|---|---|
committer | Daijiro Wachi <daijiro.wachi@gmail.com> | 2017-04-14 18:12:16 +0200 |
commit | 1b99d8ffe9647aa075408b5551e81ef70242eec2 (patch) | |
tree | d263881ce614b54bf6bd5c658a8b3ece02d2db9d /src | |
parent | 1ae172b272f17fe8bb82a0f79b8d7e0bc2fb17ec (diff) | |
url: disallow invalid IPv4 in IPv6 parser
Fixes: https://github.com/nodejs/node/issues/10655
PR-URL: https://github.com/nodejs/node/pull/12315
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl>
Reviewed-By: James M Snell <jasnell@gmail.com>
Reviewed-By: Timothy Gu <timothygu99@gmail.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/node_url.cc | 26 |
1 files changed, 14 insertions, 12 deletions
diff --git a/src/node_url.cc b/src/node_url.cc
index 16a4cdd45b..39f56ece67 100644
--- a/src/node_url.cc
+++ b/src/node_url.cc
@@ -110,7 +110,7 @@ namespace url {
 uint16_t* compress_pointer = nullptr;
 const char* pointer = input;
 const char* end = pointer + length;
- unsigned value, len, swaps, dots;
+ unsigned value, len, swaps, numbers_seen;
 char ch = pointer < end ? pointer[0] : kEOL;
 if (ch == ':') {
 if (length < 2 || pointer[1] != ':')
@@ -148,9 +148,17 @@ namespace url {
 ch = pointer < end ? pointer[0] : kEOL;
 if (piece_pointer > last_piece - 2)
 goto end;
- dots = 0;
+ numbers_seen = 0;
 while (ch != kEOL) {
 value = 0xffffffff;
+ if (numbers_seen > 0) {
+ if (ch == '.' && numbers_seen < 4) {
+ pointer++;
+ ch = pointer < end ? pointer[0] : kEOL;
+ } else {
+ goto end;
+ }
+ }
 if (!ASCII_DIGIT(ch))
 goto end;
 while (ASCII_DIGIT(ch)) {
@@ -167,19 +175,13 @@ namespace url {
 pointer++;
 ch = pointer < end ? pointer[0] : kEOL;
 }
- if (dots < 3 && ch != '.')
- goto end;
 *piece_pointer = *piece_pointer * 0x100 + value;
- if (dots & 0x1)
+ numbers_seen++;
+ if (numbers_seen == 2 || numbers_seen == 4)
 piece_pointer++;
- if (ch != kEOL) {
- pointer++;
- ch = pointer < end ? pointer[0] : kEOL;
- }
- if (dots == 3 && ch != kEOL)
- goto end;
- dots++;
 }
+ if (numbers_seen != 4)
+ goto end;
 continue;
 case ':':
 pointer++;
|
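Review bot: The separator handling added at the top of the `while (ch != kEOL)` loop in the second hunk would read more directly as a guard clause, and it has no comment stating the grammar it enforces. Writing it as `if (ch != '.' || numbers_seen >= 4) goto end;` followed by the unconditional advance removes the `else` branch. A comment such as `// every octet after the first must be preceded by exactly one '.'; at most four octets` would record the rule. That rule is worth spelling out because code that makes allow/deny decisions on the parsed host presumably relies on this parser rejecting a trailing dot, an empty octet or a fifth octet instead of normalising them. The loop body continues past the end of this hunk, so the digit accumulation is not covered here.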
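Review bot: In the third hunk, the `numbers_seen == 2 || numbers_seen == 4` test that advances `piece_pointer` is undocumented, and the write through `*piece_pointer` just above it is only in bounds because of the `piece_pointer > last_piece - 2` check made before the loop (context of the second hunk). I would put `// two IPv4 octets fill one piece; room for both pieces was checked before the loop` above the `if`, assuming the pieces are 16-bit as the `uint16_t*` declaration nearby suggests. The new `if (numbers_seen != 4) goto end;` after the loop is the only thing rejecting a truncated dotted quad, so a short `// fewer than four octets is a parse failure` would help keep it through later refactors. Whether `value` is limited to 255 before the multiply-add is decided in the digit loop between the hunks, which is not visible here.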