Corrected bug in checking the third number and added extra checks

for memory protection.

BUG=webrtc:5454

Review-Url: https://codereview.webrtc.org/1615653009
Cr-Commit-Position: refs/heads/master@{#12643}
dkirovbroadsoft 2016-05-06 06:12:21 -07:00 committed by Commit bot
parent dc7d0d2ef0
commit f2eae333a2


@ -2922,6 +2922,10 @@ bool UdpTransport::IsIpAddressValid(const char* ipadr, const bool ipV6)
// Store index of dots and count number of dots.
iDotPos[nDots++] = i;
}
else if (isdigit(ipadr[i]) == 0)
{
return false;
}
}
bool allUnder256 = false;
@ -2942,7 +2946,7 @@ bool UdpTransport::IsIpAddressValid(const char* ipadr, const bool ipV6)
memset(nr,0,4);
strncpy(nr,&ipadr[0],iDotPos[0]);
int32_t num = atoi(nr);
if (num > 255)
if (num > 255 || num < 0)
{
break;
}
@ -2956,7 +2960,7 @@ bool UdpTransport::IsIpAddressValid(const char* ipadr, const bool ipV6)
memset(nr,0,4);
strncpy(nr,&ipadr[iDotPos[0]+1], iDotPos[1] - iDotPos[0] - 1);
int32_t num = atoi(nr);
if (num > 255)
if (num > 255 || num < 0)
break;
} else {
break;
@ -2966,20 +2970,27 @@ bool UdpTransport::IsIpAddressValid(const char* ipadr, const bool ipV6)
{
char nr[4];
memset(nr,0,4);
strncpy(nr,&ipadr[iDotPos[1]+1], iDotPos[1] - iDotPos[0] - 1);
strncpy(nr,&ipadr[iDotPos[1]+1], iDotPos[2] - iDotPos[1] - 1);
int32_t num = atoi(nr);
if (num > 255)
if (num > 255 || num < 0)
break;
} else {
break;
}
if (len - iDotPos[2] <= 4)
{
char nr[4];
memset(nr,0,4);
strncpy(nr,&ipadr[iDotPos[2]+1], len - iDotPos[2] -1);
num = atoi(nr);
if (num > 255)
int32_t num = atoi(nr);
if (num > 255 || num < 0)
break;
else
allUnder256 = true;
} else
} else {
break;
}
} while(false);
if (nDots != 3 || !allUnder256)
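Review bot: The added `isdigit(ipadr[i]) == 0` test in the first hunk passes a plain `char` to `isdigit`, which is undefined behaviour for bytes with the high bit set on platforms where `char` is signed. Since `ipadr` is caller-supplied text, the argument should be converted first: `else if (isdigit(static_cast<unsigned char>(ipadr[i])) == 0)`. Assuming that loop covers the whole string, `atoi` can no longer return a negative value, so the new `num < 0` tests add no protection. An empty field, as in `1..2.3` (constructed example), still copies zero bytes into `nr` and parses as 0; unless empty octets are rejected in code outside these hunks, each field should also be checked for a length of at least 1 before the `strncpy`. The body of `IsIpAddressValid` starts before and continues after the visible hunks, so the bounds on `iDotPos` and on the first three copy lengths could not be confirmed from here.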