Corrected bug in checking the third number and added extra checks

for memory protection. BUG=webrtc:5454 Review-Url: https://codereview.webrtc.org/1615653009 Cr-Commit-Position: refs/heads/master@{#12643}
2016-05-06 06:12:21 -07:00 · 2016-05-06 06:12:21 -07:00 · f2eae333a2
commit f2eae333a2
parent dc7d0d2ef0
1 changed files with 18 additions and 7 deletions
--- a/webrtc/test/channel_transport/udp_transport_impl.cc
+++ b/webrtc/test/channel_transport/udp_transport_impl.cc
@ -2922,6 +2922,10 @@ bool UdpTransport::IsIpAddressValid(const char* ipadr, const bool ipV6)
                // Store index of dots and count number of dots.
                iDotPos[nDots++] = i;
            }
+            else if (isdigit(ipadr[i]) == 0)
+            {
+                return false;
+            }
        }

        bool allUnder256 = false;
@ -2942,7 +2946,7 @@ bool UdpTransport::IsIpAddressValid(const char* ipadr, const bool ipV6)
                memset(nr,0,4);
                strncpy(nr,&ipadr[0],iDotPos[0]);
                int32_t num = atoi(nr);
-                if (num > 255)
+                if (num > 255 || num < 0)
                {
                    break;
                }
@ -2956,7 +2960,7 @@ bool UdpTransport::IsIpAddressValid(const char* ipadr, const bool ipV6)
                memset(nr,0,4);
                strncpy(nr,&ipadr[iDotPos[0]+1], iDotPos[1] - iDotPos[0] - 1);
                int32_t num = atoi(nr);
-                if (num > 255)
+                if (num > 255 || num < 0)
                    break;
            } else {
                break;
@ -2966,20 +2970,27 @@ bool UdpTransport::IsIpAddressValid(const char* ipadr, const bool ipV6)
            {
                char nr[4];
                memset(nr,0,4);
-                strncpy(nr,&ipadr[iDotPos[1]+1], iDotPos[1] - iDotPos[0] - 1);
+                strncpy(nr,&ipadr[iDotPos[1]+1], iDotPos[2] - iDotPos[1] - 1);
                int32_t num = atoi(nr);
-                if (num > 255)
+                if (num > 255 || num < 0)
                    break;
+            } else {
+                break;
+            }

+            if (len - iDotPos[2] <= 4)
+            {
+                char nr[4];
                memset(nr,0,4);
                strncpy(nr,&ipadr[iDotPos[2]+1], len - iDotPos[2] -1);
-                num = atoi(nr);
-                if (num > 255)
+                int32_t num = atoi(nr);
+                if (num > 255 || num < 0)
                    break;
                else
                    allUnder256 = true;
-            } else
+            } else {
                break;
+            }
        } while(false);

        if (nDots != 3 || !allUnder256)