detect/address: validate netmasks

author Victor Julien <vjulien@oisf.net>

Tue, 1 Mar 2022 11:41:04 +0000 (12:41 +0100)

committer Victor Julien <vjulien@oisf.net>

Wed, 2 Mar 2022 07:17:18 +0000 (08:17 +0100)
author Victor Julien <vjulien@oisf.net>
Tue, 1 Mar 2022 11:41:04 +0000 (12:41 +0100)
committer Victor Julien <vjulien@oisf.net>
Wed, 2 Mar 2022 07:17:18 +0000 (08:17 +0100)
diff --git a/src/detect-engine-address.c b/src/detect-engine-address.c

index 3d90521ca6fee06a1b80cb32502611daf73c2657..d59893d37098cb4561e5cad2b7797694fb3f809d 100644 (file)
--- a/src/detect-engine-address.c
+++ b/src/detect-engine-address.c
@@ -456,6 +456,16 @@ static int DetectAddressParseString(DetectAddress *dd, const char *str)
                      goto error;
  
                  netmask = in.s_addr;
+
+                /* validate netmask */
+                int cidr = CIDRFromMask(netmask);
+                if (cidr < 0) {
+                    SCLogError(SC_ERR_INVALID_SIGNATURE,
+                            "netmask \"%s\" is not usable. Only netmasks that are compatible with "
+                            "CIDR notation are supported. See #5168.",
+                            mask);
+                    goto error;
+                }
              }
  
              r = inet_pton(AF_INET, ip, &in);
author	Victor Julien <vjulien@oisf.net>
	Tue, 1 Mar 2022 11:41:04 +0000 (12:41 +0100)
committer	Victor Julien <vjulien@oisf.net>
	Wed, 2 Mar 2022 07:17:18 +0000 (08:17 +0100)